What Do You Gain by Performing a Penetration Test?

As we continue to rely on technology in our everyday lives, we must remember that this interconnectivity comes with a price. The ability to reach devices remotely over the Internet has created a new world of ease and freedom, and that same ability can be abused by malicious actors. If a device is exposed on the Internet, it can be compromised. Organizations cannot avoid exposing some services: VPN gateways, SFTP servers, HTTP login pages, email, APIs and the like all require Internet exposure, and these are exactly what attackers target. Attackers scan the Internet for well-known ports with exposed, running services that may be exploitable. They will eventually find the services you are running and test your defenses. How will your perimeter defenses hold up against the attacks that follow?

Organizations can take steps to protect themselves and make their environment unappetizing to an attacker. Vulnerability scanning is now a common practice that companies use to gain meaningful insight into both their internal and external postures. These scans are high-level, automated checks that report the versions of systems, identify exposed services and assign a risk rating to each finding. A vulnerability scan can help an organization determine whether its configurations follow best practices and whether patching is occurring regularly. New vulnerabilities are disclosed every day, and once one is reported the affected software or hardware vendor must scramble to remediate it with a patch and push that patch out to its customers. If the patch is not applied, the vulnerability remains and gives an attacker a vector to target. This is where a vulnerability scan and a penetration test begin to diverge.
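The two paragraphs above describe how exposed services are found and how their version banners feed a scan's findings. The following is an added example written for this page, not code from the original post: a small TCP connect scan with banner grabbing, run against a throwaway listener started in the same process so it works offline. The listener, its port, and the `SSH-2.0-OpenSSH_7.4` banner it announces are constructed stand-ins for an exposed service, not a real daemon or a real finding.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_banner_listener(banner: bytes, host: str = "127.0.0.1") -> int:
    """Start a throwaway TCP service on an ephemeral port that greets every
    client with `banner`, the way SSH, SMTP and FTP daemons announce
    themselves. Returns the port it listens on. (Constructed stand-in for an
    exposed service; it does nothing except send the banner and close.)"""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 1.0):
    """Connect to one port. Returns (port, banner) if it is open, where banner
    is the text the service volunteered (possibly empty), or (port, None)
    if the connection was refused or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open, but the service waits for the client to speak first
            return port, data.decode("ascii", "replace").strip()
    except OSError:
        return port, None


def scan_host(host: str, ports, timeout: float = 1.0, workers: int = 32) -> dict:
    """TCP connect scan: {port: banner} for every port that accepted a connection."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, banner in pool.map(lambda p: probe(host, p, timeout), ports):
            if banner is not None:
                open_ports[port] = banner
    return open_ports


# A few of the "specific known ports" an Internet-wide scan goes looking for.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}

if __name__ == "__main__":
    port = start_banner_listener(b"SSH-2.0-OpenSSH_7.4\r\n")  # constructed banner
    results = scan_host("127.0.0.1", list(WELL_KNOWN) + [port])
    for p, banner in sorted(results.items()):
        print(f"{p:>5}/tcp open  {WELL_KNOWN.get(p, '?'):<6} {banner!r}")
```

The version string the constructed service hands out unprompted is exactly what a vulnerability scanner keys on to rate a finding; an attacker needs nothing more than this to decide which exploits to try next.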

A penetration test uses the information from vulnerability scans, plus additional probing, with the goal of discovering vulnerabilities that can actually be exploited. Once vulnerabilities are identified, the tester plans and executes exploits against them, just as an attacker would. The result is a live assessment of how real-world techniques for obtaining unauthorized access fare against your network.

During a penetration test, an ethical hacker reviews the target and plans a course of action to run exploits and test the different perimeter defenses. Additional tactics such as social engineering to obtain user access are also common and can be included in the scope. Attackers often spray an organization with fraudulent emails that either attempt to deliver malware into the company network or trick the user into entering network credentials into a malicious site that forwards them directly to the attacker. According to the Verizon Data Breach Investigations Report 2017, 90% of all incidents and breaches included a phishing element. [i]

Once an attacker has a user's credentials, the next step is to access the network and pivot: move to other systems and obtain administrator-level credentials for deeper access into the network. With administrator credentials an attacker can create several backdoors into the organization, which can be extremely difficult to detect.

Each organization must decide which type of penetration test it needs. The common types are web application testing, internal testing (a simulated insider threat) and external testing. A web application penetration test probes an application for weaknesses in several different ways. An internal penetration test simulates an insider threat; for example, a remote user's credentials are compromised and give the attacker VPN access. In this scenario the attacker already has access to the internal network but must bypass internal controls to reach sensitive systems. The last type, and the most common, is the external test: it simulates an attacker with no knowledge of your infrastructure who attacks only the external addresses provided for testing and attempts to breach the internal network.

Ethical hackers simulate a real-life attack scenario as closely as possible, and penetration testing can only strengthen your organization's security posture. The findings give an IT or InfoSec department valuable insight: they can raise the risk level assigned to known, correctable items and assign risk to issues that had gone unrecognized. As interoperability grows, the healthcare space will only attract more attackers. Companies grappling with difficult issues such as managing and tracking third-party access, the prevalence of remote workers and the constant threat of human error face an increasing probability of introducing vulnerabilities that an attacker can, and eventually will, exploit. It is important to stay a step ahead of the threats that lurk on the Internet.

Organizations must face the reality that attackers are out there searching for their next victim. In 2019, Recorded Future reported on the 100th publicly reported state or local government hit by a ransomware attack.[ii] Numbers like these are alarming and should motivate every organization to bolster its information security budget, not only for better defenses but also for security awareness training.


[i] https://www.phishingbox.com/downloads/Verizon-Data-Breach-Investigations-Report-DBIR-2017.pdf

[ii] https://www.recordedfuture.com/state-local-government-ransomware-attacks-2019/

Jawn of the Month

For the last Jawn of the Month for 2019, I have to go with Disconnect. Disconnect is an impressive ad and tracker blocker, installed as a browser extension for all the popular web browsers. Disconnect also has a pretty cool paid mobile application that can provide some insight into what processes are running on your phone.

Our data is now extremely profitable to organizations. You can make it more difficult for any company to track you by using a few different tools to block their activity. Tools like Disconnect and the Brave browser go a long way toward blocking some tracking services. Tools such as Pi-hole and firewall rules can block further trackers by changing the DNS server you use or by blocking known tracking addresses.

Unfortunately for us, some trackers can still bypass blocking in the web browser and at the DNS level. Avoiding these trackers takes deeper steps, such as using a VPN to mask the true origin of your connection. Smarter trackers can follow a user's activity based on the device's external IP address. This works even with cell phones, since a device identifier (UID) or MAC address can be used to link a single device to multiple IP addresses, given that a mobile device rarely keeps a static IP address.

Using tools like Disconnect may not make you completely invisible to advertisers, but it certainly can reduce the information they obtain about you.

https://disconnect.me/

Jawn of the Month

I’ve been extremely busy at work and haven’t had time to do much writing.

So without further delay, the jawn of the month is…

The Brave Browser…

I downloaded it months ago for the free airdrop of coins. I recently faced an issue with my previous browser of choice, Firefox, and switched over to Brave. I was able to import everything and set up my password manager, and haven't skipped a beat. Additionally, it has more built-in security capabilities while using far fewer system resources. You can also earn BAT, a digital currency used for tipping content providers, simply by viewing some occasional ads.

It's a cool product; it serves a purpose but keeps security at the core of its principles.

https://brave.com/

Jawn of the Month October

The Jawn of the Month for October 2019 is Wazuh.

Wazuh is an open-source security platform that can operate within enterprise environments.

Wazuh gives organizations the tools that compliance frameworks commonly require, such as log monitoring, threat detection, file integrity monitoring and intrusion detection. Off-the-shelf products with these capabilities normally cost exorbitant amounts of money. Wazuh has the capability, but installation, implementation and maintenance fall to your IT team. If you have the technical capability, looking at open-source tools is a no-brainer.

This jawn is cool and it is free!

An Assessor's Thoughts on Split Tunneling

Today's networks require the flexibility to let workers work from multiple locations. One of the most common methods of remote network access is a Virtual Private Network (VPN). VPNs come in all shapes and sizes, from hosted to on-premises to in the cloud, and can be built to fit almost any need. One topic that is often overlooked, however, is whether to allow VPN users to split tunnel. Webopedia defines split tunneling as "The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN." In other words, the user has a tunnel to the corporate network for applications and shared drives, while web browsing and local resources go out through the remote user's own Internet connection.

A question assessors are often asked is whether split tunneling should be allowed for remote VPN connections. The answer comes down to two things. First, does your organization have specific legal or compliance requirements surrounding network access? Second, how much do you trust the party using the remote access VPN?

If user-owned devices are accessing your network, the risk is that those devices do not meet your organization's basic policy requirements and create an attack vector into your network. Allowing split tunneling widens that exposure. Even if the remote device is compliant, the remote user can still pick up malware while connected to the split-tunnel VPN, because their Internet traffic never passes through your controls, and an infection can then spread from the remote user's device across the VPN connection.

In security terms, the biggest risk of enabling split tunneling is the loss of defense in depth. With split tunneling enabled, you have an open connection into your network from a device that is also sending and receiving traffic that never passes through your organization's perimeter security devices, such as the firewall, IPS or IDS. Your organization therefore cannot monitor the remote device's web traffic through the VPN connection.

A split tunnel also increases the opportunity to exfiltrate data from the organization. Controls that prevent copying and pasting of data may become ineffective, because traffic can be sent outside the reach of the organization's Data Loss Prevention (DLP) system. Exfiltration is certainly possible over a full VPN tunnel as well, but preventing it becomes much more difficult with a split tunnel.

If the remote VPN user is on a public Internet connection, the traffic that is not sent over the VPN is not protected by the tunnel's encryption, leaving it susceptible to snooping whenever an unencrypted protocol is in use.
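The preceding paragraphs come down to one routing question: for a given destination, does the packet leave through the tunnel (and therefore through the corporate firewall, IPS and DLP) or through the user's own ISP connection, unseen? The following is an added example written for this page, not code or configuration from the post or from any vendor. It models the client routing table produced by two constructed OpenVPN server configurations, one pushing `redirect-gateway def1` (full tunnel) and one pushing only corporate prefixes (split tunnel), and reports which destinations bypass the perimeter. The prefixes, interface names and destination addresses are assumptions chosen for illustration.

```python
import ipaddress

# Route directives a VPN server pushes to its clients, in OpenVPN's push
# syntax. Both sets are constructed for this example, not taken from the post.
FULL_TUNNEL = [
    'push "redirect-gateway def1"',         # all client traffic goes through the VPN
    'push "route 10.0.0.0 255.0.0.0"',
]
SPLIT_TUNNEL = [
    'push "route 10.0.0.0 255.0.0.0"',      # only corporate prefixes go through the VPN
    'push "route 172.16.0.0 255.240.0.0"',
]


def routes_from_push(directives, vpn_if="tun0", local_if="wlan0"):
    """Expand pushed directives into a client routing table: a list of
    (network, egress interface) pairs ordered most-specific first."""
    # The client keeps its own default route via the local ISP connection.
    routes = [(ipaddress.ip_network("0.0.0.0/0"), local_if)]
    for directive in directives:
        words = directive.split('"')[1].split()
        if words[0] == "route":
            # "route <network> <netmask>"; ipaddress accepts dotted netmasks.
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            routes.append((net, vpn_if))
        elif words[0] == "redirect-gateway" and "def1" in words:
            # def1 does not replace the default route; it adds two /1 routes that
            # are more specific than 0.0.0.0/0, so every destination prefers the VPN.
            routes.append((ipaddress.ip_network("0.0.0.0/1"), vpn_if))
            routes.append((ipaddress.ip_network("128.0.0.0/1"), vpn_if))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def egress_interface(routes, destination):
    """Longest-prefix match, as the client's kernel would do it."""
    addr = ipaddress.ip_address(destination)
    for net, iface in routes:
        if addr in net:
            return iface
    raise LookupError(f"no route to {destination}")


def audit(directives, destinations, vpn_if="tun0"):
    """Return {destination: True if it traverses the VPN (and so the corporate
    firewall/IPS/DLP), False if it leaves via the local ISP uninspected}."""
    routes = routes_from_push(directives, vpn_if=vpn_if)
    return {dst: egress_interface(routes, dst) == vpn_if for dst in destinations}


# Constructed destinations: a corporate file server, a corporate app on the
# second pushed prefix, and two Internet hosts in the RFC 5737 TEST-NET ranges.
DESTINATIONS = ["10.20.30.40", "172.16.5.5", "203.0.113.10", "198.51.100.7"]

if __name__ == "__main__":
    for name, cfg in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(f"{name}:")
        for dst, inspected in audit(cfg, DESTINATIONS).items():
            verdict = "via VPN, inspected" if inspected else "via local ISP, bypasses perimeter"
            print(f"  {dst:<14} {verdict}")
```

Under the full-tunnel configuration every destination is routed through `tun0`; under the split-tunnel configuration only the two corporate prefixes are, and the Internet destinations never touch the perimeter controls, which is precisely the monitoring and DLP gap described above.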

Protections to mitigate the risk of split tunneling should include, first and foremost, a valid Business Associate Agreement (BAA) that obligates the third party to implement security controls verifying that remote workstations are protected. Second, user training and a signed acceptable use policy should be in place. As for technical controls, a VPN agent that performs a health check and verifies the device is compliant should be implemented. The health check should verify that operating system patches are installed and that anti-virus is installed, running and updating regularly.

It is common practice to place a firewall in front of the VPN traffic, but this firewall is generally not as robust as the perimeter firewall, and it is the only protection for your network against malicious traffic traversing the VPN tunnel. Properly configured, the VPN firewall will block malicious VPN traffic, but it is a single layer of defense. As IT security matures, implementing multiple layers of defense to prevent a breach of data has become standard practice. Disabling split tunneling for VPN access helps keep some malicious traffic from traveling over the VPN connection.

One of the most effective protections an organization can implement is strong network segmentation. Remote users should be able to reach only the systems required to perform their job functions, and restrictions should segment your network so that remote users do not get unlimited access. All too often, our security professionals see remote access VPNs that allow complete, unrestricted network access. Segmenting VPN connections so they reach only the required systems is paramount to a strong security posture, and a strong network-wide segmentation practice can be the deciding factor between a minor breach and a massive one.

The benefits of split tunneling depend on needs. A split-tunnel VPN gives the remote user the fastest web browsing, since they use the ISP they are connected to instead of sending that traffic through the business's network. From a network standpoint, it reduces the bandwidth consumed by VPN traffic, as only business traffic is sent over the VPN and everything else flows directly through the remote user's ISP connection. A small benefit is that a remote worker can print to a local network printer while connected to the VPN; it is a minor issue, but one that certainly comes up a lot.

The HITRUST CSF does contain a requirement regarding split tunneling: a specific requirement prohibits split-tunnel VPNs, but in HITRUST CSF v9.2 it is not part of the common baseline and applies only to larger organizations. The decision to allow a split-tunnel VPN therefore comes down to three questions. One, is there a legal or compliance requirement that must be satisfied? Two, does the reward of split tunneling outweigh the risk? And three, do you have enough trust in the employees, contractors or vendors who will use the split-tunnel VPN? Once an organization answers these three questions, it can determine whether a split-tunnel VPN works for it.

Jawn of the Month

For July the Jawn of the month is……..

Discord

I'm no longer employed by an organization that uses Slack. I missed my group chats, and I've been able to rediscover a lost fondness for group chatting. Discord, if you haven't used it, is very cool and contains all of the options you'd want in a chat.

I've found that it contains tons of non-gamer chat rooms for interesting topics. I had used IRC again briefly and quickly moved over to Discord.

@jerkyyy

Jawn of the Month

Philips Hue Smart Color Lights…

I don't care if you can hack them. Just watch the scene from Game of Thrones Season 8, Episode 3 when Melisandre lights the trench with these jawns synced to the TV…

Jawn of the Month June 2019 = Philips Hue Smart Lights

More addicting than cryptocurrency.

Advice for prospective Info Sec/Security careers

Let me preface this by saying I'm not an expert. I have had the benefit of meeting some very smart key individuals who have helped me along the way. Because I received help in the form of advice and teaching, I feel it is my responsibility to pass this knowledge on. With that said, let's get started.

Before you decide on a career path in security, know that there are different avenues within security, and they are vastly different. Different security roles require different skill sets and perform different tasks day to day. This list will not cover every security position available, but I can describe a few areas.

Information Security Consultant is a popular and extremely common position. InfoSec consultants work with their organization or clients to achieve a strong position with regard to compliance. It is a less technical position. Traditionally InfoSec staff have IT experience and understand the systems they are auditing; today, however, it is very common for InfoSec professionals to have little to no IT experience and to learn the particular framework their clients or organization are striving to meet. These frameworks are usually based on NIST CSF or ISO 27001. This position spends a large majority of its time on policy and procedure documentation: creating it, or working with an organization to improve theirs, is something InfoSec individuals do constantly. To succeed you must have strong reading comprehension, excellent writing skills and an eye for detail. InfoSec positions vary in the IT skills required, but overall, in my experience, the InfoSec crowd is very different from the engineering team. The InfoSec crowd focuses on creating, reviewing and updating an organization's policy and procedure documentation, which must align with the legal and regulatory compliance standards that apply, such as PCI DSS, FISMA or HIPAA/HITRUST. The InfoSec team will also need to review the implementation of technical controls, which requires advanced IT knowledge to truly assess the organization's security posture.

To obtain employment in information security it is important to have a strong background in writing and reading comprehension. I'd say a bachelor's degree is more important for a career in information security because experience with advanced writing will be extremely important. I'd also suggest learning the basics of networking, access control and other underlying IT infrastructure. I've met InfoSec professionals with little to no IT experience, and there is absolutely a learning curve. How can you review or assess policies or procedures for specific IT controls if you don't fully grasp what the controls do? And more importantly, how can you assess IT controls if you have no knowledge of the systems being reviewed? An InfoSec professional with little or no IT experience will need to lean on senior members and ask about the unknowns. The worst thing an inexperienced team member can do is make assumptions about technologies they don't understand.

The Security Engineer is a different path for security professionals. As a security engineer you need a strong technical background in IT: at a minimum, the basics of networking, server administration, access controls, web services and secure communication protocols. Skills such as programming and report writing will also be extremely helpful. Security engineers have a less predictable day to day, as their tasks can be drastically different; reviewing vulnerability scans or parsing through logs from different equipment are examples of regular work. Security engineering roles often carry varied responsibilities, including implementing projects, automating tasks, responding to alerts and threats, and working with the compliance folks. A security engineer works to remediate issues and improve the organization's security posture. As far as excitement goes, the security engineer faces a different set of challenges, which can be exciting at times.

To become a security engineer I'd suggest one of two routes. The first is to obtain a computer science degree and build a strong foundation in programming; expect to be forced to learn IT and to spend extra free time learning how the infrastructure works. The reverse is also true: my route to security came from working in IT. Starting in IT and learning different aspects such as networking, servers, applications and access controls can lead to a promising security career. As any security engineer will tell you, this job does not end once you're off the clock. Security engineers who thrive in this business will tell you that spending your free time reading about new threats and learning new skills is a regular occurrence. IT and security advance very quickly, and it doesn't take long to become obsolete.

A career in security can be extremely rewarding and profitable. However, it is also extremely challenging and difficult, which is why it is profitable. The industry requires constant self-study and continuing education. In security you can truly advance as far as your capability and determination will take you.

Zero Trust Architecture and the Future of Networking

In today's networks, a strong defense at the perimeter is no longer sufficient to keep your data safe. The IT landscape moves quickly, and so do the threats we face. Strong networks implement additional defenses at internal boundary points, and ideally these defenses vary between segments housing data of differing sensitivity. The healthcare industry has been slowly adopting stricter network segmentation and role-based access throughout its networks. These additional defenses are absolutely worth implementing, but we should not stop there. Enter Zero Trust architecture, which follows the never trust, always verify model: it does not assume that traffic within the same zone is safe.

John Kindervag developed the concept of Zero Trust in 2010. In January of that year, Google announced it had been hacked by what was believed to be an advanced persistent threat attributed to the Chinese government. This led Google to look outside the box for a different approach to security, and eventually the company implemented a Zero Trust architecture throughout its network.

Endpoint protection is one of the biggest obstacles in IT. If your organization falls victim to an attacker, the odds are it was through a compromised endpoint. In most networks intra-zone traffic (lateral movement) is the least restricted. Zero Trust requires access to each host to pass multiple authentication checks regardless of the user's location: a user within the same network zone authenticates through exactly the same process as a user outside the network. In my experience, a Zero Trust implementation required a username and password, which integrates easily with an Active Directory or LDAP identity store. Multi-factor authentication must also be enabled, using a soft-token authenticator or a one-time password sent to a mobile device. The last step may be a device certificate issued to the device. This model authenticates the user, the device and the session, and all of this information is exchanged over a TLS connection so that it is sent and received securely.

Authenticating and validating the device, session and user in this way is an ideal security approach. An added benefit of the device certificate is that the Zero Trust console holds an inventory of the devices with access and details of the specific access rights granted, which is a handy tool when an assessment is on the horizon. While it is difficult to call anything foolproof, this model adds a layer of security that the current threat environment demands.

The technology used by Zero Trust architecture already exists in the field: multi-factor authentication, X.509 device certificates (commonly with RSA keys) and your current identity management system. Zero Trust takes the idea of segmentation to the micro level, where each host is segmented and secured individually. To picture it in action, imagine a burglar breaking into a building only to find a long hallway of locked steel doors.
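To make the model in the last three paragraphs concrete, here is an added example written for this page; it is not the author's deployment, Google's, or any vendor's product. It is a policy decision point that checks all three factors (user credential, MFA, enrolled device) and a per-host authorization rule for every request, and deliberately never consults the source IP, so a request from the office LAN and one from a coffee shop are judged identically. Assumptions: TOTP (RFC 6238) stands in for the soft-token authenticator; a device-certificate fingerprint looked up in an enrollment inventory stands in for validating the X.509 chain presented during the TLS handshake; the user, seed, fingerprints, hostnames and expiry times are all constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Tuple

# --- Constructed identity store, MFA seeds and device inventory (not from the post) ---
PBKDF2_SALT = b"constructed-static-salt"   # a real store uses a random salt per user


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PBKDF2_SALT, 200_000)


USERS = {"alice": hash_password("correct horse battery staple")}

# TOTP seed taken from the RFC 6238 test vectors so the expected codes are well known.
TOTP_SEEDS = {"alice": b"12345678901234567890"}

# Device inventory keyed by certificate fingerprint (hypothetical values). A real
# deployment validates the client certificate chain in the TLS handshake; the
# inventory lookup stands in for that here.
DEVICES = {
    "fp-alice-laptop":     {"owner": "alice", "not_after": 1_900_000_000, "healthy": True},
    "fp-alice-old-laptop": {"owner": "alice", "not_after": 1_600_000_000, "healthy": True},
}

# Per-host authorization: which identities may reach which protected host.
ACCESS_POLICY = {"hr-db.corp.example": {"alice"}, "build.corp.example": set()}


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(seed: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus or minus `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(seed, at + i * 30), code)
               for i in range(-window, window + 1))


@dataclass
class AccessRequest:
    user: str
    password: str
    otp: str
    device_fingerprint: str
    target_host: str
    source_ip: str      # logged for audit only; never part of the decision
    now: int            # Unix time, injected so decisions are reproducible


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Zero Trust decision: every factor is checked on every request, whether it
    arrives from the corporate LAN or from the public Internet."""
    stored = USERS.get(req.user)
    if stored is None or not hmac.compare_digest(stored, hash_password(req.password)):
        return False, "user credential rejected"
    if not verify_totp(TOTP_SEEDS[req.user], req.otp, req.now):
        return False, "MFA rejected"
    device = DEVICES.get(req.device_fingerprint)
    if device is None or device["owner"] != req.user:
        return False, "unknown device or device not enrolled to this user"
    if req.now >= device["not_after"]:
        return False, "device certificate expired"
    if not device["healthy"]:
        return False, "device failed health check"
    if req.user not in ACCESS_POLICY.get(req.target_host, set()):
        return False, "identity not authorized for this host"
    return True, "granted: user, MFA, device and host policy all verified"


if __name__ == "__main__":
    now = 1_700_000_000
    code = totp(TOTP_SEEDS["alice"], now)
    for src in ("10.0.0.5", "203.0.113.9"):   # inside the zone vs. a public address
        req = AccessRequest("alice", "correct horse battery staple", code,
                            "fp-alice-laptop", "hr-db.corp.example", src, now)
        print(src, authorize(req))
    stale = AccessRequest("alice", "correct horse battery staple", code,
                          "fp-alice-old-laptop", "hr-db.corp.example", "10.0.0.5", now)
    print("expired device", authorize(stale))
```

The point to notice is what is absent: there is no branch on `source_ip` or on which network segment the request came from. A valid password alone, or a valid password plus MFA from an unenrolled or expired device, is refused from inside the zone just as it would be from outside; that is the "never trust, always verify" rule expressed as code.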

What does this mean for the future? As the medical field adapts and leans on the Internet of Things (IoT) to report metrics from a patient's wearable technology to hospitals, the interoperability of these devices will depend on information sent and received over the Internet. As more patients gain access to medical devices outside the hospital, expect Zero Trust to be the model these devices use. The next generation of medical devices will need to send information securely over the Internet and will need maintenance, which means frequent updates over the Internet. Any device exposed to the Internet faces risk, but Zero Trust architecture gives even small devices a fighting chance at maintaining security. Medical device technology is advancing, so the security infrastructure must follow.

As new principles in security flourish, some newer technologies are emerging alongside Zero Trust. Software is quickly moving into the networking space, and Software Defined Networking (SDN) has been a driving force. SDN and Zero Trust will fundamentally change how networking is done, and these changes are coming quickly, whether in the cloud or on premises. Zero Trust is the security architecture of the future. With the widespread acceptance and success of DevOps, this trend will only continue: as developers keep migrating into the IT space, expect IT tasks to become ever more automated.

Zero Trust will not completely remove the need for VPNs, since IT may still need network-level access or site-to-site connections between locations. Zero Trust can change how IT administrators reach their networks if they choose to adopt it. VPNs will not fade away quickly, but they will gradually give way to the next generation of remote access.

Zero Trust is not only an architecture; it is becoming a mindset for information security. Next-generation firewalls, IPS and other security tools can be used alongside Zero Trust access principles to build more robust protection for both the boundaries and the hosts.

What does this mean for assessors? VPNs will be used less for remote workers as direct access methods such as Citrix and other web-based applications become more prominent. Site-to-site VPNs will likely still exist, but in a much more automated and centrally controlled form. IT departments may always find a business justification for network-level access; however, expect VPNs to become scarcer as the technology advances.

In with the new, but stay with the old: just because newer security techniques are appearing does not mean we should neglect the basics. If a company doesn't have an up-to-date asset inventory, has never actually tested a restore from backup, or has never audited its user accounts, it is asking for trouble. We often hear of companies breached through preventable vulnerabilities; had their systems been implemented correctly, or had additional security layers been in place, they could have limited the damage. If a company does the little things right and builds on that by using tools efficiently and effectively, security is achievable. Companies rarely have the resources to spot every one of their deficiencies, so it is extremely important to find the right partner to assess the environment, provide a clear roadmap to remediation, and then reassess to confirm the security posture is moving in the right direction.