As we continue to rely on technology in our everyday lives we must remember this interconnectivity comes with a price. The ability to access devices remotely over the Internet has created a new world of ease and freedom, which can be manipulated by malicious actors. If a device is exposed on the Internet it has the possibility of being compromised. Organizations can’t help but exposing some services over the Internet, items such as VPNs, SFTPs, HTTP Logins, Emails, APIs and etc. will require exposure to the Internet. Items such as these often become the target of a hacker. Hackers will scan the Internet looking for specific known ports containing exposed running services, which can be exploitable. Hackers will eventually find the services you’re hiding and will test your defenses. How will your perimeter defenses hold up against any possible attacks?
Organizations can take steps to protect themselves against hackers and make their environment unappetizing for any attacker. Testing systems through vulnerability scanning is now a common practice which companies utilize to gain meaningful incite regarding both their internal and external postures. These vulnerability scans are high-level automated scans that provide information regarding the versioning of systems, identifying exposed services and determining the associated risk of those findings. A vulnerability scan can help an organization determine if their configurations are following best practices and if system patching is occurring regularly. New vulnerabilities are discovered every day and once a discovery is reported a specific software or hardware vendor must scramble to remediate the issue through a patch and push those patches out to its clients. If a patch is not applied and the vulnerability exists it creates a possible vector for a hacker to pinpoint. This is where the difference between a vulnerability scan and Penetration test begin to diverge.
A Penetration test can utilize information obtained from vulnerability scans and additionally probing with the goal of discovering possible exploits. After vulnerabilities are discovered a hacker will plan and begin executing different exploits against those detected vulnerabilities. A Penetration test will provide the organization with a live assessment of real-world techniques to obtain unauthorized access into your network.
During a Penetration test, an ethical hacker will review and plan a course of action to perform exploits and test different perimeter defenses. Additional tactics such as social engineering to obtain user access are also common practices, which can be included in a Penetration Test. Often an attacker will spray an organization with fraudulent emails attempting to either inject malware into the company network or trick the user into entering the network credentials into a malicious site, which are sent directly to the attacker. According to the Verizon Data Breach Investigations Report 2017 90% of all incidences and breaches included a phishing element. [i]
Once a hacker has obtained a user’s credentials the next step will be to access the network and pivot. Once access is obtained the hacker will attempt to pivot access to different systems along with obtaining administrator-level credentials for further access into the network. If administrator credentials are obtained an attacker can create several different backdoors back into the organization, which can be extremely difficult to detect.
The type of Penetration test required will need to be decided by each organization. There are different types of Penetration testing, which include, web application testing, internal testing (simulated insider threat) and external testing. Web application Penetration testing will test an application for weakness in several different ways. An internal Penetration test could simulate an insider threat. This attack could originate from a remote user’s credentials being compromised and provide VPN access to a hacker. In this scenario, the attacker has access to the internal network but must bypass any internal controls to access sensitive systems. And the last type of attack is an external attack, which is the most common. This type of attack is simulating a hacker with no knowledge of your infrastructure and attacking only the external addresses provided for testing attempting to breach the internal network.
Ethical hackers will simulate as close as possible what is a real-life attack scenario. Utilizing Penetration testing will only strengthen your organization’s security posture. The findings from a Penetration test can provide valuable incite for an IT or InfoSec department to add additional risk levels to correctable items or create new additional risk for unrealized discoveries. As interoperability continues to grow the risk of the Healthcare space attracting more hackers will only continue. While companies grapple with difficult issues such as managing 3rd party access and tracking, the prevalence of remote access workers and the constant threat of human error it will only increase the probability of creating vulnerabilities that a hacker can and will eventually exploit. It’s important to stay a step ahead of all the scary things, which lurk on the Internet.
Organizations must face the reality that hackers are out there searching for their next victim. In 2019, the publication Recorded Future reported on the 100th publicly reported state or local government hit with a ransomware attack.[ii] These types of numbers are alarming and should motivate every organization to bolster its Information Security budgets not only for better defenses but security awareness training.
[i] https://www.phishingbox.com/downloads/Verizon-Data-Breach-Investigations-Report-DBIR-2017.pdf
[ii] https://www.recordedfuture.com/state-local-government-ransomware-attacks-2019/