Companies commission penetration testing to find holes in their corporate network before attackers exploit them. Beyond a solid security assessment of the network, it can also help a CISO check whether the company’s security team is ready to handle network security breaches.
Penetration testing can be announced or unannounced. To find out whether the security department is ready for action, a CISO should consider unannounced testing. Otherwise, the exercise will resemble an exhibition performance rather than day-to-day security assurance.
The source of information
A CISO can gauge the security department’s overall qualification from a penetration testing report, more precisely from the vulnerabilities it describes. No network is vulnerability-free, yet there are several easily exploitable vulnerabilities that a well-managed network shouldn’t have. Their presence in a penetration testing report suggests that the company’s security professionals lack the expertise needed to keep the corporate network reasonably secure. This means the company is not only exposed to the most trivial cyber threats, but is also wasting money on the extra work the penetration tester has to spend on them.
Network vulnerabilities that shouldn’t be there
Below, we describe trivial vulnerabilities that vigilant security professionals would not miss. If a penetration testing report features these security holes, the competence of your security staff is highly questionable.
Missing security patches
- Operating system patches.
Timely OS security patches close a large number of severe vulnerabilities that attackers can exploit with little effort. Remember the notorious WannaCry attack? This ransomware wreaked havoc on hundreds of thousands of computers in 150 countries in May 2017. The attack targeted Microsoft Windows vulnerabilities that up-to-date patching would have closed.
- Application patches.
While many organizations do keep their operating systems updated, applications often stay on the sidelines of security attention. However, application vulnerabilities can be no less devastating. Think, for instance, of the 2003 SQL Slammer attack, when a highly contagious computer worm caused a denial of service on some internet hosts and infected 75,000 victims within minutes. The worm exploited a buffer overflow bug in Microsoft SQL Server and Desktop Engine database software. The patch remedying the Microsoft vulnerability had been released six months earlier, but most organizations ignored it.
All applications, from enterprise databases to desktop apps, require adequate patching. This practice not only closes known application-related vulnerabilities, but also makes penetration testing more efficient, leaving more time for identifying sophisticated security flaws and thus saving the company money.
With the sheer number of OS and application patches available, security administrators may find it hard to keep up with the latest ones. In this case, CISOs should make sure their security teams use automated update tools, for example FileHippo Update Checker, Update Notifier or Windows Server Update Services (WSUS). A conscientious security professional does not merely install an update tool and pass the patching buck to it, but also regularly checks for the latest patches. Besides, he or she verifies that patches were installed successfully: whether a patch has been applied according to the registry, whether a reboot is required to complete the installation, and whether the correct versions of the .dll and .exe files are present.
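The three post-install checks just listed (registry record of the update, pending reboot, binary version) as a single PowerShell verification script. This is an added example, not code from the article; the KB number, file path and expected version are placeholders to be replaced with the values from the vendor advisory.

```powershell
# Added example: verify that a patch is really applied on this host.
# KB id, binary path and expected version are placeholders (assumptions), not values from the article.
param(
    [string]$KbId         = 'KB0000000',                               # placeholder
    [string]$BinaryPath   = "$env:SystemRoot\System32\example.dll",    # placeholder
    [version]$ExpectedVer = '10.0.0.0'                                 # placeholder
)

$result = [ordered]@{ KbInstalled = $false; RebootPending = $false; BinaryVersionOk = $false }

# 1. Is the update recorded as installed? Get-HotFix reads the installed-updates
#    information the registry/WMI exposes.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
$result.KbInstalled = [bool]$hotfix

# 2. Is a reboot still required to finish servicing? Component Based Servicing and
#    Windows Update create these keys while a restart is outstanding.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$result.RebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

# 3. Does the binary on disk carry at least the version the patch ships?
#    Build the version from the numeric parts to avoid parsing vendor suffixes in FileVersion.
if (Test-Path $BinaryPath) {
    $vi = (Get-Item $BinaryPath).VersionInfo
    $onDisk = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $result.BinaryVersionOk = $onDisk -ge $ExpectedVer
}

[pscustomobject]$result
if (-not $result.KbInstalled -or $result.RebootPending -or -not $result.BinaryVersionOk) {
    Write-Warning "Patch $KbId is not fully applied on $env:COMPUTERNAME; do not close the patching ticket yet."
}
```

Run it per host (or via remoting) after the update tool reports success; a report that says "installed" but a still-pending reboot or an old file version is exactly the gap a penetration tester will find.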
Unused network services and protocols enabled
Frequently, penetration testing exposes vulnerabilities in network services that were overlooked and left enabled, even though they are both unused and unpatched. For example, unpatched vulnerabilities in management services such as Hewlett Packard’s System Management and Dell Inc.’s OpenManage often serve as entry points into a corporate network.
Unused network protocols pose a similar threat. Responsible security professionals disable remote management protocols such as Telnet or Remote Desktop Protocol (RDP) when they are not in use. The same applies to NetBIOS and Link-Local Multicast Name Resolution (LLMNR), two old broadcast protocols that Windows XP and Windows Server 2003 use for backward compatibility. Leaving these legacy Microsoft tools unattended increases the attack surface.
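An audit of the legacy protocols and remote-management services named above, with optional remediation, as an added PowerShell example (not code from the article). It assumes an elevated session; the -Remediate switch is this script’s own parameter, not a Windows setting.

```powershell
# Added example: find (and optionally disable) LLMNR, NetBIOS over TCP/IP and Telnet,
# and report whether RDP is enabled. Run elevated. -Remediate is an assumed script switch.
param([switch]$Remediate)

$findings = @()

# LLMNR: the DNSClient policy value EnableMulticast=0 turns it off.
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings += 'LLMNR is enabled'
    if ($Remediate) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# NetBIOS over TCP/IP is set per interface: NetbiosOptions 0 = from DHCP, 1 = enabled, 2 = disabled.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($if in Get-ChildItem -Path $ifRoot) {
    $opt = (Get-ItemProperty -Path $if.PSPath).NetbiosOptions
    if ($opt -ne 2) {
        $findings += "NetBIOS over TCP/IP is not disabled on $($if.PSChildName)"
        if ($Remediate) { Set-ItemProperty -Path $if.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
    }
}

# Telnet server (service name TlntSvr) should not be running on a managed host.
$telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
if ($telnet -and $telnet.Status -eq 'Running') {
    $findings += 'Telnet server is running'
    if ($Remediate) { Stop-Service -Name TlntSvr; Set-Service -Name TlntSvr -StartupType Disabled }
}

# RDP: fDenyTSConnections = 0 means remote desktop connections are allowed.
# Reported only; whether RDP is "in use" is a policy decision, so it is not changed here.
$rdp = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
if ($rdp -eq 0) { $findings += 'RDP is enabled (fDenyTSConnections=0); confirm it is actually needed' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No unused legacy protocols or services found' }
```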
Default or weak passwords and unprotected password files
Ensuring password strength should be obvious to information security professionals. Nevertheless, penetration testing reports persistently reveal password-related vulnerabilities. The most common issues:
- Using default passwords. For example, older versions of Microsoft SQL Server create an administrator account with the password “password.”
- Using weak passwords (shorter than 7-8 characters, or without special characters or numbers).
- Storing SAM (Sequence Alignment Map) files in a well-known location. To crack Windows passwords, an attacker needs the hashes stored in the Windows SAM file, which usually sits in one of a couple of widely known locations (C:\WINDOWS\repair or C:\Windows\System32\config). These files deserve a more obscure location, as they contain key security information.
How your security specialists treat password policy shows how professional they are. All management accounts should have strong passwords that are reset on a regular basis.
Unrestricted access to common attack targets
Security administrators may forget to restrict access to common network targets such as web GUIs, video conferencing logins, application backdoors, FTP services, private APIs, remote control interfaces, Telnet and SSH. That gives a penetration tester, and hence an attacker, a variety of network access points to compromise, and casts doubt on the security staff’s professionalism.
On a final note
Penetration testing helps a CISO assess the competence of a security team by revealing common vulnerabilities. Scrupulous security staff would address these vulnerabilities before penetration testers have to spend extra time identifying them. This serves as an indicator of the security employees’ efficiency, as timely patching saves a company money on excessive penetration testing.