Nexor is proud to be a sponsor of the East Midlands branch of the Institute of Information Security Professionals (IISP). The IISP arranges events that provide industry security professionals with opportunities for networking and professional development.
On Tuesday 25th June, the IISP East Midlands ran its second quarterly meeting in 2019. Over 20 security professionals joined to collaborate and discuss the latest news surrounding Common Issues found when Penetration Testing.
The agenda for the evening was:
- A talk from Paul Sutton, Senior Security Consultant from Redscan, on common vulnerabilities discovered during various infrastructure and web application pen tests.
- A discussion on how scenario-based penetration testing engagements can be used to complement traditional testing.
- As security professionals, what can we learn from this?
- What is your experience of penetration testing and vulnerability scanning? What has worked well/what has not worked well?
- What can we do to ensure our organisations/customers do not suffer from common issues?
Scoping of a penetration test is crucial. To write your scope, the questions you need answers to are:
- What objectives is the penetration test meant to achieve?
- Why is a penetration test the best option for achieving those objectives?
- Is the aim to discover as many vulnerabilities as possible or to gain a better understanding of how an attacker might attempt to compromise your business?
- How will you prioritise which vulnerabilities to address?
Ensuring that you have answers to these questions will help provide a suitable scope. If the scoping is wrong the test will not provide the answers you are looking for and the exercise may well end up having to be repeated.
Don’t rush deployments
Deadlines and costs apply to infrastructure deployments as well as web application or service development. People cut corners when under pressure just to get the job completed. When infrastructure deployments are rushed, systems aren’t always configured securely. Maintenance processes to keep systems patched are also neglected. This results in more work being required later when rounds of penetration testing are being carried out.
Support for legacy protocols and services
Businesses lose track of the protocols and services that their systems and applications rely on, and then leave legacy services enabled for fear of breaking business-critical systems. This exposes them to attacks that are widely known, well researched and developed. We would advise you to investigate which legacy services and protocols your systems use and seek to update or remove them.
Don’t rely on preventative security
Businesses often rely on hardened perimeter defences to protect their internal environment, on the assumption that attackers won’t get there due to their outer security layer. Attackers simply bypass these controls by attacking employees directly via social engineering. This puts them in a position to exploit the much weaker internal estate. Having the ability to obtain visibility inside a network is vital.
Foster secure software development
Many of the common issues found as a result of penetration testing are the result of misconfiguration. There can be many reasons why this happens, but one factor is the increase in the use of Agile Development. Projects are under pressure to deliver their sprint activities, and as such, security concerns may not be addressed at the time, with the idea that they will be picked up at the end of the project. Unfortunately, this rarely happens, resulting in a system going live with vulnerabilities due to misconfiguration issues. Creating a culture where your staff think about security at all stages of their projects will help prevent this problem from occurring.
Conduct Scenario-based engagements
Scenario-based engagements are increasingly being used to complement traditional penetration testing. Whereas traditional assessments are most often Grey Box and focused on testing a system or application in isolation, scenario-based tests are Black Box in methodology and designed to test the relationships and dependencies between different systems and environments. For this reason, they are viewed as a more realistic type of assessment.
Security Is Continuous…
Attackers do not work in financial quarters. If penetration testing is vital to your business, then make sure your testing regime does not fall foul of any financial constraints, for example, year-end. Attackers will be probing your infrastructure every day of the year and you need to constantly be ready to defend against them.
The IISP run quarterly meetings in the East Midlands – contact us to learn more.
Open to all security professionals – members or not!
Author Bio – Sarah Knowles
Sarah Knowles is Nexor’s Senior Security Consultant. Her formal credentials include being an NCSC certified Senior Security and Information Risk Adviser, an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Member of the Chartered Institute of IT. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.