1 WHAT IS PENETRATION TESTING?

Nick Furneaux

In the mid-15th century BC the Old Testament (Hebrew) Bible describes the wandering of the Israelite people who had purportedly been released from Egyptian bondage by Divine hand. Some 70 years later they stood on the edge of the so-called ‘Promised Land’, waiting to wage war on the peoples within. But before any attack, the patriarchal leader Moses ordered the first ‘penetration test’ I could locate in recorded history. In simple terms, Moses sent in spies to test out the defences of the land. This is what they reported to Moses (Numbers 13:27):

We entered the land into which you sent us, and it is indeed flowing with milk and honey, and this is its fruitage. Nevertheless, the people who dwell in the land are strong, and the fortified cities are very great. We also saw the Anakim there … and the Canaanites are dwelling by the sea and along the Jordan.

This was, by any definition, an aggressive, well-planned penetration test. Their mission was to test the ability to penetrate the defences of the target and the test successfully highlighted a number of positive opportunities and also issues for them to address:

The target was asset rich, metaphorically ‘flowing with milk and honey’. This meant that there were high-value goods to be captured making it worth the effort to attack.

Fortified cities. The defences were strong.

They ‘fingerprinted’ the peoples, their locations and strengths.

Fingerprinting is a term used when planning both technical and social engineering type attacks. It is the act of gathering certain attributes of a computer or person and drawing conclusions from that data to help make an attack more successful. A more common term used when gathering data on individuals is ‘profiling’.

This metaphor demonstrates exactly the elements that make up the purpose and the desired results of an ‘aggressive’ penetration test against an organisation’s technical and personnel infrastructure: to deploy technical measures, to discover high-value targets, to fingerprint the defences and to identify vulnerable resources which need to be exploited to gain access to, or perhaps destroy, the high-value elements.

HOW DOES THIS AFFECT MY ORGANISATION?

Every company, organisation or agency has their ‘milk and honey’, something worth stealing, exploiting or destroying, and it is fundamentally the steps taken by Moses that an attacker would employ to attack your business. An attacker would ask the following questions:

1. Does your organisation have something I want to exploit, steal or destroy?

a. information;

b. intellectual property;

c. money;

d. reputation;

e. conduit to another business with any of the above.

2. What are the defences in place to protect these assets?

a. Can I potentially attack or circumvent the defences?

b. Can I coerce, bribe or otherwise leverage an employee?

3. Once inside your network, what can I expect, what can I do, how do I get to my target?

The problem is that we all tend to see our business or organisation in the paradigm of what it makes, sells, employs or otherwise. We do not naturally look at it as an attacker would. For example, your organisation may value its customer list and see risk in terms of what a competitor could do with it. However, an attacker may instead see a customer list as an opportunity to use the data to carry out identity theft, use bank details to steal money, sell stored credit card details and many other possibilities. Indeed, the result of a successful hack may have losses that were not as easy to foresee.

A cyber attack, otherwise known as a ‘hack’, is a modern colloquial term meaning the accessing of a digital asset such as a computer, device or an entire network by a person or group, without permission of the owner. The term hacker used to have a positive connotation, relating to a computer programmer or engineer, but has changed in the last 20 years to mean a person who would attempt to attack a digital asset for a variety of reasons.

A good example of this was the cyber attack against the mobile and broadband operator TalkTalk in October 2015 (Hodge, 2016). Considerable sums are spent by the company every year protecting the mobile and internet networks it operates and ensuring that private call data is safe from attackers. However, the hack against an arguably softer part of the network resulted in the loss of 150,000 customer records; 15,000 of these included bank account details. Interestingly, in this case, there was no suggestion that these details were used to attack individuals, so it may appear that there was no lasting harm done.

Was there a cost to TalkTalk? Its own figures pointed to a loss of 95,000 customers in three months specifically due to the hack, losing the company an estimated £60 million, perhaps more. Was the hack the result of a nation-state attack or the attention of a crime group? No, in 2016 a 17-year-old boy stood trial for the hack, carried out from his bedroom, and was given a 12-month youth rehabilitation order (Burgess, 2016; ITV News, 2016).

The best type of penetration test will not only probe your network but also identify the risks, the ‘milk and honey’ of your organisation and recommend methods to mitigate loss.

WHY CARRY OUT A PENETRATION TEST?

Your organisation, in fact every organisation, is a target. A small car repair garage could be a target for ransomware, perhaps asked to pay just £100s to unlock data encrypted by malware, which may be a significant sum to a small business. A mid-sized software house may have unreleased software worth stealing; a pharmaceutical company’s intellectual property could be worth millions; even a free online forum may contain user data that would be useful or valuable to an attacker. Every organisation has something worth acquiring. Aside from that, an attacker may just access a network and destroy data, simply for the challenge, just because it’s there.

Too often we see penetration tests being carried out purely to tick a proverbial box for the company board. It may be that the only motives for having a penetration test carried out are for attaining a security standard, fulfilling a contract or insurance terms or simply because it’s the right thing to do. Although these are sound reasons, the primary purpose should be to fully test and understand vulnerabilities that may exist within your organisation. When a penetration test is done just to ‘tick a box’, the resulting report is often read (sometimes just the Executive Summary) and filed until next year with often limited action being taken.

An effective penetration test should fully emulate what a prospective attacker would do; the results should be considered and, where possible, solutions and fixes implemented.

The top three key benefits of penetration testing to businesses, cited by respondents to a BCS penetration survey undertaken in March 2017,1 were:

identification of security weaknesses;

assurance;

compliance.

Getting proactive

If an attacker is going to ask questions of your network, those responsible for the business need to ask them first. It is concerning to note that in many organisations the task of protecting the organisation from attack falls squarely in the hands of the IT department. This is the wrong place to start. The board, following consultation with pertinent departments such as IT, legal and compliance, along with key leaders such as the chief information officer (CIO) and chief information security officer (CISO), should first identify the likely business targets and think through the possible risks, from the irritation of adware appearing on computers to the risks that could result in a business-ending event. Those decisions should not just be the domain of IT – part of it, yes – but management should be driving that conversation.

Unless your business has virtually unlimited resources to spend on consultants, the most effective penetration tests are the ones defined by the organisation itself. An external penetration test company will not be able to easily understand the nuances of your business and a board that has thought carefully about the business-affecting risks can more efficiently target a penetration test against the right assets. This does not mean that a penetration test should always be carried out internally, indeed there are arguments against that, but simply that targets are more easily defined by an organisation. Perhaps the best balance is for a business to define and identify its weaknesses and have those tested both internally and by an experienced external resource.

PENETRATION TESTS WON’T ALWAYS STOP YOU BEING HACKED

In 2016, we at CSITech spent three months planning and executing a penetration test attack against a large bank. We were successful, lessons were learned, holes were plugged and defences hardened. A month later the head of international banking received an email from ‘[email protected]’, asking for $2 million to be transferred to an account in the Middle East immediately. So, he paid up. Our penetration test did its job and improvements were made, but we had not accounted for a person who could not identify a badly constructed phishing attack. This highlighted an area for corporate training.

Phishing. This word indicates an attempt to coerce a person to act in a way beneficial to an attacker. This is a social engineering attack. This may be by phone, email or other means. Usually the word is used when related to an email to many individuals, perhaps asking them to click a malevolent link or respond with information useful to the attacker. A targeted attack against a specific individual is termed a spear-phishing attack.
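The bank anecdote above turned on a recipient who could not spot a badly constructed request to move money. The following is an added example, not code from the chapter or from CSITech, of the first-pass checks a mail gateway or a trained employee applies to such a message: does the sender really come from the organisation’s domain, does the display name claim an executive title, does the reply go elsewhere, and is there pressure to move money at once. The organisation domain, executive titles and both sample emails are constructed for the example.

```python
"""Added example: triage an inbound email for executive-impersonation indicators.
Everything here (domain, titles, sample messages) is constructed; none of it is
a real address or a real incident."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains the organisation actually sends mail from.
ORG_DOMAINS = {"examplebank.test"}
EXEC_TITLE = re.compile(r"\b(ceo|cfo|chief executive|managing director)\b", re.I)
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|right away|asap)\b", re.I)
# A payment verb followed within 40 characters by a currency amount.
PAYMENT = re.compile(r"\b(transfer|wire|pay|payment)\b.{0,40}?[$€£]\s?\d[\d,.]*\s?(million|m|k)?", re.I | re.S)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no @)."""
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return the indicators found and a verdict the recipient can act on."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings = []
    if domain_of(from_addr) not in ORG_DOMAINS:
        findings.append("external sender")
        if EXEC_TITLE.search(from_name):
            findings.append("executive title from outside the organisation")
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("Reply-To goes to a different domain")
    if URGENCY.search(text):
        findings.append("pressure to act at once")
    if PAYMENT.search(text):
        findings.append("request to move money")
    if len(findings) >= 3:
        verdict = "hold and verify by phone before acting"
    elif findings:
        verdict = "review"
    else:
        verdict = "no indicators"
    return {"findings": findings, "verdict": verdict}


# Constructed sample: the shape of the email in the bank anecdote.
SAMPLE_PHISH = "\n".join([
    'From: "CEO - Example Bank" <ceo@examplebank-mail.test>',
    "Reply-To: <ceo.private@webmail.test>",
    "To: head.international@examplebank.test",
    "Subject: Confidential - transfer needed immediately",
    "",
    "Please arrange a transfer of $2 million to the account below immediately.",
    "I am in meetings all day and cannot take calls. Confirm once done.",
])

# Constructed sample: an ordinary internal message for comparison.
SAMPLE_BENIGN = "\n".join([
    'From: "Alice Smith" <alice.smith@examplebank.test>',
    "To: head.international@examplebank.test",
    "Subject: Minutes from Monday",
    "",
    "Minutes from Monday's meeting are attached for your review.",
])

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(triage(sample))
```

The checks are deliberately simple: they are the questions staff training should make habitual, and the verdict is to verify out of band, not to block on its own.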

It is vital that appropriate expectations are set for the board when signing the contract on a penetration test. Penetration testing is a crucial exercise, but it is possible that a test will not highlight an area which is later exploited. Penetration testing can never cover all the bases.

Don’t forget the employees

Your organisation undoubtedly has spent significant resources hardening your network. You install firewalls, intrusion detection systems, anti-virus scanners and a host of other technological defences. The problem is that organisations then make the critical ‘mistake’ of filling the organisation with people. People like to help – but in the security world, that is bad. We train them that way, we tell them that the customer is always right (bad), that you should ‘go the extra mile’ (also bad).

Now, this is, of course, a facetious view of the subject. We need reception staff to smile and be helpful, we need customer relations to not be suspicious of every phone call and email. However, as with the example above, the vast number of modern attacks against companies start with some type of what is termed a ‘social engineering’ attack – essentially, manipulating a human rather than a computer to provide them with information that will often make a resulting technical attack easier. Consider some highly simplified examples:

‘Hello, this is Sam in IT’ (it’s not). ‘Have you changed your password recently? No? Let me talk you through it and help you choose a strong one.’

‘I wonder what’s on this USB key I found on the floor in reception…’

‘Hello friendly receptionist, I have an interview, but spilt coffee on my CV, could I quickly use your computer to access my email and print a replacement?’

‘I’ve got an email with a £50 voucher for my favourite clothes store, I must be on a mailing list, I just have to click this link…’.

It is easy to see how, if professionally done, these examples could work, providing an attacker with network access without ever attacking or hacking your expensive firewall. Many other examples can be found at www.phishing.org/phishing-examples.

Frequently these attacks are the result of internet-based research, often called open-source intelligence gathering, carried out by an attacker to glean vital information that they can use to improve the likely success of a social engineering approach or a direct technical attack.

The hacking group Anonymous coined the term ‘doxing’, essentially finding all the documents on a person or company.

Your organisation, or a third party, should be looking at what information the company leaks through social media, forums, websites and the like.

Modern penetration testing should always include the testing and training of your staff to detect these types of attacks.

An attacker may want to know what firewall your organisation uses. This can be achieved using technical measures, but those could be easy to detect, so they may instead use a simple Google search to provide possible answers. For example, to find out what firewall technology a company uses, try typing the following into Google:

site:linkedin.com firewall company name

This simple search will just look at entries on the LinkedIn site that contain the word ‘firewall’ and the name of the company. By following the links and looking at the skills listed by people who work there, can you discern which firewalls are likely to be in use? Try it with your own organisation – you may be surprised…

STAYING CURRENT WITH EMERGING RISKS

Although crimes such as burglary, fraud, destruction of property and suchlike are as old as civilisation, their application to technology is much more complex. Whereas a property can only be broken into via doors and windows, the ability of an attacker to break into a network shifts and changes with every passing day. Unlike a building, the potential entry points of a network are constantly altering. How so?

A network is the sum of many parts. These could include routers, computers and mobile devices, but now extend to the Internet of Things, such as cameras, building control systems, even equipment that controls industrial machinery. Each of those parts contains software and hardware that may be found to be vulnerable to some type of attack. Once a vulnerability is discovered by or disclosed to a hardware or software vendor, they will usually (but not always) move to patch that problem. This corrective measure can, however, result in new vulnerabilities being exposed, and so the problem continues.

In 2008 in Refahiye, Turkey, an oil pipeline exploded. It was first thought to be an industrial accident until it was discovered that 60 hours of CCTV had been deleted from servers, and a camera on a separate network showed shadowy figures with a laptop snooping around a control box during the night. The investigation showed that control systems had been remotely hacked to increase the pressure in the pipe resulting in an explosion. Were the control systems vulnerable? No, a simple vulnerability in the monitoring CCTV system, which was on the same network as the control systems, was used to tunnel into the critical control infrastructure, resulting in the destruction of the pipeline (Hazardex, 2014).

This shifting ‘threat landscape’ makes staying up to date with potential risks a complex task. The primary solution is to have robust procedures for patch management. It is likely that your IT team routinely upgrades server and desktop operating systems – indeed, the deployment of these patches is often automated. Automating patch management is controversial: if an update from a software or hardware supplier is flawed or compromised, this could cause other system problems, crashes, compatibility issues with connected devices and so on. Some organisations delay and test updates to ensure that unforeseen problems are minimised; however, conversely, this approach extends the time for an attacker to exploit non-updated code.

However, the same attention is not given to software and firmware patches relating to systems that may slip into a different department’s oversight. For example, we regularly see CCTV systems still configured with their default firmware and passwords, even though many patches have been released. The same is true for building control systems, radio-frequency identification (RFID) entry systems and similar. This is often because oversight for the system sits elsewhere from IT and the owners are not security aware. Fundamentally, the technical responsibility for security of any system connected to the network should lie within the IT or network security team. Of course, sometimes these systems are maintained and supported by third-party organisations who may not have the same motivation to upgrade and patch systems as your own staff. Risks and benefits need to be balanced when outsourcing support.

Another problem is the long-term issue of support of hardware and software. Manufacturers seem to be increasingly keen to cease development and support of products soon after new versions are released. This can leave assets vulnerable to newly developed attacks.

Also worth considering is that a person bringing a device into work and connecting to the network via a cable or Wi-Fi may introduce an ‘invisible’ attack vector. A good example of this is employees plugging in their own wireless router to the company network so that their iPad or another device can access the internet. Often these have default passwords or are mistakenly left without encryption turned on, providing an open door for an attacker who may scan your premises for open Wi-Fi networks.

Another method for a manager to keep up to date with vulnerabilities that could affect their company is by monitoring specialist search engines such as Shodan.2 Shodan enables a manager to search for devices of interest, and receive a list of known vulnerabilities. This is constantly changing, so searches should be done routinely.

In addition to your own research and policies, any penetration test that is carried out on your network should report not just what you know, but what you do not know. You should be thinking outside of the proverbial box, looking for vulnerabilities not only through direct attacks but also through the lateral approaches that could be employed and that you may not have considered.

A good penetration test team will learn about the business and, rather than simply run network scanners and produce automated reports, will strive to identify the areas of risk, the likely threat actors and understand methods that could be employed against you. This should include social engineering attacks as mentioned previously.

WHY ALL MANAGERS SHOULD BE INTERESTED IN SECURITY…

In 1989 Ronald Reagan said ‘Information is the oxygen of the modern age. It seeps through the walls topped by barbed wire, it wafts across the electrified borders’.3 Information pervades every part of an organisation, and it is that very information that can be valuable to an attacker and also the fuel by which to launch an attack. As information is generated or used by every department, it is incumbent on each manager of a department to be security aware to an appropriate degree.

For example, human resources hold significant information on employees and the organisation and the manager should be aware of the risks of mistakenly releasing or losing any of that data, providing appropriate training to their team.

Customer relation teams need to be well trained by their manager in understanding what data is appropriate to share with an external caller. Reception managers should understand policies relating to physical access to the building and what information is appropriate or inappropriate to be shared with a visitor.

All managers need to be aware of security risks and educate their teams to recognise everything from general phishing emails through to well-researched and crafted spear-phishing attempts to extract information or request actions to be taken.

IMPACT ON THE ORGANISATION OF NOT PENETRATION TESTING

Penetration testing can be a time-consuming and reasonably costly process to do properly. It is for these reasons that organisations often sideline this task, instead trusting that IT are doing their job correctly and that the investment in security hardware and software should do the job fine. This thinking is a false economy – and could cost you dearly. As was previously explained, the cyber-attack surface is an ever-changing environment, and testing internally while also enabling an experienced third party to test your environment is a critical task. Let’s consider the risks and likely costs of not penetration testing your organisation.

Indirect risks or costs here include the following:

Not being security aware, at board, management and employee levels, leaves the company exposed to a range of attacks via technical and social engineering means.

A serious hack of your business may have to be disclosed for due diligence, General Data Protection Regulation (GDPR) reporting or trade body rules. Investors, for example, may ask for disclosure about the pre-planning and pre-testing that was done to avoid any loss. If there was little or no pre-testing this can have a detrimental effect on share price. Hence, a hack which actually resulted in no direct financial loss can result in significant loss via the company’s share value.

A loss of information can result in serious reputational damage which could affect suppliers, and existing and potential customers. This is very difficult to quantify ahead of any attack. However, looking at reputational losses from others in your sector can help you to model the potential effects.

Post-event forensic investigations can be lengthy and expensive. Indeed, a full investigation into a cyber attack can easily cost more than a penetration test. Although security holes may be found and closed, the detection of a perpetrator resulting in a prosecution is rare unless the police are involved. Sadly, squeezed budgets and resources often mean that the police will only take on cases that are the most high-profile or where there are extensive losses.

Direct risks or costs here include the following:

Loss of intellectual property (IP) can have significant effects. For example, a simple attack against a small pharmaceutical company resulted in the loss of recipe IP for certain health foods it manufactured. The financial losses were undetected for over a year until a company director saw copies of its products for sale during a trip to China. The losses were significant, as selling its legitimate product into the country at much higher prices became impossible. Legal challenges hit constant dead-ends and the failed litigation costs added to the overall losses.

Compensation payments may also need to be made to customers that have had their details stolen. For example, a mobile phone company lost 2 million records in 2012, and although it did not make direct compensation payments to customers, it was directed by the telecoms regulator to provide a two-year subscription to a fraud detection service to each affected person. This cost the company an estimated £20 million.

Loss of money. A cyber attack may take the form of a hack against the network or can be a simple variation of the ‘false-invoice’ attack. If the accounts system can be penetrated, then false invoices can be inserted and often payment made without any detection. A good example is the account of the bank mentioned earlier in the chapter where a simple email asked for money to be transferred, and it was.

Fines from regulators. If your organisation is regulated by, for example, a telecoms or financial regulator, then it may fine you if it is not satisfied that your pre-attack and post-attack planning and execution was up to standard. For example, the Financial Conduct Authority (FCA) can impose a maximum penalty of £500,000. Since GDPR came into effect in mid-2018 there are also fines that can total €20 million or 4 per cent of international revenue.

Penetration tests alone will not eliminate all the possibilities of a successful cyber attack, but pre-planning, carrying out penetration tests and even role playing the attacker can help to mitigate the effects and costs.

SUMMARY

We have seen that every business has its ‘milk and honey’ which attackers may want to steal, leverage or destroy. It is vital that the likely targets are clearly identified, protected and then their defences rigorously tested. Although the IT department has the primary technical role of caring for computer-based resources, the role of identifying business-critical targets needs to fall squarely with the board. Hence, multi-departmental collaboration is essential in planning penetration testing, enabling diverse skills and interests to be represented and dealt with appropriately.

An oft-repeated mantra is that ‘security is the responsibility of the individual’. This requires all staff being trained in basic security practices and then having that training tested. Skills such as being able to recognise a social engineering attack or a phishing email can stop attacks or technical exploitation of a network right at the point of entry.

Planning, training and collaborative working are the elements needed for a successful security environment.

REFERENCES

Burgess, M. (2016) TalkTalk hack toll: 100k customers and £60m. Wired, 2 February 2016. Available at: www.wired.co.uk/article/talktalk-hack-customers-lost

Hazardex (2014) Russian hackers now thought to have caused 2008 Turkish oil pipeline explosion. 21 December 2014. Available at: www.hazardexonthenet.net/article/88497/Russian-hackers-now-thought-to-have-caused-2008-Turkish-oil-pipeline-explosion.aspx

Hodge, N. (2016) TalkTalk’s £400,000 data hack fine is a dire warning. Compliance Week, 8 November 2016. Available at: https://www.complianceweek.com/talktalks-400000-data-hack-fine-is-a-dire-warning/2879.article

ITV News (2016) Boy, 17, behind massive TalkTalk data hack sentenced to 12-month rehabilitation order. ITV Report, 13 December 2016. Available at: www.itv.com/news/2016-12-13/boy-17-behind-massive-talktalk-data-hack-sentenced-to-12-month-rehabilitation-order/
