Daniel J
A short introduction to Penetration testing

As technology continues to grow and becomes a more and more integral part of our lives, so grows the need to keep that technology secure and safe for consumers. Whether it's Wi-Fi-connected cameras in our homes being tapped into, or data transmitted between companies being intercepted, cyber security remains paramount in our day-to-day lives to protect us from these insidious possibilities. We are reminded too frequently of how important this is by horror stories of data breaches. As recently as this past week, 23andMe had a data breach that is affecting millions of its users, with their profile information listed for sale on shady online marketplaces. The information stolen included the users' profiles, gender, email address, photos, date of birth and ancestry information. These sorts of data breaches are a nightmare, and they are not exclusive to consumer companies either. Back in June of 2023, the Louisiana Office of Motor Vehicles (OMV) suffered a data breach that affected every single Louisiana resident with a state-issued driver's license, ID or vehicle registration. The data stolen included names, addresses, social security numbers, driver's license numbers, vehicle registration info, and more. This breach occurred specifically through a popular third-party application called MOVEit, used for transferring large files. Targeting third-party applications that companies around the world pay to license is a common attack vector for people who are trying to steal data.

So what can we do to deal with such attacks?

Penetration testing, also referred to as pen testing, is a simulated cyber attack, typically performed by a company that specializes in it. The simulated attack doesn't always have to be cyber: there are also physical pen testers who are tasked with breaking into a company's facilities and making a physical extraction of data. If you've worked for a company where you have an email account attached to your employment, you have likely experienced a very small-scale form of pen testing in automated phishing emails. As silly as those might seem, they are extremely important in keeping companies secure, as they train employees to identify suspicious emails and attachments. This is especially important since research by Deloitte found that 91% of all cyber attacks begin with a phishing email.

When a penetration testing company sets up an agreement with a client company, they usually have a contract. This contract states the guidelines for the penetration test: where the testers can and can't enter, the information the client would want to see whether they could access (if anything specific), and any edge cases or constraints the requesting company would like to place on them, such as whether the attack should come from a phishing attempt or from exploiting their software or application. The guidelines in the contract ensure that both parties remain safe legally, since it is extremely likely that the testers will be handling sensitive information in their attempted extraction. This step also shapes everything that follows, because it is where the scope of the penetration test is defined.

The next step in this process is open source intelligence, or OSINT, along with choosing the attack vector, contingent on the contract and its constraints. If a company wants pen testers to gain entry solely through phishing attempts, the more specific route would be spear phishing. Spear phishing is the same concept as phishing, but it is tailored to an individual to create believability and induce enough trust that the targeted person feels safe clicking. This works startlingly well: when we recognize an email that seems suspicious, but it includes personal details showing that the sender knows us (or of us), we are more likely to fall into the trap. OSINT comes into play here in a big way. If the email mentions something pertinent to our LinkedIn job interests, all of a sudden this suspicious email surely seems real rather than an attempt at gaining access to our systems. Penetration testers will often have a toolkit of proprietary software to aid in their tasks, along with other pen-testing-specific products that make their job a lot easier. If a pen tester can get their foot in the door and obtain higher-level access through their chosen attack vector, the job becomes a whole lot easier.

Once inside, it can be extremely hard for the IT department to combat the intruder, especially in a blind pen test, where employees are not aware that the company is testing them to see whether they can protect its data. This matters because many penetration tests include maintaining control of the compromised systems to see how long the testers can stay inside and remain unfound, untouched and unnoticed. Depending on the situation, some pen tests call for extraction and then exit, but most of the time a company will want to see how long an intruder could remain in its systems without raising alarm bells.

By the end of this process, whether they're found out or not, the penetration testers compile a report detailing their assessment. This report will usually cover the attack vectors or strategies used, the specific point of entry, what information they were able to take or what damage they were able to cause, and how long they were able to remain in the system without being noticed or removed. It will also include various details and recommendations from the penetration testers, and sometimes even a rating.

Penetration tests are extremely important, invaluable services, as they provide a real-time simulation of a potentially catastrophic and preventable situation. This is obviously a great benefit, as no data is actually being stolen and the systems are not actually in danger. However, if the company does poorly, it is a scary indicator that it needs to instill better practices in its employees or better security measures for its applications.
