Daily Archives: April 4, 2019

Six Stages of Penetration Testing

Through penetration testing, you can proactively identify the most exploitable security weaknesses before someone else does. However, there’s a lot more to it than the actual act of infiltration. Pen testing is a thorough, well thought out project that consists of several phases. Read on to learn about what it takes to complete a successful pen test.

Planning and Preparation

Many old adages proclaim the importance of preparation, and when it comes to penetration testing, planning is indeed the key to success. There are multiple ways to approach a pen test, and figuring out your goals and scoping accordingly is key to ensuring that you get the most out of the process. Consider these questions to ensure your expectations are aligned with the testers' and you get the information you’re looking for.

  • Do you want an external test, which simulates an attack from an outside individual or organization, or an internal test, which simulates an attack from an insider, or an attacker that has a foothold within the organization?
  • Would you prefer your security team to know a pen test is about to be performed, or would you rather it be performed covertly to identify their effectiveness in detecting the activity?
  • How much information do you want to share with the pen testers beforehand?
  • How aggressive are the pen testers allowed to be?

Discovery

Once the scope has been established, pen testing teams can get to work. In this discovery phase, teams perform different types of reconnaissance on their target. On the technical side, information like IP addresses can help determine information about firewalls and other connections. On the personal side, data as simple as names, job titles, and email addresses can hold great value. Attackers can use this data to send phishing emails or figure out who may have privileged credentials, with which they can get full access to the environment.
Additionally, before exploiting a system, pen testing teams must look for weaknesses within the environment. Often referred to as footprinting, this phase of discovery involves gathering as much information about the target systems, networks, and their owners as possible without attempting to penetrate them. An automated scan is one technique that can be used to search for vulnerabilities that can be used as a doorway.

Penetration Attempt and Exploitation

Now informed about their target, pen testers can begin using these newly discovered entry points, testing all of the weaknesses they discovered. They will attempt to enter the target through these identified entry points.
But pen testers will do far more than just attempt to gain access. Once inside a compromised system, they will try to elevate their access privileges within the environment, allowing them to take any number of additional actions. Gaining administrative privileges enables pen testers to identify security weaknesses in other areas and resources, like poor configuration, unguarded access to sensitive data, or ineffective management of accounts and passwords.
Additionally, multiple types of assets can be tested. In addition to the on-premise network infrastructure and workstations you’d expect could be vulnerable to attack, mobile devices, web applications, and even IoT devices like security cameras, can also be put to the test.

Analysis and Reporting

Pen testers should carefully track everything they do during the discovery and exploitation process. From there, they can create a report that includes all of these details, highlighting what was used to successfully penetrate the system, what security weaknesses were found, and any other pertinent information discovered.
These reports should also include analysis to help map out next steps once the test has concluded. Pen testing teams can help determine the highest priority items that an organization should take care of as soon as possible, as well as suggestions for remediation methods.

Clean Up and Remediation

Just as with a real attack, pen testers can leave “footprints.” It’s critical to go back through systems and remove any artifacts used during the test, since they could be leveraged in the future by someone with nefarious intentions. Once this is completed, an organization can go about the business of fixing the security weaknesses discovered and prioritized during the testing phase. This may include putting compensating controls in place to protect weaknesses that cannot be easily remediated, or even investing in new solutions that can streamline security and improve efficiency.

Retest

Penetration tests can and should be utilized frequently, especially when new applications or infrastructure are being deployed. Even if your organization believes they resolved every weakness listed in a previous report, the best way to ensure your remediations are effective is to test again. Additionally, IT environments, and the methods used to attack them, are constantly evolving, so it is to be expected that new weaknesses will emerge.

With so many breaches dominating the news, it’s more critical than ever to reduce the chance that an incident could put your organization’s reputation and trustworthiness at stake. Organizations should do everything they can to understand and avoid behaviors that put them at risk. Pen testing is an essential part of a risk assessment strategy and helps ensure that your organization is reducing the chance of a damaging breach occurring within your environment.

Read our guide to learn how you can get smarter about penetration testing.


Teaching Old Malware New Tricks: How the Latest Mirai Variant Targets New Devices

Though initially created to give players of the game Minecraft an advantage, the Mirai malware strain has since been responsible for a number of notable distributed denial of service (DDoS) attacks, including the one suffered by DNS provider Dyn, which resulted in outages for numerous Internet platforms. Before its creators were caught and prosecuted, they posted the source code online, allowing Mirai to take on a life of its own. Mirai has now reemerged, enhanced and ready to cause more damage. Read on to learn how Mirai works, what its newest features are, and how you can protect your organization from this destructive malware strain.


What is a Botnet?

Mirai operates by breaching Linux devices and creating botnets. This type of malware operates by having its original home device, known as a bot herder or bot master, infect and remotely control any kind of device – from a smart phone to a security camera. Using this command-and-control technique (C&C or C2), it can instruct the breached device to run a bot, which is a software application that runs automated scripts to perform tasks over the Internet. Once the bot herder has taken control of multiple devices, often numbering into the hundreds or thousands, it uses this cluster of bots, known as a botnet, to run more sophisticated, malicious tasks.

Most commonly, botnets are used in DDoS attacks, like the Dyn incident mentioned above. With so many bots under their control, an attacker can have all of them send requests to a targeted system, flooding it with traffic, blocking out any legitimate requests. Eventually, this influx of traffic will overwhelm a system, causing it to crash.

Brand New Enterprise Exploits

Mirai resurfaced a few times since its initial foray onto the scene. Since the code is now freely available, changes can be made at the whim of any malicious actor. For example, in early 2018, one successor used its botnet to steal cryptocurrency from computers dedicated to cryptocurrency mining.

Now Mirai has rematerialized once more, with this variant updated to target eleven additional devices. A few of these new targets, like WePresent wireless presentation systems and LG Supersign TVs, are devices intended for use by enterprise organizations. This pivot into business-class devices should put businesses on their guard, since it gives attackers a window into organizational networks for additional exploitation. It also shows a pivot towards loftier end goals, since devices connected to these enterprise networks give threat actors even more bandwidth to use in their botnet attacks.


Same Old Mirai Infrastructure

Mirai isn’t a particularly complex piece of malware – which is dangerous in its own right, as it gives far more people opportunities to use it. Ultimately, its success lies in its exploitation of the weak security that plagues most IoT devices.

Mirai’s bot master directs its controlled devices to continuously scan the Internet in search of IP addresses belonging to IoT devices. From there, it uses a list of default usernames and passwords to attain administrative access to the device. Given Mirai’s numerous successful attacks, there are a worrisomely large number of devices that still have these credentials in place.

This strategy would be far less frequently successful on traditional workstations and servers within an organization. First, they are far more likely to have policies in place requiring frequent password changes, multi-factor authentication, or even identity and access management solutions to ensure that administrative access isn’t so easily acquired.

Moreover, most antivirus solutions for workstations or servers would be able to spot these simplistic breach attempts and stop them in their tracks. Unfortunately, nearly all IoT devices still lack antivirus solutions, making them a prime target for techniques that are no longer as common on workstations or network servers.

Finally, IoT devices are ideal because most of them are constantly connected to the internet and are owned or operated by users who are unaware of the security risks that these devices can pose.


Fighting Command and Control with Advanced Threat Detection

In addition to having ideal targets in IoT devices, botnets like Mirai are also particularly difficult to detect and remove because aside from causing a system to become sluggish at times, they don’t really do anything to make their presence known.

With this latest iteration of Mirai, along with a number of other botnets currently being deployed, threatening enterprise IoT devices, how can an organization be sure that their devices aren’t currently under the control of a bot master? Advanced threat detection solutions like Core Network Insight constantly monitor network traffic for threat behavior and activities, detecting anomalous behavior in real time and with certainty by providing definitive evidence of infections, regardless of device type. This allows security teams to take immediate action to clear bots from the system.

While this variant is new, Mirai’s structure of C&C communication techniques remains the same. Core Network Insight detects based on this type of communication, so no matter the variant, Network Insight will still be able to accurately uncover it. Network Insight is also agentless, as well as OS and platform agnostic, so no matter how many different device types are targeted, botnets like Mirai cannot evade detection.
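The scan-and-login behaviour described above, an infected device sweeping the Internet for telnet ports, is also what makes a bot visible on the network. The following added example, which is not code from the original post or from Core Network Insight, flags hosts whose outbound telnet fan-out exceeds a threshold using constructed flow records; the port set, the field layout and the thresholds are assumptions.

```python
from collections import defaultdict

SCAN_PORTS = {23, 2323}  # telnet ports Mirai's scanner probes (assumption)


def parse_flow(line):
    """Parse 'ts src dst dport proto' into a tuple; None for malformed lines."""
    parts = line.split()
    try:
        ts, src, dst, dport, proto = parts
        return int(ts), src, dst, int(dport), proto.lower()
    except ValueError:  # wrong field count or non-numeric ts/port
        return None


def find_scanners(lines, window=60, threshold=20):
    """Return {src: peak_fanout} for sources reaching >= threshold distinct
    telnet targets inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)  # src -> [(ts, dst), ...] for telnet-port flows
    for line in lines:
        rec = parse_flow(line)
        if rec and rec[4] == "tcp" and rec[3] in SCAN_PORTS:
            by_src[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def sample_flows():
    """Constructed traffic: an infected camera sweeping 30 hosts on 23/2323 in
    30 seconds, plus an admin host that legitimately manages two switches."""
    flows = [f"{1000 + i} 10.0.5.20 198.51.100.{i} {23 if i % 2 else 2323} tcp"
             for i in range(30)]
    flows += ["1000 10.0.1.2 10.0.0.1 23 tcp", "1010 10.0.1.2 10.0.0.2 23 tcp",
              "1020 10.0.1.2 10.0.0.1 23 tcp", "1005 10.0.1.2 10.0.0.9 443 tcp"]
    return flows


if __name__ == "__main__":
    for host, fanout in find_scanners(sample_flows()).items():
        print(f"possible Mirai scanner: {host} ({fanout} distinct telnet targets)")
```

The admin host stays below the threshold because it revisits the same two switches, while the camera's 30 distinct targets in 30 seconds trip it.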

To get more information on the only mature, purpose-built active threat detection solution on the market, or a personalized demonstration from one of our experts, contact us today.


3 Factors to Consider When Securing Big Data

Big data is the new toy in town—a technological commodity that is driving development, but is also a major point of contention between companies, users, and governing entities. But despite the name big data, it is often in the possession of small businesses, which have not taken the appropriate measures to secure this data. When such large amounts of information are on the line, a breach of this data can be extremely detrimental.

With continual scandals being aired concerning poor privacy protections, it is even more important for your data to be protected. Consider these three things when securing big data: your specific configurations, what access you give out, and how to monitor your data.

1. Configurations

It was June of last year that the Exactis leak was revealed. Exactis, a Floridian marketing data broker, had a misconfigured Amazon Elasticsearch server that exposed close to 340 million records on both American adults and businesses. This included incredibly specific details such as pets, gender of children, and smoking habits. This leak has crippled Exactis; there is little chance that Exactis will bounce back from this event. Beyond the effect that this leak has had on the business, Exactis CEO Steve Hardigree has also been open about the stream of inquiries, threats, and constant stress this has had on his personal life.

The root of this crippling leak lies in a misconfiguration and shows us just how configurations can make or break your business. When you are planning out your big data space, you need to double- and triple-check your configurations.

Tips for Checking your Configurations:

  • Security is a multi-layered beast and your data is unique, which in turn means that your approach to security must be customized. This could mean using security software in an unconventional manner or utilizing a third-party security company.
  • Think of the little things. Do you trust all of the programming interacting with your data? If not, how can you make it a trusted resource?
  • Consider getting a third-party Network Security & Architecture Review of your environment. This allows you to have an outside opinion of exactly how secure your data is. If possible, it is beneficial to get this review at least annually.
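As an added example, not part of the original post: a small audit that applies the Exactis lesson to a node's settings, flagging a cluster bound to a non-loopback interface with authentication switched off. The setting names (network.host, xpack.security.enabled, http.cors.allow-origin) and both sample configurations are assumptions constructed for illustration, not Exactis's actual configuration.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}  # bindings that stay on-box


def parse_settings(text):
    """Minimal 'key: value' parser for flat elasticsearch.yml lines (no PyYAML)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings):
    """Return a list of findings; an empty list means no exposure was detected."""
    findings = []
    hosts = {h.strip() for h in settings.get("network.host", "_local_").split(",")}
    exposed = not hosts <= LOOPBACK  # any non-loopback binding reaches the network
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    if exposed and not auth_on:
        findings.append(f"reachable on {sorted(hosts)} with authentication disabled")
    elif exposed:
        findings.append(f"reachable on {sorted(hosts)}; verify firewall rules and TLS")
    if settings.get("http.cors.allow-origin") == "*":
        findings.append("CORS allows any origin to query the cluster from a browser")
    return findings


# Constructed configs: the first mirrors the Exactis pattern, the second the fix.
WEAK_CONFIG = """
cluster.name: marketing-records
network.host: 0.0.0.0            # every interface, public ones included
xpack.security.enabled: false
http.cors.allow-origin: "*"
"""

HARDENED_CONFIG = """
cluster.name: marketing-records
network.host: 127.0.0.1          # local clients only; front it with an authenticating proxy
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_settings(cfg)) or ["no findings"])
```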

2. Access Granted

As you are deciding on configurations, you need to take into account who will be granted access and to what.

If the data is meant to stay completely internal, you need to decide what kinds of users are allowed what permissions. For example, who is allowed to pull data? Is anyone? If it’s not a part of the daily workload, under what circumstances is it allowed? By whom?

If you are going to share your data with third parties, there is another host of questions to consider. Do you allow them unlimited access to your data? Who do you allow access to?

Tips for Granting Internal & External Access:

  • Limit the amount of external access you allow; if possible, do not allow it at all. This will lessen your attack surface and your inherent risk.
  • External resources likely don’t need to access everything your internal resources can. Restrictive groups are a great organizational way to separate who has access to what within your environment.
  • Not all internal resources are equal and therefore should not be given the same access. You will need to evaluate how you give out access and document your process of escalating and deescalating access.

As has become evident with Facebook’s admission that it left data connections open even after deals had been closed, it is also important to think about what happens when access has been revoked. What are you going to put in place to prevent access when it should no longer be allowed?

Take the access you grant seriously so you don’t end up scrambling to make changes after an incident.

3. Monitoring & Alerting

For everything that can be done to your data, there should be a way for you to monitor it. That is not to say that you have to micro-manage every aspect of your big data. But if an incident were to occur, or more realistically when an incident occurs, you should be able to construct an image of what was going on at the time of the event. For this to be possible, you need a way to monitor your data and receive alerts on the incidents.

Tips for Monitoring & Alerting:

  • Adversaries do not keep normal business hours, so be sure you are monitoring your data at all hours. One way to easily achieve 24/7/365 monitoring is by outsourcing this function to a Managed Security Services Provider (MSSP).
  • When setting up alerts, it can be challenging to find a balance between “alert on every single possible event” and “I only want to see important alerts”. What if an uptick on those seemingly harmless alerts is the only tip-off to an insider threat? And on the other hand, if you are constantly on edge from alerts, you will easily fall into alert fatigue. An MSSP can act as the filter between you and your alerts, only notifying you after an alert is investigated and confirmed to be legitimate.

When you are in possession of big data, there is a lot on the line to secure. When a breach of this magnitude can destroy your business, it’s critical you take these factors into consideration.

The post 3 Factors to Consider When Securing Big Data appeared first on GRA Quantum.