Testing the resilience of IT systems can help businesses prevent hacking attacks
Ken Munro, partner at Pen Test Partners
The best way to test whether your organisation is secured against a hack is to try to hack it yourself.
A couple of lower-profile hacks have caught my attention over recent weeks. Lost in the melee of Sony and others was the website defacement of a security consultancy called Black & Berg, a respected US-based operation.
One of the directors had tweeted to thank the LulzSec group of hackers for all the new business that their activities were netting the company.
“Your hacking = clients for us,” it went.
Black & Berg put out a challenge for anyone to hack its own site and change the homepage – in return for a £10,000 prize and a job at the firm.
LulzSec duly obliged, but spurned the cash and job.
The defacement looked to be the result of a ‘zero day’. This bothered me: the site is likely to have been well secured by security professionals, yet it was still compromised.
I guess that after the incident at HBGary – showing that a little online social engineering plus a basic vulnerability in a website's CMS could lead to a highly embarrassing compromise – it was even more likely to have been secured.
It also seems that anyone in the security world prepared to put their head above the parapet has become fair game: HBGary for investigating the membership of Anonymous; Black & Berg for bragging about the extra business it was getting.
It made me think again about our own security, and I hope that you are doing the same. Are the current processes for evaluating the integrity and security of your networks and data actually doing the job?
Most organisations will test their DR operation, sometimes to the point of pulling the plug on a key internet feed, or even simulating that a critical office building is inaccessible. I have seen great examples of DR exercises, some so real that they are almost scary.
There is no better way of working out if you're ready for a real incident.
Why not then go a stage further? Why not subject oneself to a simulated hacker attack? Not the rather limited penetration tests and lame automated tools that you are probably used to. Do something real. Find out if you are ready.
Test your people and systems: go find some malware (be careful: use a sandbox, and make sure you have permission!) and send it in to your organisation. See if your defences are actually working.
Then, try some of the virus and malware code obfuscation tools, and try it again. Try your obfuscated code on VirusTotal to see if any of the scanners pick it up.
Next, try a bit of phishing. Have a go at gathering the email addresses of your colleagues using online resources. $99 for a premium account on LinkedIn is well worth it – you'll get everyone at your business who is registered, without needing to connect to them directly.
Scrape copies of your remote access sites (SSL VPNs, OWA/OMA, etc) and corporate web apps. Host them at a similar URL to the real thing, and send out some mails to see if you can get users to disclose creds and other useful information.
Whether you succeed or not, the most important point is to see if anyone noticed your ‘attack’.
Did they notice? Did they do anything?
Did it get escalated? Did your fake sites get blocked at outbound proxies?
How long did they take to block – a few minutes, a few hours or not at all?
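One way to answer the timing questions above from outbound proxy logs after an authorised exercise, as an added example that is not part of the original article. The log format, the domain name and the function names are assumptions made for illustration, and the sample lines are constructed.

```python
from datetime import datetime

# Constructed outbound-proxy log lines (the format is an assumption, not from the article).
SAMPLE_LOG = """\
2024-01-15T09:02:11Z user=alice dst=intranet.example.test action=ALLOW method=GET
2024-01-15T09:05:40Z user=bob dst=remote-access.exercise.test action=ALLOW method=GET
2024-01-15T09:06:02Z user=bob dst=remote-access.exercise.test action=ALLOW method=POST
2024-01-15T09:31:15Z user=carol dst=remote-access.exercise.test action=ALLOW method=GET
2024-01-15T11:47:09Z user=dave dst=remote-access.exercise.test action=BLOCK method=GET
2024-01-15T11:52:30Z user=carol dst=remote-access.exercise.test action=BLOCK method=POST
"""

def parse_line(line):
    """Split one log line into a timestamp and its key=value fields."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def score_exercise(log_text, test_domain, sent_at):
    """Report whether the exercise site was blocked, how long that took, and who got through first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = sorted((e for e in events if e["dst"] == test_domain), key=lambda e: e["time"])
    blocks = [e for e in hits if e["action"] == "BLOCK"]
    allowed = [e for e in hits if e["action"] == "ALLOW"]
    first_block = blocks[0]["time"] if blocks else None
    minutes = None if first_block is None else (first_block - sent_at).total_seconds() / 60
    return {
        "blocked": first_block is not None,
        "minutes_to_block": minutes,  # None means "not at all"
        "users_reached_site": sorted({e["user"] for e in allowed}),
        # A POST that the proxy allowed suggests a form was submitted before the block.
        "users_submitted_form": sorted({e["user"] for e in allowed if e["method"] == "POST"}),
    }

if __name__ == "__main__":
    sent = datetime(2024, 1, 15, 9, 0, 0)  # constructed time the test mails went out
    for key, value in score_exercise(SAMPLE_LOG, "remote-access.exercise.test", sent).items():
        print(f"{key}: {value}")
```

A result of `None` for `minutes_to_block` corresponds to the "not at all" case, which is the finding most worth escalating.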
Then, how about having a bit of fun on your internal network?
Internal network security is just as important as perimeter security these days. Fire up a scanner without telling anyone in general IT or security operations (obviously, get senior-level approval first) and see what happens.
Again, did anyone notice? If not, then what hope have you got of detecting a high-grade, targeted attack?
If there's one good thing to come out of all this high-profile hacker activity, I hope it's that board members now have the appetite for genuinely testing the resilience of their IT systems.