Crisis is a catalyst for change. No bigger crisis has struck the world in 2020 than the COVID-19 pandemic, and the effect this has had on how people work has been dramatic. The rapid transition to remote working has left I.T. teams worldwide desperately attempting to keep up. This has naturally led to oversights. Whether it is a single poorly configured VPN, or an Azure tenancy with a multitude of permission issues – the holes in the armour of corporations started appearing in March and have only been added to since.
All roads lead to Rome, and all security flaws eventually lead to a breach. There have been a record number of such breaches in 2020 already, with the pandemic only exacerbating the frequency of attacks. The breaches themselves cause consumers to lose faith in companies, and in the event of ransomware attacks business can halt for hours or even days. But even if the breach only discloses information and the business can keep trading, the long arm of the ICO has been handing out large fines for breaking the GDPR. Rebuilding after a breach can seem an insurmountable task – but Penetration Testing is your friend here.
A blasé attitude towards being breached is a sure-fire way to lose customers. A post-breach pentest report goes a long way in assuring clients, and internal senior management, that this is being taken seriously. Thus, having a plan in the event of a breach is vitally important. Now, this plan should have many facets – but the primary goal is this: identify the attacked resource, identify how it was attacked, and remediate any issues. Pentest People’s expert consultants can help with step two.
The aims of penetration testing are normally straightforward: a consultant will assess each individual element of the target and see if they can identify and then leverage vulnerabilities in it. However, when Pentest People are involved in post-breach testing, the aims change. No longer are we looking for common misconfigurations like weak cipher suites; instead we are modelling a threat actor in order to conclude what the most likely attack vector was. This allows companies to focus their remediation efforts, whilst also reassuring consumers that the breach is being taken seriously. Tales from real engagements always demonstrate problems and their solutions more effectively, and what follows is an engagement that happened back in August.
A company we had provided security testing to before (although we had not assessed this particular application) had been breached. A threat actor had successfully injected malicious code into their website, and defaced it. One of Pentest People’s Managing Consultants was immediately given this assessment, and I was assigned to aid him. The most likely attack vector was a credential stuffing / brute force attack on the administrative console present. This was corroborated by the OSINT investigation we carried out as part of the assessment, and by the fact that the client had only enabled verbose logging after the successful breach.
The second attack vector, whilst admittedly less likely, highlights one of the ongoing problems with third party resources. In technical terms, one of the third party resources wrote data from document.location.href straight into an ‘a’ tag. If an attacker found a way to influence document.location.href in such a way that they ‘broke out’ of said ‘a’ tag, they would be able to deface the application in this manner. Essentially, an attacker need not go after the application itself if the application relies on vulnerable resources.
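The third-party pattern described above, rebuilt as an added JavaScript example (not the vendor’s code or the client’s): it uses string-building in place of the real DOM so it runs in Node, and a constructed URL stands in for document.location.href. The function names and the share-link wording are assumptions; the vulnerable builder is shown beside a hardened one and a quick review check.

```javascript
// Added example, not from the original post. A constructed URL string plays the
// role of document.location.href so the code runs without a browser.

// Minimal HTML attribute escaper: quotes and angle brackets can no longer
// terminate the attribute or the tag they land in.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern (as the article describes): the location value is
// concatenated straight into the markup of an <a> tag.
function buildShareLinkUnsafe(href) {
  return `<a href="${href}">Share this page</a>`;
}

// Hardened pattern: parse the value as a URL, accept only http(s), and
// attribute-escape the normalised form before it touches markup. In a real
// page you would set the DOM property (a.href = url.href) instead of building
// a string at all.
function buildShareLinkSafe(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return null; // not a URL at all: render no link
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return `<a href="${escapeHtml(url.href)}">Share this page</a>`;
}

// Review check a tester runs against any sink: if the untrusted input appears
// verbatim in the rendered markup, nothing between source and sink encoded it.
function reflectsRaw(input, html) {
  return html !== null && html.includes(input);
}

// Constructed sample inputs (not taken from the engagement).
const BENIGN_URL = "https://example.com/page?id=42";
const BREAKOUT_URL = 'https://example.com/page?x="><b>defaced</b>';
```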
So, clearly getting penetration tests done after a breach is key in identifying how it happened and assuring customers that it won’t happen again. But these assessments should be carried out yearly at the very minimum. A defence in depth approach is not just a buzzphrase to be bandied about in meetings; you actually have to do it. Applications, APIs and all the flavours of infrastructure must be subjected to stringent security reviews. More recently, provisions to allow employees to Work From Anywhere also need to be tested. Whether this is a swift transition to Microsoft’s Cloud Offerings, or a newly installed Remote Desktop implementation, penetration tests on these business critical services form the backbone of this defence in depth.
However, all the security testing in the world cannot compete with good and regular staff training. If staff do not know how to avoid phishing emails or calls, then having bullet-proof application and infrastructure security counts for little. Why would an attacker spend hours attempting to breach services when one or two well placed phone calls would achieve the same thing? This brings us onto one of the most important parts of the new world of work: communication. Communication is one of the best ways to alleviate what is often a company’s largest threat landscape, their employees.
There is often a gap between companies’ internal I.T. departments and the rest of their workforce. This gap is born of the kind of interactions that normally happen between these two sectors; that is, normally something has stopped working and both parties need it fixed quickly. This kind of stress leads to primarily negative interactions, and this has to be counteracted by (you guessed it) more communication. Fostering a true team spirit will make all your employees more productive, and will ultimately ensure a higher level of security.
The primary takeaway from all of this is simple: security should be prevalent in all areas of a business. Achieving that security takes a lot of work, and playing catch-up is no easy feat, but it all starts with people. Get everyone talking to your I.T. department, and more importantly get your I.T. department talking to everyone. Educate staff, don’t lecture them. And most importantly test, test and test again.
Security in 2020 is no easy thing, but getting secure doesn’t have to be an overwhelming challenge. Stay safe out there,