
Interviews

Testing as a whole

When reviewing your organisation’s security, it’s vital to think about scope. If you cherry-pick certain pieces of infrastructure to look at, you’ll end up with secure things sitting alongside insecure things. It’s like fitting a fancy lock on the front door but not checking whether the windows are open. In other words, there’s limited value in assessing the security of your website alone. You need to think about the security of your entire organisation and infrastructure, rather than doing compliance-driven testing where the focus is on completing a tick-box list, writes John Kearney, Technical Author, dxw cyber, a security consultancy that specialises in attack simulation.

Thinking holistically about security requires a broad range of skills. As well as being able to find vulnerabilities, you – or your security provider – need to be able to exploit them safely to find ways to break into systems and move between them. You also need to consider how suppliers, people, processes and premises might be relevant to security questions, not just technology.

Defining scope

Step one is to define a comprehensive scope. We recommend making a list of servers, end user devices, corporate networks and Wi-Fi networks, and of infrastructure-, platform- and software-as-a-service suppliers, plus independent software vendors who host services within your premises.

You also need to be willing to work in an agile way and amend the scope as you discover new things, which you will!

Designing the breach scenario: what’s the objective?

When designing the breach scenario, we start by asking senior management what outcome they most want to avoid. That will vary depending on your organisation, but could be someone gaining access to your customer relationship management system and exporting customer information in bulk, or gaining access to credit card details. We also talk to people in less senior positions, as they often have different concerns, and bring these together into one clear objective.

We also think about the type of things attackers care about; that is, what’s their pot of gold? It’s not always intuitive. Data that has little value to you can be of huge value in another context. Personal data obtained in one place, for example, can be used to attack unrelated systems. A notable example is the attacks against the Internal Revenue Service in the US, where it’s very likely that attacks were made against unrelated systems to obtain the social security numbers and other personal data necessary to trick the IRS’s Get Transcript service into giving access to fraudsters.

It’s also important to think about what real attackers would do to breach your systems. They’ll look for the easiest way, not the most intricate and drawn-out one. So focus on those attacks first, moving up in complexity as your security posture improves.

If you haven’t looked at everything, how do you know you’re secure?

Because this work is objective-based, the attacking team will go where it needs to go to achieve the agreed breach scenario. This is part of what differentiates this kind of work from ordinary penetration testing. It means not everything in the scope will be examined, but that’s okay. It’s not an audit; it’s to show how a real breach could happen. It’s also designed to be iterative. Next time, you’ll have fixed some things, and the attacking team will need to try harder to breach you. You should repeat this cycle until breaching your systems requires so much skill or effort that an attacker is unlikely to persevere.

Of course, the amount of effort an attacker is prepared to put in depends on who they are and the value of your assets to them. Casual or automated attacks are much easier to defend against than those mounted by skilled and determined attackers. It’s important to keep this dynamic in mind when thinking about an appropriate budget for spending on this sort of work.

Diligent defences must include friendly attacks

Information security is a dynamic field in which two groups of people are constantly trying to outwit each other. Attackers look for novel technologies and new vulnerabilities, while defenders try to find better ways to detect and prevent attacks. That’s why a diligent approach to defending systems must include concerted intelligent attacks by humans. Automated tooling isn’t clever enough to keep up with human attackers … not yet, anyway!

