White hat hackers see companies at their worst. It is, after all, their job to expose weaknesses. Network World Editor in Chief John Dix recently chatted with penetration testing expert Josh Berry, Senior Technology Manager at Accudata Systems, an IT consulting and integration firm based in Houston, to learn more about the attack techniques he encounters and what he advises clients do to fight back.
Let’s start with a thumbnail description of your company’s white hat team.
Most of us do a little bit of everything, but it involves anything from internal and external vulnerability assessment to network penetration tests, web application tests, penetration tests for mobile applications, wireless testing and social engineering as well. We also have a compliance side of the practice that handles more PCI-DSS, HIPAA, those kinds of things.
Background-wise, we typically all have a CISSP, the de facto standard security certification, and then on the penetration testing side, I’m an OSCP, which is Offensive Security Certified Professional, which is fairly well regarded for our particular niche. They give you access to a lab and you have to penetrate so many systems within 24 hours and then write a report.
Who typically hires you folks?
We are typically engaged by the IT department, whether it’s information security or another group. A large percentage of our assessments are driven by compliance needs to validate security controls for, say, the credit card industry’s data security standard or HIPAA or something else like that. They understand the purpose and goals and there isn’t a lot of explanation needed.
Do you also get brought in after a breach?
That can happen. Say a customer has had a breach and has taken steps to add more security layers and additional controls. Once those are installed, a lot of times they’ll engage an organization like Accudata to perform testing to validate what they’ve put in place.
We had a banking customer, for example, engage us to perform a mobile application assessment before they made it available to customers. We went about testing it and found a flaw where an attacker, had they pushed out this application prior to having it tested, would have been able to transfer money from anyone’s bank or credit card to their own bank or credit card, and they could have done that for every customer in the environment if they wanted to. We see that a lot, where testing is performed before a system goes live, so we can help find an issue before an attacker has the opportunity to.
What size organizations typically hire you?
It really depends on the company’s compliance requirements. If they accept credit cards as payment for any product or service, it’s a requirement, regardless of their size. But most of our customers are in the mid to large size.
Do you ever approach an engagement on a stealth basis, or are you always out front with it?
That really depends on the maturity of the organization. There are a lot of things you can get out of penetration tests. For those with less mature security processes, they’re really just looking to find vulnerabilities someone can use to access their systems or data. But for a more mature organization, they might also want to test their ability to detect and respond. In those cases it’s usually more stealth, where we are trying to be slower and quiet and not intentionally set off any alarms.
We’ve been banging on security for a long time. When you do this for a large organization, are things more or less buttoned up and are you increasingly looking for smaller holes?
Most organizations’ external perimeter is pretty buttoned up. But once you make it inside it’s still pretty weak. It’s a pretty quick operation to go from social engineering to exploiting somebody’s workstation, to pivoting in the environment and escalating all the way to an administrator who can access anything.
But the perimeter is more secure, applications are being developed more securely, developers are more knowledgeable about different types of classes of attacks and how to use tools to prevent those. Most organizations still struggle to patch clients, which can be attacked using phishing or other social engineering techniques. They struggle to patch third-party applications throughout the environment. So we still see vulnerabilities we can use to get in, and once we’re inside we can escalate access through third-party applications.
Another very common way we get in is finding a system or application or device that has a default or a weak password. Large organizations tend to miss a system here or there and forget to change that one default admin account password.
Given the environments that you test, would you agree with the idea put forward by some that most organizations have already been breached, that they already have malware inside?
Yes. If they haven’t been breached, it’s just because they have stayed off the radar and there are better targets, or they don’t have anything of enough value for an attacker to take the time to bypass their defenses. Through social engineering, every organization is susceptible to being attacked and having a significant compromise.
The growing trend is to get better at detecting and responding, to have the mindset that, “At some point we’re going to be breached or we probably have been, so let’s get better at identifying the indicators of compromise and shut those down before it becomes a problem.” That’s something we’re providing more and more of versus just finding this and that vulnerability.
Is social engineering the most common type of attack these days?
Yes. In the wild, the most common attacks would be social engineering, typically involving some sort of email phishing campaign where the attacker sends an email that looks like it’s from a legitimate organization, or maybe from the company itself, and gets a user to click on a link. That link either asks them to type in their user name and password or opens up a document or something else that exploits the workstation, and then the attacker goes from there. That’s what is typically used in ransomware attacks. The human element tends to be one of the hardest things to secure.
We do social engineering testing as well. For example, we had another banking customer and we had 100 users in scope for a phishing attack. We planned out the scenario, set up the website and crafted the email and sent it out to the 100 users, and then we started tracking who was clicking on it, who was logging in. We quickly got over 100 users. Not everyone clicked, but some of the employees thought what we were proposing was great and forwarded it to others. We actually had something like a 150% success rate. That just shows you.
Come on, 150%?
The percentage rate for clicking on the original email was probably closer to 50%. On most engagements we see 25%-30% actually log in so we can capture credentials, and maybe 20% go through the entire process. Still, in a large organization that’s a really high percentage of users.
That’s amazing. What do you recommend to combat that? There’s this discussion about whether security training works, but what do you folks advocate?
We certainly advocate providing additional training and what indicators to look for, but there is only so much you can do to train your employees. Their jobs aren’t security. Their jobs are in accounting or whatnot, so they can’t be experts in security. So we also try to give some practical things that can help either prevent or detect these types of attacks.
For example, in our tests we often send an email that appears to come from another employee in the company. One of our consultants has had a lot of success with an email that pretends to provide a link to a spreadsheet with everyone’s salary. That’s always good click bait. So we recommend they train employees about what an email from accounting is going to look like. And train them that, if they get an email from accounting, it is never going to contain a link. You tell them to access the accounting page directly.
Also, a majority of mail servers won’t allow us to send an email that comes from their own domain, so usually what we do is change it slightly. If it’s company.com we change it to company1.com. So we tell customers to train employees to look at the domain of the company.
What are corporations most worried about losing?
Right now I think most organizations are most concerned about ransomware because it can be fairly devastating. If a couple users of important shares get infected and everything within those shares gets encrypted and you have a poor backup program, that can have a huge impact on the business.
You would think that most companies would have adequate backup plans so this wouldn’t be much of an issue.
We’ve seen a little bit of everything with backup plans. A lot of organizations have a decent backup strategy in place, but it’s still a big headache and really slows the business down if you have large amounts of files and shares that get encrypted, and now you have to go restore all these things and test and make sure the restore went well, etc. It definitely slows business operations down tremendously. I don’t know that we’ve had any customers pay a ransom, but I’m aware of organizations that have, some with success and some that pay and still get nothing out of it.
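The lookalike-domain check Berry describes (company.com versus company1.com) can also be applied on the mail gateway rather than left to employees alone. The following is an added example, not Accudata’s code or anything from the interview; the organisation’s domain and the sample From: headers are constructed.

```python
"""Flag inbound mail whose sender domain is a lookalike of the organisation's own domain.

Added illustration of the "company.com vs company1.com" check from the interview.
OWN_DOMAIN and SAMPLE_FROM_HEADERS are constructed for the example.
"""
from __future__ import annotations

import re

OWN_DOMAIN = "company.com"  # assumption: the organisation's real mail domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Payroll <hr@company1.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def is_lookalike(domain: str, own: str = OWN_DOMAIN, max_distance: int = 2) -> bool:
    """True when the domain is close to, but not equal to, the organisation's domain."""
    if not domain or domain == own or domain.endswith("." + own):
        return False  # the real domain and its subdomains are not lookalikes
    own_label, _, _own_tld = own.rpartition(".")
    label, _, _tld = domain.rpartition(".")
    # Same label on another TLD (company.co) or a near-miss label (company1.com, cornpany.com).
    return label == own_label or levenshtein(label, own_label) <= max_distance


def flag_messages(from_headers: list[str]) -> list[str]:
    """Return the sender domains, in order, that look like our own domain."""
    return [d for d in (sender_domain(h) for h in from_headers) if is_lookalike(d)]


SAMPLE_FROM_HEADERS = [  # constructed sample headers, not real mail
    "Accounting <payroll@company.com>",
    "Accounting <payroll@company1.com>",
    "HR <hr@mail.company.com>",
    "Vendor <billing@acme-supplies.com>",
    "Accounting <payroll@company.co>",
]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{h!r}: lookalike={is_lookalike(sender_domain(h))}")
```

A flagged message is a candidate for quarantine or a visible banner, not proof of phishing; legitimate partners with similar names will need an allow-list.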