
Crisis is a catalyst for change. No bigger crisis has struck the world in 2020 than the COVID-19 pandemic, and the effect it has had on how people work has been dramatic. The rapid transition to remote working has left I.T. teams worldwide desperately trying to keep up, and this has naturally led to oversights. Whether it is a single poorly configured VPN or an Azure tenancy with a multitude of permission issues, the holes in the armour of corporations started appearing in March and have only been added to since.
All roads lead to Rome, and all security flaws eventually lead to a breach. There has already been a record number of such breaches in 2020, with the pandemic only exacerbating the frequency of attacks. The breaches themselves cause consumers to lose faith in companies, and in the event of a ransomware attack business can halt for hours or even days. Even if the breach only discloses information and the business can keep trading, the long arm of the ICO has been handing out large fines for breaking the GDPR. Rebuilding after a breach can seem an insurmountable task, but penetration testing is your friend here.
A blasé attitude towards being breached is a surefire way to lose customers. A post-breach pentest report goes a long way in assuring clients, and internal senior management, that the incident is being taken seriously. Having a plan in the event of a breach is therefore vitally important. This plan should have many facets, but its primary goal is this: identify the attacked resource, identify how it was attacked, and remediate any issues. Pentest People’s expert consultants can help with step two.
The aims of penetration testing are normally straightforward: a consultant assesses each individual element of the target to see whether they can identify, and then leverage, vulnerabilities in it. When Pentest People are involved in post-breach testing, however, the aims change. We are no longer looking for common misconfigurations such as weak cipher suites; instead we model a threat actor in order to conclude what the most likely attack vector was. This allows companies to focus their remediation efforts, whilst also reassuring consumers that the breach is being taken seriously. Tales from real engagements always demonstrate problems and their solutions more effectively, and what follows is an engagement that took place back in August.
A company we had provided security testing to before (although we had not assessed this particular application) had been breached. A threat actor had successfully injected malicious code into their website and defaced it. One of Pentest People’s Managing Consultants was immediately given this assessment, and I was assigned to aid him. The most likely attack vector was a credential stuffing / brute force attack on the administrative console present. This was compounded by our OSINT investigation as part of the assessment, and by the fact that the client had only enabled verbose logging after the successful breach.
The second attack vector, whilst admittedly less likely, highlights one of the ongoing problems with third-party resources. In technical terms, one of the third-party resources wrote the value of document.location.href into an ‘a’ tag. If an attacker found a way to influence document.location.href such that they ‘broke out’ of that ‘a’ tag, they would be able to deface the application in this manner. Essentially, an attacker need not go after the application itself if the application relies on vulnerable resources.
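The sink described above, as an added example that is not code from Pentest People or from the third-party resource in the post: a widget reads document.location.href and writes it into an ‘a’ tag, shown unsafe and hardened. It is written as pure string builders so it runs in Node without a DOM; the sample URL, the function names and the single-quoted attribute style are assumptions.

```javascript
// Added example (not the engagement's code). In a browser the unsafe builder's
// output would be assigned to innerHTML with document.location.href as input.

// Unsafe: the raw URL is concatenated into markup. location.href leaves single
// quotes in the fragment unencoded, so a quote there ends the href attribute early
// and whatever follows lands inside the tag as extra attributes.
function buildShareLinkUnsafe(href) {
  return "<a href='" + href + "'>Share this page</a>";
}

// Escape the characters that can end an attribute value or open a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: parse the URL first, accept only http(s), then escape on output.
// Returns null (render nothing) rather than a link for anything it cannot vouch for.
function buildShareLinkSafe(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return "<a href='" + escapeHtml(url.href) + "'>Share this page</a>";
}

// Review check for such a widget: the rendered fragment must be exactly one
// anchor whose only attribute is href. Anything else means the URL broke out.
function isSingleHrefAnchor(html) {
  return typeof html === "string" && /^<a href='[^'<>]*'>[^<>]*<\/a>$/.test(html);
}

// Constructed sample URL (not from the engagement): the fragment carries a quote
// followed by an attribute the page author never wrote.
const SAMPLE_HREF = "https://www.example.com/news#' title='injected";

// Stand-alone demonstration.
console.log("unsafe :", buildShareLinkUnsafe(SAMPLE_HREF));
console.log("safe   :", buildShareLinkSafe(SAMPLE_HREF));
console.log("unsafe passes check:", isSingleHrefAnchor(buildShareLinkUnsafe(SAMPLE_HREF)));
console.log("safe passes check  :", isSingleHrefAnchor(buildShareLinkSafe(SAMPLE_HREF)));
```

The browser idiom for the hardened path is the same idea done with DOM APIs (createElement, then set href and textContent), which never lets the URL be parsed as markup at all.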
So, getting penetration tests done after a breach is clearly key to identifying how it happened and assuring customers that it won’t happen again. But these assessments should be carried out yearly at the very minimum. A defence-in-depth approach is not just a buzzphrase to be bandied about in meetings; you actually have to do it. Applications, APIs and all the flavours of infrastructure must be subjected to stringent security reviews. More recently, provisions that allow employees to Work From Anywhere also need to be tested. Whether this is a swift transition to Microsoft’s cloud offerings or a newly installed Remote Desktop implementation, penetration tests on these business-critical services form the backbone of that defence in depth.
However, all the security testing in the world cannot compete with good and regular staff training. If staff do not know how to spot phishing emails or calls, then having bullet-proof application and infrastructure security counts for little. Why would an attacker spend hours attempting to breach services when one or two well-placed phone calls would achieve the same thing? This brings us on to one of the most important parts of the new world of work: communication. Communication is one of the best ways to reduce what is often a company’s largest threat landscape, its employees.
There is often a gap between a company’s internal I.T. department and the rest of its workforce. This gap is born of the kind of interactions that normally happen between the two; that is, something has usually stopped working and both parties need it fixed quickly. This kind of stress leads to primarily negative interactions, and it has to be counteracted by (you guessed it) more communication. Fostering a true team spirit will make all your employees more productive, and will ultimately ensure a higher level of security.
The primary takeaway from all of this is simple: security should be prevalent in all areas of a business. Achieving that security takes a lot of work, and playing catch-up is no easy feat, but it all starts with people. Get everyone talking to your I.T. department, and more importantly get your I.T. department talking to everyone. Educate staff, don’t lecture them. And most importantly, test, test and test again.
Security in 2020 is no easy thing, but getting secure doesn’t have to be an overwhelming challenge. Stay safe out there,
Pentest People.
The Importance of Managing and Securing Your Network in the New WFA world
Virtual Round Table Event – January 14th 2021
With the WFA (work from anywhere) culture expanding, PAV i.t. services have brought together a consortium of organisations that either have significant insight or provide key technologies we believe are essential for all organisations such as yours at this point in time. The consortium includes Wells Technology, Gauntlet Group as well as Comstor and CISCO. The consortium represents an organisation focusing on CISO / CIO guidance, the insurance industry and worldwide suppliers of networking and security products. Additionally, @PAV is an IT services company which has more than 250 customers and brings a unique service-first approach to the technology considerations outlined within this campaign.
Over the coming weeks, the consortium will provide you with tailored blogs and webcasts where our sole intention is on the provision of knowledge that helps you to formulate a plan that addresses the following key questions:
- How can your organisation maintain effective communications between applications, clouds and staff when, more often than not, your staff are increasingly working from anywhere (WFA)?
- How can high levels of organisational collaboration be secured within an online / digital world?
- How can your organisation provide efficient management of networking solutions in this ever more complex IT environment?
- Should your organisation be worried about the costs of being breached?
- What are the legal ramifications of being breached and having proprietary / sensitive / PII information exposed?
- What are the key recovery considerations following a breach?
- What are leading / innovative organisations doing and what lessons should less WFA aligned companies learn?
For more details and to register your interest in attending our virtual round table event on January 14th, CLICK HERE.