Latest news from us
Vulnerability scanning is the process of using an automated tool to send large numbers of payloads at a target (a website or a network) to see whether it is vulnerable to publicly disclosed security problems. As new security problems are identified by researchers around the world they are added to the list of tests the scanner performs, and so the arms race between attackers and defenders evolves.
If you've read my previous article "What is Pentesting?" you'll have seen that most Pentesters use vulnerability scanners as part of their toolkit, so they can focus their attention on the areas of the target site or network that are most likely to need remediation.
The results of the scan are combined with the results of manual investigation so that as many as possible of the issues present are included in the report. The objective of a Pentest is not necessarily to compromise the server or network, although this is often possible. The purpose of a Pentest is to identify and report as many security issues as possible that could be used by an attacker to gain their first foothold on their target. In many cases these issues are rated as low risk on their own. However, in my experience, when it is possible to compromise a web server or gain unauthorized access to a network, it is as often through something considered low risk as through a critical flaw, which is much harder to find. It's fair to say the vast majority of attackers use automated means to find low-level vulnerabilities and only really start paying attention once they have a foothold in the target. As such it makes sense to use automated means to find the vulnerabilities they use to gain that foothold and plug them as soon as possible.
An example of an attack chain that is very effective but uses only low-risk vulnerabilities could be as follows:
An attacker identifies that the login page of their target website is vulnerable to user enumeration. This means that either the registration or the password recovery page returns a message that confirms whether or not a user's email address is registered on that site, e.g. try to register or recover your password and receive a message saying "This user is already registered, please try another email address" or similar. The attacker can then run a huge list of email addresses against that function and identify a long list of users, possibly including site administrators.
They then identify that the login page is vulnerable to clickjacking. This is when the page can be loaded in an iframe. This iframe is loaded over the attacker's own login page, hosted on a look-alike domain name that in some cases is indistinguishable from the real one.
When this is set up correctly from the attacker's perspective they can email a link to all the users they have enumerated, and when those users go to log in they will be sending their login credentials to the attacker-controlled site, which then forwards them to the real site. The user won't notice any difference but their credentials will have been compromised. In essence the legitimate login page has been turned into a phishing page using one low-risk vulnerability, the clickjacking, and the attack has been completed with the use of one more low-risk vulnerability, the user enumeration, plus a smattering of social engineering in the email.
I mention this to demonstrate that a site can be compromised using only low-risk vulnerabilities in combination. I've done tests for clients who take the view that they only fix issues rated medium and above as part of their risk appetite, and this has always worried me.
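To make the two low-risk issues in that chain concrete from the defender's side, here is an added example (not code from the original article or from any product it mentions) of the checks a scanner or a pre-release test would run against your own site, alongside a leaky and a hardened password-recovery handler. The `Response` type, the `REGISTERED` user table and the handler names are constructed for the example; the anti-framing headers (`X-Frame-Options` and the CSP `frame-ancestors` directive) are the real browser mechanisms.

```python
from dataclasses import dataclass, field

# Minimal stand-in for an HTTP response so the checks run offline (constructed).
@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# --- Check 1: can the page be loaded in a third-party iframe (clickjacking)? ---
def framing_protection(resp: Response) -> bool:
    """Return True if the response forbids framing by other origins.

    Either X-Frame-Options (DENY / SAMEORIGIN) or a CSP frame-ancestors
    directive that does not allow everything is enough; modern browsers
    prefer the CSP directive, X-Frame-Options covers older ones.
    """
    h = {k.lower(): v for k, v in resp.headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            # A wildcard or a bare scheme still lets any site frame the page.
            return bool(sources) and not any(
                s in ("*", "http:", "https:") for s in sources)
    return False


# --- Check 2: does the recovery endpoint confirm whether an address exists? ---
def leaks_account_existence(known: Response, unknown: Response) -> bool:
    """Compare the responses for an address you know is registered (one of
    your own test accounts) and one you know is not. Any difference in
    status or message is the user-enumeration oracle described above."""
    return (known.status, known.body.strip()) != (unknown.status, unknown.body.strip())


REGISTERED = {"alice@example.com"}  # constructed sample user table

SECURE_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def recover_password_leaky(email: str) -> Response:
    """The weak pattern: a different answer for registered vs. unknown addresses."""
    if email in REGISTERED:
        return Response(200, {}, "A reset link has been sent.")
    return Response(404, {}, "This email address is not registered.")


def recover_password_hardened(email: str) -> Response:
    """Same status, same message and anti-framing headers regardless of whether
    the address exists; the reset email is only actually queued if it does."""
    if email in REGISTERED:
        pass  # queue_reset_email(email)  -- hypothetical mail-sending step
    return Response(200, dict(SECURE_HEADERS),
                    "If that address is registered, a reset link has been sent.")


def scan_recovery_endpoint(handler) -> list:
    """Run both checks against a handler and return the findings a scanner
    would report, so a release pipeline can fail on a non-empty list."""
    known = handler("alice@example.com")
    unknown = handler("nobody@example.com")
    findings = []
    if leaks_account_existence(known, unknown):
        findings.append("user enumeration: responses differ for known/unknown address")
    if not framing_protection(known):
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    return findings


if __name__ == "__main__":
    print("leaky:", scan_recovery_endpoint(recover_password_leaky))
    print("hardened:", scan_recovery_endpoint(recover_password_hardened))
```

Running the scan against the leaky handler reports both issues; against the hardened one it returns an empty list. The same two checks apply to the registration form, and a real scanner would also compare response timing, which this example does not model.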
In financial services and other sensitive industries, regulators require that a Pentest be done after any major change is made to a site or network. This is expensive and places a heavy burden on the network or site owner. In industries that are not so heavily regulated the same principle applies, but the overhead in time and money isn't realistic, especially where changes are being made frequently or even daily.
Vulnerability scanning can be used as a cost-effective stopgap to check for low-hanging-fruit issues such as these whenever changes are made, so that confidence can be maintained that no issues have been introduced between Pentests. The only alternative is to have a tester on staff, which is a great expense to bear.
Penetration Testing, or Pentesting for short, is a method businesses and organizations use to confirm that the cyber security protections they have in place are effective. Known as offensive security, it involves using a third-party consultant to test the organization's security by attempting to breach it in the same way a real hacker would. The main difference is that when the consultant is finished they don't steal the data; instead they provide a detailed report explaining exactly how they were able to compromise as much as they did and how best to go about fixing it. This means that when a real hacker comes along they aren't able to do the same things.
There are restrictions placed on Pentesters which ensure that only non-destructive tests are attempted, and close communication with the organization being tested is of critical importance. This places a slight caveat on the effectiveness of Pentesting, because a real attacker will not be concerned about doing damage, only about achieving their objective. A Pentester places primary importance on doing no damage and then tests as well as they can within those confines.
Typically the main areas that receive attention from Pentesters are networks, networking equipment and websites. These are the parts of businesses that change regularly, and when changes are made it's important to be sure no vulnerabilities have been introduced. Bringing in the Pentester to confirm in practical terms what vulnerabilities are present and what data can be accessed is an effective method of confirming what data is exposed and what an attacker might be able to do with it.
Depending on the sensitivity of the data being protected, Pentesting is normally carried out either every year, every 6 months, or after every major change made to the network or website.
There are 3 main reasons that companies tend to get a Pentest:
1. Testing is required as part of a regulatory regime that binds the organization, e.g. ISO 27001, HIPAA or FFIEC.
2. In order to attract larger clients. Breaking the ceiling on the next level of clients often requires greater adherence to, and confirmation of, best practices.
3. The company is concerned they don't have clarity on exactly where cyber attacks are likely to come from and they want to get ahead of the potential damage a data breach could cause.
With the introduction of the GDPR regulations in 2018, things changed in a big way for companies that control data: since 2018 there has been an additional threat to businesses beyond the reputational damage associated with a data breach. This comes from the Information Commissioner's Office (ICO) itself, in the form of potential fines of up to 20M Euros or 4% of global turnover (whichever is greater). This means that businesses that experience a data breach must report themselves to the Information Commissioner's Office and may well be fined for not protecting their customers' and employees' data. To date the largest fine issued by the ICO was to WhatsApp, for 225M Euros.
With the well-publicized increase in ransomware and phishing attacks, combined with the potential to be fined by the ICO, the risks for all businesses that don't invest in cyber security are clear. Travelex was a world-famous foreign exchange company until they experienced a ransomware attack in 2020. Since then the reputational damage of this attack has forced the company into administration.
There are, however, myriad options and service providers to choose from, and selecting the right provider can seem like a major project in itself.
Choosing the right provider depends on a number of factors, but the main one is how far into cyber security testing the organization already is. If you already have Pentests regularly and have eliminated most or all of the low-hanging fruit in your estate, you may be ready to move some of your Pentesting budget towards more specific security tests such as phishing attack simulations. If, on the other hand, you've never had security testing done, then you will likely get more value from focusing your budget on identifying low-hanging fruit and honing your deployment methods to ensure these issues are caught and fixed before go-live.
Hacking forums go back to the very early days, when hacking was all fun and games about defacing your friend's website or proving to them that your attacking skills were better than their ability to harden their website.
Now hacking is big business!
Hacking forums still exist, and attackers use them to share knowledge and skills openly with the objective of helping each other attack innocent businesses and individuals and make money by illegal means.
Defending yourself on the internet has never been so difficult!
All the current trends suggest it's only going to get more difficult, as attackers increase in number and upskill at the same time.
It’s never been easier to become a successful attacker on the internet than it is now. There is abundant training, and attack methods are shared openly. Just check YouTube for endless examples.
Defending has always been harder than attacking. As a defender you have to be right all the time. As an attacker you only have to be right once.
It’s well recognised that you should never write your own encryption, even if you’re the greatest mathematician the world has ever known. It’s impossible for one person to see all the angles.
This is why the encryption methods used in all areas of life are ones that have been made public and peer reviewed over years.
PGP is still one of the most secure methods of transferring sensitive data, and it has been around since 1991. It will be considered secure until someone manages to break it, which eventually they will. This is inevitable.
For the same reasons that encryption methods require peer review, defence methods are most effective when they're made public and peer reviewed.
No one person can see all the angles, and what might seem unbreakable from one perspective may be vulnerable from another. Peer review is the best method of validating your methods to be sure they’re effective in all the contexts you require.
Defence is most effective when it’s collaborative.
For this very reason we have joined https://www.info-sec.live/. This is a safe space where CIOs and anyone with responsibility for the security of their organisation can meet to discuss their security methods and to get feedback from us and other experts on how those methods might be improved or adjusted.
If you’re serious about securing your organisation, this is a good place to find the advice and support you need.
We hold live messenger meetings weekly featuring guest experts, so you can safely question your own assumptions and actively improve your security posture.
I help business owners secure their websites and networks through vulnerability scanning and manual Pentesting. A secure business is one that can weather the challenges of 2021. Are you secure? If you don’t know, then I can help you. Book a free consultation and UP your security NOW.
#pentesting #cybersecurity #training #data #BetterTogether
Start scanning your projects for free. You will get a free breakdown of your security status. Start securing your future now.