“Security is only as strong as your weakest link “
Am I a big fan of Penetration Tests?
Yup, I am, but not the way most companies do it or get it done.
Companies look at these assessments as a tick mark in a compliance checklist. No one wants issues to be there in the assessment reports. Every one fights to get the risk ratings from critical to medium and medium to low. I have often realized how hated I am in the organization and somehow concluded that more the IT guy is pissed with me the better work I have done!
So why do Penetration Tests fail & why I think these tests are useless.
Companies fail to understand what is critical for them and what needs to be checked. There are no targeted pen tests being done.
While getting their external router assessed for critical vulnerabilities they often fail to realize that they have a porous wireless network which would be piece of cake for a determined attacker.
One of my clients was after me to ensure that we reviewed his routers and firewalls multiple time while he had his wireless network secured by using MAC filtering only. It took me days to convince the client and his MNC wireless vendor to drive home the point that wireless network directly hooked in your server environment is a bigger risk, and somehow MAC filtering is not a security mechanism. I could show him that it was easier to walk into his premises and put a rogue AP in a conference room rather than working my way through layers of firewalls he had at the internet perimeter. In no way I am demeaning the value of having a secure perimeter, but not at the cost of having a network port open in a guest lounge.
Organizations would put cameras, security guards and turnsters at the main gate while keeping backdoors to lobbies and cafeterias open and unmanned. One other clients was not ready to accept that password guessing, even if I am able to guess his domain admin password was a successful hack and a serious issue, as he wanted something technically fancy, something that looked like those hacker movies we see, something which is magical and gives a shell. If someone can kill you with a hammer he doesn’t need to use his snipers. And death is death whether by cold or by cancer.
Clients come and tell me to perform external pen tests and shy away from including social engineering, client side testing, physical security and stolen equipment tests, without realizing the test would show them only one side of the coin, and not the actual picture. It would take someone minutes to launch such attacks and get the jewels of the organization.Getting internal Penetration tests for servers done without including clients, network devices, password brute forcing and social engineering test?
Come on stop kidding me.
Don’t create a security theater for yourself, a tester with his hands tied behind his back and eyes blinded could not hack your systems and you feel happy about it and feel like a winner! AAH!
Lets have a no hold bar test. Let’s level the playing field. Let’s have actual tests done. Let’s see where we are broken. Let’s check our small offices in sleepy towns.
Lets get ourselves hacked so as to be secure. Hackers do not follow rule books , they do not have an assigned budgets or time frames. They do not have time lines for compliance and do not have time slots to stick to. A determined hacker/tester would get in.
The world has now changed from people trying to catch the low hanging fruit to hackers who are professionals and know who and how to target. Lets stop preparing ourselves s against indiscriminate machine gun fire to more directed sniper shots.
“security is as strong as the weakest link which is around the corner waiting to be exploited.”