Top Cybersecurity Control for Q4 2023: Penetration Testing

“So, people hire you to break into their places… to make sure no one can break into their places?” a secretary asks a professional penetration tester in the classic movie Sneakers. Since then, penetration testing has grown into a fundamental component of healthy cybersecurity programs everywhere. External and internal penetration tests are critical for finding weaknesses in your technology infrastructure. This is especially important today, when zero-day exploits are an epidemic. As a result, penetration testing has emerged as our top control method for Q4 2023. You can also refer to our full list of 2023 Top Security Controls, and stay tuned for our upcoming 2024 list! This blog explores why external and internal penetration testing is vital and delves into two real-world case studies which show how pentesters find issues that are invisible to automated vulnerability scanners.

The Rise of Penetration Testing as a Top Cybersecurity Control

Penetration testing, often referred to as pen testing, involves simulating cyberattacks on a computer system, network, or web application to identify vulnerabilities and weaknesses that could be exploited by attackers. The adoption of penetration testing as a primary control mechanism reflects a strategic shift towards proactive security measures. Unlike traditional defensive tactics, penetration testing actively seeks out weaknesses in both external and internal systems before they can be exploited by malicious actors.

When conducting a penetration test, it’s important to carefully consider what systems you want to include. The two most common types of penetration testing are external and internal. External penetration testing targets an organization’s external-facing infrastructure, such as websites, servers, and network devices, to identify vulnerabilities that could be exploited from the outside. Internal penetration testing, on the other hand, simulates attacks from within the organization. This is crucial because it addresses the threat posed by insiders, whether malicious or accidental, and also assesses the potential damage from external attacks that have breached the perimeter defenses.

The Benefits of Regular Penetration Testing

Why did we name penetration testing as our top control for Q4 of this year? Here are the top three reasons:

1. Risk Detection and Mitigation: Penetration testing provides a real-world picture of how an attacker could actually breach systems and helps uncover vulnerabilities and weaknesses before exploitation. It helps you reduce risk and often reduces the damage if you do experience a data breach. Let’s look at the data. According to Coalition Insurance, organizations with even one unresolved critical vulnerability were 33% more likely to file a cybersecurity claim. In addition, IBM’s Cost of a Data Breach Report finds “Organizations with more proactive and risk-based vulnerability management, such as vulnerability testing, penetration testing or red teaming, experienced lower than average data breach costs.” In addition to being an industry best practice, external and internal penetration testing is now a requirement for some cyber insurance policies.
2. Compliance and Trust: Regular penetration testing helps organizations comply with industry standards and builds customer trust. An increasing number of organizations contractually require vendors to meet minimum cybersecurity standards to help reduce supply chain data breach risks (read our blog on supply chain security best practices for more information). According to the Identity Theft Resource Center, there were 40% more supply chain security attacks than malware attacks last year. Annual penetration testing provides powerful, quantifiable proof to assure your customers that your organization is working hard to proactively reduce your cybersecurity risks.
3. Prioritize Cybersecurity Investments: Penetration testing can help defenders identify top priorities and demonstrate to management why investing in those specific areas is important. Let’s dive into some case studies to illustrate how external and internal penetration testing helps organizations enhance their security posture and prioritize cybersecurity project planning.

Case Study #1: Stealing Credit Card Numbers

LMG’s team conducted an external penetration test for a client that ran an ecommerce platform. The web site was custom-built, using two technologies: PHP and Java. A vulnerability scan detected no major issues. However, our experienced penetration testers manually explored the site and found a vulnerability which enabled us to download any file on the server. This seemingly simple issue opened the floodgates for a massive problem: our ethical hackers fetched configuration files, which had passwords stored in them. Using these passwords, we were able to log in to an external-facing system which stored all customer transactions and data.

A hacker could have stolen thousands of credit card numbers. They could also have downloaded every customer purchase, obtained all of the personally identifiable data for every customer, and could even have run their own bogus transactions.

A vulnerability scanner would not have found this issue. While vulnerability scanners are very good with known web applications, they often miss issues in custom-written software or even just niche applications. It took an experienced person, who is trained to think like a hacker, to detect the issue.

Case Study #2: An IoT Device Leads to Full Network Takeover

All too often, hackers quickly gain a foothold inside your network. They attackers may send a phishing email to an employee and infect a workstation or laptop. In other cases, an employee may turn out to be an inside attacker. Whatever the case, it’s important to be prepared for the situations where attackers have access to a system on the inside.

In one internal penetration test of a financial institution, LMG’s team scanned the network and found an uninterruptable power supply (UPS). These common systems are designed to provide power to your environment for a short period of time in the event of a sudden loss of power.

The UPS had a web login form that enabled staff to administer the device. LMG’s team tried to log in with the manufacturer’s default credentials and found, as is often the case, that they worked.

A vulnerability scanner, had it detected the default cred, would have stopped there. This would have been considered a fairly low-risk issue. However, for hackers, it opened the door to a full network takeover.

“On almost every internal penetration test, we chain together multiple low- or medium- risk vulnerabilities to create a critical attack path on an organization’s network,” said Tom Pohl, LMG’s Penetration Testing Team Manager. “Automated scanning tools aren’t good enough to piece those together. We help put into context what a vulnerability actually means in the context of how it can be exploited.”

Once LMG’s team logged in with default credentials, we had access to the UPS device’s administrative interface. We saw that it was configured to log in to Office365 and send email. This is common because the UPS can send email alerts to staff if it detects problems (for example, a loss of power).

That meant there was a username and password stored in the device! Our pentest team knew hackers would be searching for these credentials. How did we get them?

Since we had the ability to reconfigure the UPS device, we quickly changed the server from Office365 to OUR servers, and we also unchecked the box that required encryption. Then, we triggered a test alert. When the UPS sent an email, it attempted to log in to OUR server. That meant it sent US the cleartext username and password. It was that easy.

Using our newly stolen credentials, we logged into the local domain controller. This was a low-level user account, nothing special—which is exactly what we wanted. From here, we explored the local services and found a service that was misconfigured. We were able to leverage this and trick another computer into thinking that WE were the domain controller—one of the core servers that run your organization’s network. We told the other computer we wanted to synchronize the password database. It gave us all the passwords for all users on the network.

All of the passwords were encrypted, but were able to crack more than 80% of the passwords in about 2 hours (for context, read our eye-opening blog on how quickly different passwords can be cracked). This included domain administrator passwords, which we could use to log in to any system in the domain, access all data, or create new administrator accounts. We could also login to Office365 and access any cloud files we wanted.  Game over.

Identifying a vulnerability independently in a vulnerability scan provides valuable information, but it doesn’t paint the full picture that shows how an attacker would chain them together to breach your environment. A penetration test, on the other hand, illustrates the true risk and helps your team prioritize vulnerabilities according to their actual risk for a data breach.

How To Conduct a Penetration Test

For organizations looking to implement penetration testing, here are some key steps:

1. Define the Scope: Clearly define what needs to be tested—be it networks, applications, or both.
2. Choose the Right Methodology: Select a testing methodology that aligns with your organization’s needs.
3. Engage Qualified Testers: Employ experienced testers who can simulate sophisticated cyberattacks.
4. Review and Act on Findings: Carefully review the test results and promptly act on the findings to enhance security.
5. Regular Testing: Regularly schedule both external and internal penetration tests to keep up with evolving threats.

For more detailed information, read our blog on best practices for planning your annual penetration test.

The Need for External and Internal Penetration Testing

In an era where cyber threats are constantly evolving, staying ahead of potential vulnerabilities and weaknesses is crucial. Penetration testing offers an invaluable tool in your cybersecurity arsenal, ensuring organizations are well-prepared to face and thwart potential cyberattacks. For this reason, it has been recognized as our top cybersecurity control of Q4 2023. By incorporating both external and internal penetration testing into your cybersecurity strategy, you can significantly enhance your security posture, safeguard sensitive data, and build a resilient and trustworthy digital environment.