Penetration Testing | Want good results? Focus on commendable practices

A common refrain heard from members of LMG Security’s penetration testing team is:

“Why are commendable practices so hard to come up with?”

As a rule, we include two or three “commendable practices” in the Executive Summary of each of our reports. Sometimes identifying them can be a daunting task.

As penetration testers, our focus is to identify and exploit IT security weaknesses that will lead to the compromise of a target organization’s systems and/or networks. From the start of each engagement we are attuned to uncovering those weaknesses, and depending on how the engagement is scoped, time is usually in short supply. Often the penetration tester is up to their nose in vulnerabilities and system weaknesses that must be explored. It may not be till the last day of an engagement that the attention turns to identifying the commendable practices that have been uncovered along the way. Usually this is because the tester has been busy exploiting vulnerabilities, and gaining privileged access on the target organization’s systems. From this position, commendable practices appear in short supply.

It is not to say that commendable things are not being done out there. Truth is, they are. However, they are few and far between. If a tester finds that all their exploitation plans, and attacks are thwarted from the start of an engagement – identifying the commendable practices is as easy as listing the obstacles encountered.

So, what does this mean? I’ve come up with three main reasons why commendable practices can be so difficult to identify:

1. Ignorance
2. Resources
3. Convenience

Let’s look at each in more detail.

Ignorance: The target organization is not aware of their IT security posture, lacks knowledge of their weaknesses, and to date have not focused on prioritizing positive steps that can be taken to improve. In these instances, it’s not uncommon for LMG to use the following commendable practice: “Company X is taking a proactive approach to cyber security by having a penetration test conducted to better understand their security posture.”

Resources: The target organization’s technical staff are aware of the security weaknesses, and often have identified what needs to be done to remediate them, and presented this information to management. However, money has not been budgeted for these efforts. In these instances, upper management usually does not yet understand the true business risks the technical vulnerabilities present, and the financial implications of the risks, even though they were made aware of their existence. An example of the type of thing we hear from technical staff is: “We informed management that we need to stop supporting that protocol, but we run legacy software that requires it, and the replacement is spendy, so they’ve been putting off replacement.”

Convenience: The target organization is aware of the weaknesses, but technical staff have been unsuccessful selling them on their remediation due to concerns of convenience, often related to speed. In these cases, ignorance is commonly a component. An example would be hesitance to make changes based on concerns like “What if that slows down the network?” Or even more commonly: “We’ve been telling them we need to change the password policy to include greater length and complexity requirements, but no one wants to memorize a 14-character password.”

When any of these three reasons, or some combination of them all, are at play in a target organization, it becomes clear rather quickly that establishing commendable practices will be a challenge. It also becomes apparent that compromising their systems and networks will not be very difficult.

Counter to this is the reality that if none of these reasons are at play, then the commendable practices will be so obvious and numerous that in many respects they will write themselves. That is, from the start of the engagement the results of the commendable practices will be obvious due to the difficulty in exploiting vulnerabilities, and compromising systems and networks. With each failed exploitation attempt, a corresponding commendable practice is usually present.

Takeaways:

1. The fact our penetration testing team regularly finds it difficult to come up with commendable practices for the target organizations we test indicates something troubling about the cyber-security landscape. In short, there are a lot of vulnerable systems out in the wild that are not getting the security attention they require, making life easier than it should be for malicious actors and security testers to exploit them.
2. The overarching requirement for overcoming the three main reasons why coming up with commendable practices is difficult (i.e., ignorance, resources, and convenience), is management commitment to IT security. If this commitment doesn’t exist at the management level, it is not going to exist within the technical teams, and amongst staff in general. If not there, it will not be a part of the technical controls on systems and networks, either.
3. Good penetration test results correlate with lots of commendable practices, which correlates with strong IT security management. Poor penetration test results correlate with few commendable practices, which correlates with weak IT security management.

This is consistent with IT security frameworks like the National Institute of Standards and Technology (NIST), and compliance standards like the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Each emphasizes the importance of management, alongside established technical controls, in creating hardened cyber-security environments. This further highlights the importance of management involvement in realizing IT security goals.

If you want to make it hard for your next penetration tester to come up with commendable practices for your organization, leave IT security up to your technical staff. But be forewarned, this is not just stuff for the nerds to figure out. If you’d prefer to make it hard for your next penetration tester to compromise your systems and networks — but easy to come up with commendable practices – require management to be intimately involved in your IT security development.

Examples of top “Commendable Practices”:

• Network Access Control (NAC) was implemented on the internal network and was configured with strong policy enforcement. Attempts to evade the NAC were not successful.
• Systems were not left in their default configuration, and all default accounts were disabled.
• Strong domain account policies – the combination of a strong password complexity policy and an account lockout policy prevented brute-force password guessing attacks against active domain accounts.
• Multifactor authentication was implemented for all domain-joined workstations and servers.
• Properly configured user permissions – users were given appropriate system and domain level permissions. Employees were given permissions that did not provide unneeded administrative access on the network.
• Effective monitoring and alerting process — all actions taken by LMG were effectively monitored and could have been stopped at any point in time.
• SMB signing required – LMG found that SMB signing was required and enforced on every assessed Windows and SAMBA server on the network. This prevented LMG from conducting successful SMB relay attacks.
• Patch management – systems were found with up-to-date manufacturer recommended patches.