Updated: Jul 26
Cybersecurity breaches and other incidents have become increasingly frequent and more impactful over the last year. In a recent high-profile information security breach, Russian state-sponsored cybersecurity criminals hacked into a large number of government agencies and major corporations, including the U.S. Department of Defense (DoD) and Microsoft, by leveraging vulnerabilities that existed in very popular and widely adopted SolarWinds remote access solutions. Attackers compromised a SolarWinds update server, and replaced legitimate updates for SolarWinds remote access software with a modified version (supply chain attack), obtaining a backdoor into the network of the target organizations that installed it.
Though penetration tests can't help thwart such sophisticated attacks, they can make them much harder to pull off.
The SolarWinds scenario highlights the top 3 reasons why organizations should get regular penetration tests performed on their external and internal network today.
Top 3 Reasons Why Organizations Should Get Regular Penetration Tests Today:
Independent analysis from industry experts
Remediate/mitigate the most common attack vectors
Be as best prepared as possible for future threat scenarios.
1. Independent analysis from industry experts
Penetration tests can help uncover system and service misconfigurations caused by sensitive services and information being inadvertently or carelessly exposed to the Internet. Such misconfigurations are very dangerous and can often lead to a security breach.
For example, if the client organization exposes services such as RDP (Remote Desktop Protocol), FTP (File Transfer Protocol), or Telnet to everyone on the public Internet, and it also uses weak password, default credentials or doesn't enforce multi-factor authentication, malicious actors could manage to break in through attacks such as brute force, credential stuffing, or password spraying. Once hackers have taken over such services, they can access the internal network and compromise it.
These cases are quite common. A simple search performed on Shodan, a very powerful search engine, can demonstrate the capability to search the Internet for vulnerable connected devices such as ICS (Industrial Control Services), webcams, IoT devices, security cameras, and more.
At the time of this writing, a quick search for RDP returned the data of 183 organizations that are exposing their Remote Desktop Protocol service to the Internet. Shodan also retrieved screenshots of the related login pages for such targets, sometimes displaying valid usernames and domain names that can be used for further exploitation.
None of the above protocols should ever be exposed to everyone on the Internet. If such services are needed externally, access should be allowed only from specific trusted IP addresses based on firewall rules, access control rules, or VPNs. If these best practices are overlooked, the breach is already around the corner.
These issues are quite common and can be exploited by a determined attacker if an organization's security posture is not implemented correctly.
2. Remediate/mitigate the most common attack vectors
Regular penetration tests can help an organization remediate/mitigate the most common attack vectors, making it harder for hackers. Some of the common attack vectors that hackers use to exploit an organization’s network can be related to:
Problems with the source code of a web application: Input validation (e.g., XSS, SQL Injection, Local File Inclusion, Remote File Inclusion, Directory Traversal, Command Injection) or access control (e.g., a non-admin user can access data and functionalities that should be reserved to admin users only, etc.)
Missing security updates and/or outdated/end-of-life operating systems and software components: In the worst-case scenario, these issues can often lead to remote code execution and the underlying vulnerabilities may also be an easy target for exploitation. In fact, for specific widespread vulnerabilities, such as BlueKeep or EternalBlue, public stable exploits are often readily available within the Metasploit Framework.
Misconfigured/unnecessarily exposed services: This includes services unnecessarily exposed to the internet running under a privileged user account, configured with lax permissions (e.g a non-admin user can write to the folder where a program is stored), default credentials, and more.
A professionally conducted penetration test can uncover such common vulnerabilities and help the client organization remediate/mitigate them before threat actors can hack in. For this reason, when follow-up remediation and upgrade plans are implemented, regular penetration tests may help an organization have a more solid security posture.
3. Be as best prepared as possible for future threat scenarios
Regular penetration tests can help the client organizations assess how their security baseline changes over time and highlight current situations that might potentially determine issues in the future.
For example, let's imagine a specific scenario: a penetration test detected that a specific host is running a version of Apache server that will soon reach the end-of-life stage (will be soon unsupported and discontinued). If the vendor provides related updates and/or patches ahead of the deadline, the target organization can install them resulting in the organization proactively remediating the problem before it even constitutes a threat.
Additionally, when a secure code review is included in a penetration testing engagement, it can discover potential bugs in a web application’s source code. This can aid in identifying vulnerabilities and help remediate them to mitigate future exploits. When organizations lose track of their overall vulnerability exposure, they might have to face costly security breaches.
It has been estimated that "it costs three times more to clean up an incident than to prevent one".
After an incident response takes place, the target organization will often have to face a downtime period that would be needed to conduct a forensic analysis and reconstruct the affected servers. This can be very costly and might not necessarily lead to effective results. Moreover, the longer the time needed to start the incident response procedure the longer the time available for attackers to exfiltrate sensitive data and cover up their tracks.
The average cost of a data breach in the United States has increased in 2020 ($8.64 million) compared with 2019 ($8.19 million), as shown by Ponemon Institute’s Cost of a Data Breach Report.
So what choice will your organization make?
Will you choose a penetration test today or an incident response tomorrow?
Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.