SRM Blog

What is the difference between a penetration test and a vulnerability scan?

 

Penetration testing and vulnerability scanning are sometimes confused. After all, they sound as if they might do a similar job. But there are important differences.

Vulnerability scans, also known as vulnerability assessments, check computers, systems, and networks for security weaknesses (vulnerabilities). The benefits of a vulnerability scan are obvious: scans are quick and affordable and, because they are automatic, they can be scheduled to run on a regular basis. To configure a vulnerability scan, you usually set up an account with an automated scanning tool and enter the details of the device (or devices) that you want to have scanned – and off you go.

But beware: vulnerability scans may provide false reassurance. They are a passive approach to vulnerability management, because they don’t go beyond reporting on vulnerabilities that are detected. The scans are generally of a prescribed nature, in that they check for known issues and patches according to a database. They do not tell you how a vulnerability might be exploited, nor how to manage remedial action reliably. By their very nature, they cannot understand or anticipate the complex ingenuity of sophisticated human hackers. A scan simply shows you where your weaknesses may be.

A penetration test, on the other hand, simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities, which is why such tests are sometimes referred to as ‘ethical hacks’. But unless properly scoped by experienced professionals, a penetration test is limited by what it is asked to do, because it cannot think for itself. This is where the value of ‘scoping’ comes in. A correctly-scoped penetration test utilises the most important tool in the penetration test armoury: the human mind. A penetration tester will often start out with a similar set of tools, including a vulnerability scan, but this is where the penetration test deviates and begins to delve much deeper into the security of a network, applications and the underlying operating system.

A qualified penetration tester is able to think laterally, using both training and experience to analyse and synthesise. They will put themselves into the mind of a hacker and have the imagination to anticipate possible future weaknesses. Penetration testers provide a deep look into the data security of an organisation and, typically, their reports are meticulously detailed and contain a description of attacks used, testing methodologies, and suggestions for remediation.

So how should you best use vulnerability scans and penetration tests? Well, ideally, both tests work together to encourage optimal network security. Vulnerability scans are great for a weekly, monthly or quarterly insight into your network security, while penetration tests are a very thorough way to really put your network security under the microscope. Of course, penetration tests are more expensive, but having a professional examine every nook and cranny of a business the way a real-world attacker would may save a great deal of money in the long run.

A Cautionary Christmas Tale


‘Twas the night before Christmas, and all through the house,

Not an iPad was stirring, nor PC or Mouse;

 

The shopping had been done on the internet with care,

In hope that the presents soon would be there;

 

The payments were processed, at least in their heads,

Until they found out their account was in shreds;

 

What should have resulted in toys in gift wrap;

Had led them into an elaborate trap,

 

The fraudsters had found an outdated website;

And changed the checkout so it wasn’t quite right,

 

Away to the next site, Dad went like a flash;

Not knowing his card was in the fraudsters’ stash

 

The website looked fine but ‘twas misdirection;

He’d fallen foul of Sequel Injection,

 

The site wasn’t bad, that should be made clear;

But the standards ignored, no PCI here.

 

With hackers so many, so lively and quick;

The change was so easy, it was done in a click,

 

So please spare a thought, when you next do your shopping,

And check that the site that you found while you’re hopping,

 

Is up to the standard to which we’re reliant;

And make sure it’s one that is PCI compliant.

 

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

Grey Monday

How a correctly-scoped penetration test will future-proof your organisation from real world cyber attacks.

In the aftermath of Black Friday comes Grey Monday. The day of reckoning. Because although shoppers were at their most active on Friday, so were attackers.

If you are confident that your defences held out then you will watch the unravelling news stories with some satisfaction. But you will also be under pressure from stakeholders to ensure that your organisation will continue to protect itself into the future. This cannot be the case if your defences rely on the intelligence provided through automated penetration tests.

Because there is a fatal flaw. Automated penetration tests will only reveal potential vulnerabilities against predictable or automated attacks. They do not allow for the infinite flexibility and agility of a human mind with malicious intent. And in the real world this is your greatest threat.

Simple compliance with industry standards, with or without the use of automated penetration testing technologies, will not provide protection against a motivated and determined human attacker.

So what is the answer? Human intelligence. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are no match for it. For, although automated scans and technologies are invaluable tools, it is the human mind that can think laterally, that can both analyse and synthesise, and that can scope a penetration test so that it is truly effective against the human attacker.

That is why we are offering a free vulnerability assessment to establish a true picture of your potential risks and to identify attack vectors within your specific cyber environment. Simply email us.

On completion of your free assessment you will receive a comprehensive report; the test results will be explained to you by an experienced Information Security consultant. This will provide you with the information required to scope a penetration test which is truly effective.

The Internet of Things and how your doorbell might just be attacking Amazon

We hear a lot about the Internet of Things (IoT) on the web nowadays, and the TV is full of adverts for central heating systems that you can control from your smartphone or tablet. There are Wi-Fi enabled doorbells that contact you on your phone when the postman is leaving you a package at home, and IoT light bulbs and power sockets can be bought at your local DIY store too. It looks as though this is mainstream now, and not just for us techie blokes who like something new to talk about in the pub.

 
The big unanswered question at the moment is: how safe are these things? There have been some horror stories about Wi-Fi enabled baby monitors exposing images of sleeping children to the world, and the most recent case of the Mirai malware found on IoT devices demonstrates just how susceptible any internet-connected device can be to exploitation. In the Mirai case, malware was deployed to various devices globally, but it seems that a large proportion of them may have been IoT devices. The malware was responsible for a huge Distributed Denial of Service (DDoS) attack aimed at the domain name server, Dyn, on October 21st. This in turn disrupted services as far and wide as Amazon, Netflix, PayPal, Twitter and GitHub… serious stuff then, but how on earth did this happen?

To the average user, these IoT devices are just appliances that you plug in and forget about, so how could they be developed into a threat? Well, by their very nature, they are not to be thought of in the same way that I think about my good old-fashioned Dualit toaster. These devices are intelligent and programmable and can be susceptible to malware in the same way as your desktop computer. The same security precautions should be taken to ensure that they do not pose a threat.

 

The Mirai malware turns the infected device into a member of a botnet, a collection of devices that can communicate with one another for various means (the word botnet is derived from the words robotic and network). This piece of malware has been responsible for several DDoS attacks in the last 12 months, but the attack of the 21st Oct seems to have been the most significant in size. It would appear that the number of IoT devices that are becoming infected is on the increase and there is strength in numbers – in fact, botnets rely on this.

 
So, what can be done? Well, it is often hard to tell if your webcam or doorbell has become infected, as it still operates as normal. It might get a bit temperamental at times (but don’t we all). It is important, however, to ensure that the firmware is updated regularly and that any default passwords and accounts are removed upon installation. The malware checks for open default accounts and utilises these to gain control of the device. It has been the advice of many security experts over the years, but now it really does hit home: remove any default accounts and passwords from any device before you intend to use it, and check that the firmware is kept up to date. It might go against the grain to patch your doorbell or your webcam, but it might just be possible that it is launching an attack on a global website whilst you sip your coffee… food for thought indeed!

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

How a CISO can exert influence at board level

Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” As he is perhaps best remembered for his infamous ear-biting antics, he is unlikely to be a role model for many of today’s Chief Information Security Officers (CISOs), but the former heavyweight boxing champion does have a point. The biggest challenge faced by CISOs today is not the need to defend against known risk, but to identify the potential gaps in their own strategy. In short, to intuit what may be the ‘unknown unknowns’.

Because it is not simply a question of rolling with the punches. Like any good boxer, the CISO’s best defence is anticipation. They need to step back from individual skirmishes and establish a strategic defence from potential blows which may not even have yet been considered, even by their opponents. And the most valuable skill they can possess to facilitate this? It is not a heavyweight knowledge of the information security domain, but the ability to influence.

For while protection against known risks can, to an extent, be delegated to the wider CISO team, the senior CISO cannot dodge the essential forward-thinking leadership role required. They cannot simply oversee comprehensive risk analysis, the integration of appropriate security tools and the development of a security culture; they must also ensure that they influence in such a way that priority is given to the organisation’s defensive strategy.

So, in addition to a high level of technical expertise, a thorough understanding of the business model and an ability to mitigate risk, the CISO needs to articulate the state of information security to the company stakeholders and lead employees. They need to do this to ensure that resources are available to defend against the (as yet) unknown. And for this the CISO must possess influence; and that influence needs to be at board level.

Now few would argue with an irate Tyson but in reality his approach is not usually the best model for those wishing to exert board level influence. Influence comes from confidence – both inner confidence and the ability to engender confidence in others. If fellow board members consider the CISO to be fully informed and strategically prepared, they are more likely to listen attentively. If they feel that funding and time are requested in a pragmatic way, with no unnecessary extras, then they are more likely to allocate resources.

The VirtualCISO™, developed by SRM to meet this need, provides CISOs with all the resources and tools necessary to fulfil their role at the highest level. But it also provides strategic guidance from a designated highly qualified industry expert with an excellent knowledge of the wider sector and a detailed knowledge of the businesses with which they are working. Through collaboration and understanding, a detailed and cost effective road map can be developed, arming the CISO with the muscle required for board level influence.