Teri Radichel

Summary

Companies may face unauthorized penetration tests from attackers or security researchers, leading to potential data breaches and significant costs, emphasizing the importance of proactive security assessments.

Abstract

The article discusses the phenomenon of unrequested penetration tests, where companies experience security incidents without having formally engaged a security service. These incidents, often resulting from attackers exploiting vulnerabilities or misconfigurations, can be costly, with the average data breach costing $3.86 million. Security researchers may also conduct unsolicited tests and demand payment for their findings. The article highlights that while automated vulnerability scans are available, they are insufficient compared to manual penetration tests that can uncover more complex issues. It underscores the necessity for companies to conduct thorough security assessments, including cloud and web application penetration testing, to preemptively identify and mitigate risks. The author, Teri Radichel, advocates for a proactive approach to cybersecurity, focusing on preventing breaches rather than merely reacting to them.

Opinions

  • The author, Teri Radichel, expresses a passion for helping companies with their security issues, suggesting that many organizations underestimate their vulnerabilities.
  • There is a clear opinion that the cost of a proactive penetration test is far less than the potential cost of a data breach, which can be exorbitant.
  • The article conveys skepticism about the ethics of some security researchers who exploit vulnerabilities and then demand payment, likened to a form of extortion.
  • It is suggested that companies should not rely solely on automated tools for vulnerability scanning, as these tools may produce false positives and fail to identify architectural flaws.
  • The author emphasizes the importance of manual penetration testing to uncover issues that automated tools cannot detect, such as network segregation problems and architectural weaknesses.
  • The author believes that companies should focus on defensive cybersecurity strategies to reduce the attack surface and prevent breaches, rather than solely focusing on detecting attackers post-intrusion.
  • There is an opinion that the cost of penetration testing services varies widely.

The Unrequested Penetration Test

Vigilante security researchers or attackers may give you a penetration test whether you wanted one or not.


I’ve heard this story from multiple sources, so I thought it was about time to share it. Companies are getting pentests whether they hire someone to perform one or not. In fact, some of 2nd Sight Lab’s penetration test contracts are the result of security incidents like the ones I’m about to describe. Once the company had a security problem, they contacted me to assess their security or help them out with a cloud and web application penetration test. You might want to consider an assessment or penetration test before it gets to that point. I will explain why.

Do you have security issues in your cloud environment?

First, let me tell you that I love being able to help people with security. Don’t think you have any security issues in your cloud environment? In almost every report, 2nd Sight Lab has provided close to or over 100 pages detailing security issues and how to fix them. For a large environment or a broad test scope, the report may be longer, with separate attachments containing the full details of each finding for companies that request them or where they are relevant.

We also provide an executive summary at the top of the report with the most critical issues to fix, because that amount of data can be overwhelming. Although there are almost always many security and configuration issues, usually a few are more critical to address first. We help companies determine what those are and where to start. The most important findings are the ones most likely to lead to a data breach. We try to provide steps to reproduce each problem and can help validate the fixes afterward as needed.

What constitutes an unrequested penetration test?

First, we have the obvious scenario. The company had a security incident that led to a data breach. In this case, attackers gave the company an unwanted penetration test. The problem with this case is that the average cost of a breach is $3.86 Million. Just so you know, 2nd Sight Lab doesn’t charge that much for a penetration test!

What else causes an unrequested penetration test? Security researchers, a debatable classification perhaps, are now scouring the Internet looking for misconfigurations, vulnerabilities, and stolen credentials. In some cases, if these researchers can exploit something in your environment, they will ask you for money. I know of many scenarios where this happened to a company.

The cost of the initial finding might not be that much. Let’s say you pay someone a small fee of $500 to $1500 for that unrequested review of your security. Now the “researcher” knows you will pay money. They will be back. You will receive report after report and a payment request. Now what? In one case, a company paid around $500 for an initial finding. The next report came with a request for $5,000! At this point, you want to start thinking about getting a penetration test. The cost of Uber trying to cover up a breach reported to them in this manner was $148 million in settlement claims, not to mention what they paid the hackers that discovered the problem. The CISO was fired in that case, so we don’t recommend that approach.

What are the main causes of these security incidents?

The IBM report that cites the cost of a breach says employee credentials and misconfigurations are the entry points of choice. Here’s the link to the IBM report if you’d like to read it:

A survey by Sophos on the state of cloud security says the same about the issues involved in many cloud security incidents:

The Verizon Data Breach Investigations Report says web applications were involved in 43% of breaches (Figure 5). The report also states, “this trend of having web applications as the vector of these attacks is not going away.” Your web applications are a gateway into your cloud, leading to potential SSRF (server-side request forgery) exploits, among other things. That’s why it is always good to include a web application penetration test in any cloud security assessment. The intersection of the two has led to some interesting findings, such as one I covered in my talk at RSA earlier this year on serverless security.

Here’s the 2020 Verizon Data Breach Investigations Report:

Find these problems in your environment before attackers do by hiring a qualified penetration testing company to evaluate your environment.

What kind of penetration test or security assessment do you need?

A basic vulnerability scan (which won’t find the types of flaws the companies I worked with received from researchers) would probably cost less than $5,000. Some companies advertise vulnerability scans as penetration tests. This type of scan will use automated tools in your environment to find vulnerabilities but will miss things that require manual investigation and architectural analysis. It’s not a true pentest, but if you don’t even take that step yourself, it may be a place to start.

Each environment is different and may require a bit of reverse-engineering to peel back layers and find a flaw. With over 25 years of experience as a developer picking up someone else’s code, I’m quite used to reverse-engineering systems. An obsession with security helps me think like an attacker to determine ways the system might be accessed. You look at a system and, piece by piece, figure out how it works to try to exploit it. Some types of vulnerabilities will take months of reversing to uncover. I can often tell just by looking at various aspects of a system what might lead to a problem, even if I can’t exploit it within three weeks. Our reports explain what the issues are and the potential harm that could result, along with the actual findings that produced access to data, systems, or credentials.

The automated tools are great for finding simple flaws and for use as a starting point. By themselves, those tools don’t uncover issues with network segregation or architecture, and in a lot of cases they can’t tell whether a finding is actually exploitable. They may produce false positives, a term I cover in my book on Cybersecurity for Executives in the Age of Cloud. Also, some types of flaws insert malicious code that triggers later; a human needs to be there to analyze the results when the attack fires at a future point. 2nd Sight Lab also uses a tool I wrote to automate inserting malicious payloads into websites or application programming interfaces (APIs), a method called “fuzzing.” I often find that I need to adjust and modify the tool and its inputs on each test to get complete coverage, because each web application may work a bit differently.

Penetration test costs vary dramatically by the size of the company and the reputation of the penetration tester. Of course, you want to choose someone you trust to perform the test. If you have already had numerous pentests, you might opt to pay a very high fee to get an elite team to test your environment, and it may be worth it. If you have never had a penetration test before, this could be a costly proposition for finding remedial security issues.

You may also want someone with the skills to test your specific environment and technology, whether cloud, on-premises, or industrial control systems. A big team may have the capacity to inspect any type of technology and a project manager to oversee the test. Some of them perform activities like in-person social engineering and physically breaking into buildings. That will cost you more. You can also opt for a smaller team and more targeted analysis. Your choice will depend on your budget, the size of your company, and your test objectives.

2nd Sight Lab probably falls somewhere in the middle. We don’t charge astronomical rates, have a big team, or use project managers on our penetration tests. We specialize in cloud and application security. We don’t run cheap vulnerability assessments and call them a penetration test. If we do perform one, we call it that. As the principal tester at 2nd Sight Lab, I have top certifications recommended for PCI compliance penetration tests. Our deliverable is a report that includes not only the typical penetration test findings. We also provide an overall assessment of risk factors to reduce the attack surface and minimize the chances of a data breach. We explain what we did and could not test, where we spent most of our time, potential threats, and what might warrant further review at a later date.

Some companies focus on reactive security and how to spot an attacker in your environment. Although we review the use of critical logs and alerts, we tend to focus more on proactive prevention of breaches. I wrote about this approach in a separate blog post on Defensive Cybersecurity Strategies. Reducing the entry points and potential vulnerabilities will help reduce the need for reactionary controls, though that will never go away completely.

For example, on a recent test, we explained to a team how to test for authentication logic flaws by walking through how we did that to find issues with their web application. On another test, we explained how to integrate a simple check for a cross-site scripting vulnerability into quality assurance (QA) testing procedures. We also look at the overall cloud and application architecture, depending on the scope of the test. That includes DNS issues, network segregation, exposed administrative interfaces, and IAM policies, among other things.
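As an added illustration of the kind of simple cross-site scripting check a QA team can fold into its regression suite (example code written for this page, not 2nd Sight Lab’s tooling): a harmless marker string is submitted through each form field and the response is checked for the marker appearing unencoded. The two render functions and the field names `name` and `city` are constructed stand-ins for the application under test.

```python
import html

# Constructed marker: distinctive enough not to collide with real page content,
# and containing the characters (<, >, ", ') a safe template must encode.
PROBE = '<qa-xss-marker data-id="42">\'</qa-xss-marker>'


def render_unsafe(fields: dict) -> str:
    """Constructed stand-in for a page that interpolates raw input (the defect)."""
    return "<p>Hello {name} from {city}</p>".format(**fields)


def render_safe(fields: dict) -> str:
    """Constructed stand-in for the corrected page: every field is HTML-encoded."""
    safe = {k: html.escape(v, quote=True) for k, v in fields.items()}
    return "<p>Hello {name} from {city}</p>".format(**safe)


def find_unescaped_reflections(render, fields: dict, probe: str = PROBE) -> list:
    """Submit the probe through one field at a time; return the names of fields
    whose value comes back in the response without HTML encoding.

    A field that is reflected only in encoded form, or not reflected at all,
    is not reported."""
    vulnerable = []
    for field in fields:
        submission = dict(fields)
        submission[field] = probe
        body = render(submission)
        if probe in body:
            vulnerable.append(field)
    return vulnerable


if __name__ == "__main__":
    baseline = {"name": "Ann", "city": "Oslo"}
    print("unsafe page:", find_unescaped_reflections(render_unsafe, baseline))
    print("safe page:  ", find_unescaped_reflections(render_safe, baseline))
```

In a real suite the `render` argument is replaced by a call against the deployed application (for example, an HTTP request through the test client), and a non-empty result fails the build.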

Our focus is always on finding the configurations and vulnerabilities that could lead to a breach. We don’t just point out the problems; we try to help customers understand them and how to fix them. This approach will help your team focus on strategies to prevent vulnerabilities in the first place, rather than react to them. That and frequent retesting by a professional penetration testing company that is always researching new exploits will hopefully keep the attackers — and security researchers — from giving your company an unrequested penetration test.


Teri Radichel | © 2nd Sight Lab 2020
