Penetration testing has become a term synonymous with information security.
Often the stuff of legends, penetration testers spin tales of breaking bank vaults and cracking wireless networks, of perforating firewalls and “rooting” servers. One by one companies fall to white hat hackers armed with Metasploit and cases of Mountain Dew.
The problem with penetration testing is that in many cases, it’s not doing the client organization any good. It may seem odd that something as popular as pentests could be doing so little for companies that perform them, but there are many reasons why this is true.
Here are just a few:
- Compliance Takes Priority – Organizations in banking, healthcare and critical infrastructure, among other industries, are required to perform annual penetration testing. But they aren’t required to care about the results and they aren’t required to be secure. Getting your penetration test checkbox doesn’t require much, and many organizations aim low and still miss the ten ring.
- Clients Limit Test Scope – Many organizations become their own worst enemy by limiting the assets that are tested. By excluding the CEO from social engineering or cloud applications from SQL injections, some of the greatest vulnerabilities are left unexposed and subsequently unmitigated.
- Testing is Inconsistent – Any IT provider with a vulnerability scanner (yes, a vulnerability scanner) can offer “penetration testing” services. Service definitions vary across providers, organizations and regulations. This inconsistency makes shopping for a pentest similar to shopping for a mattress – you’re usually comparing apples to orangutans. In the worst case, testing results can give organizations a false sense of security.
- Testing is Unrealistic – If your security provider tells you that they’re going to “pentest your firewall”, do yourself a favor and end your contract. The kids from Romania aren’t going to pentest your firewall, so neither should your security provider. Good penetration testing should simulate a real-world attack. Sensitive assets like intellectual property, sensitive information and bank accounts should be targeted, just as they are in real life.
- It’s Not for Everyone – Pentests are great if the results are meaningful and useful. If your security defenses aren’t mature, there’s no sense turning them into Swiss cheese just to prove that it’s possible. Instead, use that money for something productive like an assessment or an Incident Response Plan for when something bad happens for real.
If you’re looking for penetration testing standards, you may be surprised to know that there is little out there. NIST has provided some guidance around security testing, but there is only one small section on pentesting.
There is another emerging standard for penetration testing that is getting some attention. Called the Penetration Testing Execution Standard (PTES), it provides recommendations for exploitation, intelligence gathering and perhaps most importantly, reporting.
If you are about to embark on a penetration test, ask your security provider if they utilize these or other standards for testing. Also ask yourself what your goals are and if you’ve set yourself up to be successful.
Your pentest should be as realistic as possible without introducing unnecessary risk. It should target the things that are most important to you, and it should be performed without the knowledge of your organization so you can monitor how well they react to these situations. You should include all of your assets in the test unless there’s a compelling reason not to. Potential embarrassment is not a compelling reason.
The security provider that you select should be knowledgeable and experienced. They should utilize a standard for security testing. They should know the difference between a vulnerability scan and a pentest. They should understand that the goal of the test is risk reduction, not legends and campfire stories.
And if you’re lucky, you’ll figure out where the holes are before some kids in Romania do.
The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.
Seal Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of American sailors on the Maersk and the recent recovery of foreign journalists held hostage by Al-Shabaab terrorists. The best of the best has handled the worst of the worst.
Imagine what you could get done if you had your own Seal Team 6.
Think it sounds crazy?
On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.
Like Seal Team 6, cybersecurity has become a household word and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it Seal Team 7, that’s taken) will give your organization a “force multiplier”.
Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams, multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.
And yes, you can have your own.
Here’s what you need:
- Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
- Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
- Train, train, train – Training is the most important of all, and it should incorporate the following:
  - The basics – Every Navy Seal is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a Seal. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
  - Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
  - Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.
Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.
You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.
In January of 2004 I spent three weeks in Northern Africa. It was one of the most memorable trips of my life.
The second half of my trip would be spent in Morocco with close friends, being catered to by personal attendants, drivers and handmaids, dining on the finest couscous and staying in chic riads. The first half of the trip was spent in Tunisia, a third-world country that has for years suffered through political turmoil. Most of Tunisia is uninhabited, rough and Islamic, which was simultaneously exciting, frustrating and frightening.
It was also educational.
Tunisia is an amazing country. Undiscovered beaches, the endless dunes of the Sahara, ancient ruins, bustling souks with fresh fruit and spices and the planet’s largest herd of camels.
Tunisia is also the world’s largest olive grove. No, ladies and gentlemen, it’s not Greece. There are only a few roads in Tunisia, but all of them seem to go through olive groves. You can drive for hours with olive trees outside both driver and passenger windows.
When I first arrived in country, I was met by Muslims with machine guns. Which I expected. And appreciated.
In 2004 my security career was rather young, but I was no less exuberant. If they had decided to strip search the only white guy in Tunisia I would have been inconvenienced but impressed.
Little did I know when I arrived that Tunisia would teach me a few things about security.
On the last full day of my trip I visited Carthage, the ancient coastal ruins where Hannibal became famous. Satisfied that I had filled my quota of digital pictures, I headed for the train to begin the trip back to my hotel. I needed to pack, eat and make some calls to arrange for my trip to Morocco the following day. My mind was busy as I boarded the busy rush hour train.
I passed a few stops, continuing to plot out the next day’s early morning checkout and flights. I noticed how overloaded the train was getting. I needed to remember to change some money at the airport. Just a few more stops now. I needed to send post… Is that a hand in my pocket?
Time slowed to a crawl and the roar of the rush hour train came to a hush. My wallet was gone. It had some money, a credit card and a copy of my passport in it. And the doors were closing. Was that the thief escaping? I needed to make a decision and fast. So I did what any security professional would do.
By the time I knew what was happening it was over. I rocked my best Walter Payton 45-Right to get off the train before the doors closed, pulling several likely innocent bystanders with me. But despite my seemingly heroic effort, the perpetrator was long gone by the time I got to the platform. I frantically challenged every pedestrian in the station that looked suspicious. They all looked suspicious. And I looked crazy.
How could this have happened?
- I lost situational awareness – Even though I had lived in New York City and I was a security-minded person, I was out of it on that train. It had been an exhausting week and I had less than 12 hours before I was escaping to paradise. My mind was somewhere else. While I was mentally reviewing departure times and sorting out logistics, an attacker was fingerprinting me.
- I was poorly defended – I was alone. It was the end of my trip and all of my laundry was dirty, so I was wearing baggy khakis with loose pockets. I was standing on a tightly packed train, hands above my head to keep from falling on some indigenous woman. I might as well have been wearing a sign that said “defenseless tourist”.
- I became a low-hanging olive – I looked out of place. I was tired. I was in the wrong place at the wrong time. I became the low-hanging fruit and I got picked.
And here’s some advice – if you ever find yourself pickpocketed in Tunisia, save yourself the time and anguish of reporting it to La Police. These are the same people who beat their own citizens with blackjacks.
Your adversaries can strike at any time. The good ones will find your weaknesses and exploit them. Your business may not require the same defenses as the Pentagon, but whatever defenses you have should be up at all times.
Sometimes the best lessons are those hardest learned.
And now the olives in my life usually end up on a salad.
It has become a common occurrence to hear about companies, governments and individuals being compromised by hackers.
Thanks to Anonymous, “the Chinese” and a bunch of kids from a country no one can pronounce, security has become a household word.
Seemingly overnight, information security has moved from a cottage industry to one that finds its sordid tales on the cover of every major periodical and leading every major newscast. It’s no secret that this condition exists because our adversaries have been and continue to be successful, to the tune of billions of dollars in intellectual property, bank accounts and defaced reputations.
Things have gotten sideways.
Many continue to ask why this situation persists, or from some perspectives, worsens. The answer is simply Newtonian – an object that is in motion will not change its velocity unless an unbalanced force acts upon it.
It’s time for an unbalanced force.
The US Military has developed tactics for when things get really sideways. For those life-or-death situations when you’re injured, surrounded by enemies and cut off from your support network. These tactics are called Escape and Evasion, and their applications aren’t limited to military survival.
As you read this, your critical assets sit unprotected. Not because you haven’t deployed firewalls, access controls and network segmentation, but because when those security controls are compromised (and they will be) those critical assets will be unable to protect themselves. They are inherently vulnerable, which is why they need compensating controls.
Enter Cyber Escape and Evasion.
For decades security professionals have been hardening perimeters, blacklisting bad actors and “locking things down”. These practices emerged when cyberwarfare was symmetric, when adversaries were [better] known and when cyberassets were few[er]. Sadly, these practices remain the foundation for many organizations, despite dramatic changes in attacks and attackers.
There are, however, some new concepts emerging regarding the protection of critical assets.
Imagine that your confidential data was camouflaged such that an unauthorized intruder couldn’t tell the data from the container. Imagine that your sensitive information assets were stored so randomly that hackers couldn’t make sense of them, even if they were discovered. Imagine that you deployed information decoys in such a way that it was difficult or massively time-consuming to tell which was the real source. Imagine that your sensitive data, once removed from its authorized container, could poison itself, much like the ink canister that is thrown into a bag of stolen cash.
What if the next time you were attacked, you could flood your attacker with false-positives and false-negatives, effectively disabling their ability to penetrate your network?
These are just a few of the security tactics that are starting to get real attention. Each of these concepts moves security controls closer to the asset and emphasizes intelligence over building walls.
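One way to make the decoy idea above concrete, as an added example that is not code from the original post: decoy API keys are generated with the same shape as real keys, but their last eight hex characters are a MAC over the random part under a secret only the defender holds. An intruder who dumps the key store cannot tell decoys from real keys, while the defender can recognize a decoy in any log line without keeping a lookup table. The key format, the secret and the log lines are all constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: defender-only secret, held outside the store that holds the keys.
DECOY_SECRET = b"constructed-defender-only-secret"
# Assumption: every key, real or decoy, is "ak_" followed by 24 hex characters.
TOKEN_RE = re.compile(r"ak_[0-9a-f]{24}")


def _tag(nonce: bytes) -> str:
    """Eight hex chars of HMAC-SHA256 over the random half of a decoy key."""
    return hmac.new(DECOY_SECRET, nonce, hashlib.sha256).hexdigest()[:8]


def make_decoy() -> str:
    """Decoy key: 16 random hex chars plus an 8-char MAC tag; same shape as a real key."""
    nonce = secrets.token_bytes(8)
    return "ak_" + nonce.hex() + _tag(nonce)


def make_real() -> str:
    """Real key: 24 random hex chars, indistinguishable from a decoy without the secret."""
    return "ak_" + secrets.token_hex(12)


def is_decoy(token: str) -> bool:
    """Recompute the tag; a real key matches only by chance (about 1 in 2**32)."""
    body = token[3:]
    nonce, tag = bytes.fromhex(body[:16]), body[16:]
    return hmac.compare_digest(_tag(nonce), tag)


def scan_log(lines):
    """Return (token, line) pairs for every decoy key seen in the log lines."""
    return [(tok, line) for line in lines
            for tok in TOKEN_RE.findall(line) if is_decoy(tok)]


# Constructed sample: one real key, one decoy, and a line with no key at all.
REAL_KEY = make_real()
DECOY_KEY = make_decoy()
SAMPLE_LOG = [
    f"2024-05-01T10:00:01Z GET /v1/orders key={REAL_KEY} src=10.0.0.5 status=200",
    f"2024-05-01T10:00:07Z GET /v1/orders key={DECOY_KEY} src=198.51.100.23 status=401",
    "2024-05-01T10:00:09Z GET /health status=200",
]

if __name__ == "__main__":
    for tok, line in scan_log(SAMPLE_LOG):
        print("DECOY USED:", tok, "|", line)
```

Any hit from scan_log is a high-confidence alert, because no legitimate client was ever issued a decoy key.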
If you trust statistics, an intruder has already compromised the networks of 1 out of every 10 people reading this blog post. 6 more of those 10 will be hit sometime later this year. A recent study showed that most security professionals expected their security program to fail when it was truly tested.
I’ll save you the angst of asking the same question.
If there was ever a time to inventory your assets, pack a “go” bag and assess your capabilities, it’s now. Things have gotten sideways and your firewall can’t save you. Your critical assets are either going to keep calm, signal the rescue chopper and be exfiltrated by their Security Officer, or they’re going to apply a tourniquet and die quietly as they’re dragged off to a POW camp.
What are your orders, sir?