To anyone not living under a rock, the increasing threat of a cyber attack is very plain. IT professionals spend sleepless nights worrying that they’ll be the next Walmart or Sony or Visa. They hope that they’re doing everything they can to either prevent an intrusion – or if that’s not possible – prevent a serious breach and data loss.
One way that security practitioners improve the security of their networks is by contracting security professionals to perform penetration testing and vulnerability assessment. These ethical hackers provide valuable services and information that can both help to improve the actual security of the IT infrastructure and demonstrate a credible effort for audit, compliance and insurance purposes.
The two modes of operation of security testing are black-box and white-box. Black-box testing occurs when the hacker doesn’t know anything about the system being attacked – they must figure out the details of data and security as the test goes along. This, barring any insider information, is the way that an intruder begins an attack. The purpose of this type of testing is to see what a hacker can determine about a system’s vulnerabilities from the outside.
In contrast, white-box testing starts with complete knowledge of the systems under attack. The hacker knows the applications, network topology, operating systems, versions, file locations and vulnerabilities in play. Armed with this knowledge, the hacker can efficiently exercise known vulnerabilities and extract data. The goal of any real hacker is to effectively transition from black-box to white-box, learning all of a system’s secrets and exploiting them, and a penetration testing service can let you know how hard that transition is.
But why make it easy on them?
And why not take the opportunity to give your own IT team new insight into your own systems and how to better secure them? Before turning to an outside agency for security assessment, why not turn part of your own team into hackers? Think of it as a game, and arm them with a few nuggets of information that a determined hacker could probably discover – a network topology, a critical file location or perhaps a key password. Armed with that information, an in-house hacker team can see how hard it is to poke around and find good information – and once that information is found, how hard is it to sneak that data out?
In fact, getting data out of a network can be a very valuable exercise. Mounting a solid defensive strategy to keep the bad guys out is a critical component of an effective security posture, but it should be assumed that a determined hacker could eventually break in. The best chance to detect an intrusion may, in fact, be effective monitoring which catches sensitive data on its way out of the network. Recent breaches, such as Sony, involved large, recurring file transfers off of the corporate networks that were not detected in a timely fashion. Ask an internal team that is armed with knowledge of firewall rules and tracking mechanisms to try to sneak data out of the network while an opposing team tries to spot them doing so. This can reveal gaps in monitoring coverage for both the deployed technology and its usage by the security teams.
No silver bullet
Incidentally, this is also the goal of cyber range testing. A cyber range conducts similar exercises in a standalone network environment; however, the goals are the same – improving the products, people, and processes of the IT team in order to improve the organization’s security posture. There’s rarely a silver bullets security product that can solve all security problems, so investing in new security technologies can certainly help but it’s rarely as critical as improving the involved people and processes. A solid internal test of ability to detect data leaks or respond to a concerted attack can be very revealing.
There are a number of questions that should be asked at the beginning of the test. Are the tools configured correctly? Does the team know how to use them? Do they know what to look for? Are the automated alerting systems set up and configured correctly?
Often, a massive DDoS attack (and the accompanying service outage) is not the end goal of an attacker. In reality, a DDoS attack is often used as cover for a much more subtle, lower bandwidth intrusion attempt. However, the flood of alerts and alarms can easily overwhelm both the monitoring tools and the teams who employ them.
Having a well-trained team, appropriately tuned tools, and a robust process that can deal with a realistic, massive attack will pay dividends downstream in early detection and prevention of breaches. In fact, in most enterprise networks, a motivated insider can sneak data out via the network. If an organisation can improve its ability to detect file leakage, or surreptitious outbound connections, or even outbound communication from infected hosts to an external control and command server, then that alone is worth the time invested in an internal hacking exercise.
It’s important to note that internal hacking should never take the place of a well-structured external review. The penetration testing skill sets of an external professional will often be above those of an internal staffer with a different focus. However, an internal team can easily identify many of the weaknesses and opportunities for improvement and make immediate improvements. When the low hanging fruit is found and resolved by the internal team, the expensive investment in an external team will yield a better results because they can focus on details that couldn’t be discovered internally. Discovering just how easy it is to compromise an internal system or surreptitiously extract data can help the team to think differently about how internal security probes, monitoring tools, alerting mechanisms and response processes should be deployed and optimized.
So take the time to set up an internal “bad guy” team to try to break into an internal system and sneak a file out. You might be surprised by what you learn about your own security AND the change in awareness of your team. You’ll be satisfied that you uncovered those improvement opportunities yourself – not an external team, and certainly not a malicious hacker.