How Can Penetration Testing Protect Your Assets?

Every business has something to lose. But…who loses sleep over it? Whose job is on the line if assets are compromised? Who cares about protecting their assets? In recent data breaches, some companies just haven’t shown the expected response when they compromise assets. Take Uber, for example. The core of Uber’s business is drivers and riders, yet they covered up a hack for over a year. Hackers stole 57 million credentials through a third-party cloud-based service, and Uber paid to cover it up. Uber knew they’d face major backlash when they exposed the cover-up because they didn’t protect their assets.

How can organizations protect their assets? Investing in penetration testing is one way to show clients, prospects, and competitors that you are willing to protect your assets and that you recognize the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company.

What Type of Assets Do You Protect?

In any industry, there are assets that need to be protected. You may not think that your organization has a “security issue,” but third-party validation through penetration testing can either validate or deny that. Cardholder data, Social Security numbers, protected health information, access credentials, intellectual property – businesses across industries need to recognize how penetration testing can protect their assets.

  • Casinos – The gaming industry has earned a reputation for strict, effective physical security. As technology advances, though, so should cybersecurity. If a casino is connected to a hotel, are the networks segmented appropriately? If not, a hacker may have found a way into the casino’s gaming network. From there, they could have access to the security cameras, the ability to manipulate odds, see payout information for each machine, alter rewards information, or worse.
  • Hotels – Cardholder data, passport information, rewards numbers, room information, security systems, and more could be compromised if a hotel is hacked. The Marriott hack exposed in 2018 is now one of the largest known thefts of personal records in history. When Marriott’s Starwood reservation system was breached, the personal data of up to 500 million guests was compromised.
  • Pharmaceutical – Production and development, intellectual property, operations, clinical trials, and laboratory results can be impacted when the pharmaceutical industry is targeted by cyberattacks. When pharma giant Merck was hit by NotPetya, it disrupted their operations across the world and production of new drugs, ultimately costing them over $600 million in 2017.
  • Utilities – The threat of power grids being attacked by nation states is becoming more real every day. In 2018, the DHS linked Russia to hacking US power suppliers and publicly spoke about the cyberattacks to warn and prepare other energy suppliers.
  • Data Centers – Whatever data is stored in a data center is under threat. Any insecure access point, like security systems, power supply, security cameras, or HVAC systems, are fair game to a hacker.
  • Retail – Cardholder data is the major asset of any retailer. The infamous 2013 Target hack is a nightmarish example of just how much data a retailer is responsible for. The compromised cardholder data of 40 million shoppers led to a $18.5 million settlement for Target.
  • Airlines – Passport details, passenger itineraries, rewards information, cardholder data, flight schedules, and the safety of passengers are things that could be compromised if an airline is hacked. Fortunately, no travel or passport details were revealed in British Airway’s 2018 data breach, but 380,000 transactions were compromised due to digital skimming on the airline’s website and app.
  • Telecommunications – Because telecom providers communicate, transmit, and store sensitive data, they are a target for cyberattacks. Telecom providers also have attacks coming from two sides: directly to their organization’s network and indirectly through their users. There are new channels of attack with every advance in technology.
  • Auto – As automakers incorporate more technology into vehicles and self-driving cars become a reality, the threat of cyberattacks on vehicles is very real. Locks, brakes, volume, AC, acceleration – it’s all been proven to be hackable.
  • Education – Educational institutions hold not only attendance and grade records, but Social Security numbers, cardholder data, billing addresses, and many other forms of personal data. Understaffed universities that hold expensive research have a target on their backs. A data breach in the education industry costs $166 per capita, according to the Ponemon Institute.
  • Insurance – Cardholder data, protected health information, and other sensitive data are assets given to insurers through websites and apps, making the insurance industry a target for cyberattacks.
  • Public Sector – 44% of local governments face cyber attacks daily. The City of Atlanta’s Ransomware attack was an unfortunate example of just how vulnerable cities are to cyber threats and how much it costs for a city to recover.
  • Banking – Social Security numbers, credit information, PINs, cardholder data, mailing addresses, email addresses, account balances – it’s all available to banks. In 2014, JPMorgan Chase was the victim of a hack that left half of all US households compromised, one of the largest thefts of consumer data in US financial institution history.
  • Hospitals – Protected health information, security systems, expensive research and prototypes, drugs, scheduling information, and operations of facilities are all assets that a hacker could hope to compromise through cyberattacks. Ransomware attacks are extensive in healthcare for this very reason. No hospital wants their computers, elevators, locks, medical devices, or HVAC system held hostage.

Seeing some similarities, here? Any industry can benefit from penetration testing. Any service provider would be embarrassed to sell something that isn’t secure. Any healthcare organization on the HHS’ “wall of shame” will be used as an example of what not to do. Any payment processor’s reputation would be tainted by compromised cardholder data. No matter the industry, organizations need to protect their assets. What is the value of your assets?

How Can Organizations Use Penetration Testing to Protect Their Assets?

Penetration testing can be used to determine how vulnerable your assets are. It puts your security intelligence in your own hands instead of a hacker’s. It shows your security strengths and weakness, then allows you to prioritize your risk levels. If you have compliance requirements, then penetration testing helps align your organization’s security with those requirements. If you do not have compliance requirements, penetration testing is a proactive way to see and analyze the holes in your security posture. Because penetration testing is a simulated yet real-world exercise, it also gives your team a chance to have true “what if” scenarios to practice incident response and, hopefully, avoid the downtime that a breach would cost in the future.

Consider all types of penetration testing and consult with a qualified consulting firm to decide which would be most beneficial for protecting your assets. Internal or external network penetration testing, web application penetration testing, API testing, mobile app penetration testing, code review, social engineering – there are many options that could be useful to your organization’s security efforts.

If you’re questioning whether or not penetration testing would be appropriate for a business of your size or in your specific industry, remember to consider the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company or your industry.

If your default belief is that we, as an auditing firm, do not employ in-house penetration testers, let us make it clear: we do. We recognize the value of your assets and want to help you find your vulnerabilities and correct them. Contact us today to learn more about our penetration testing services.

More Penetration Testing Resources

7 Reasons Why You Need a Manual Penetration Test

Not All Penetration Tests Are Created Equal

Components of a Quality Penetration Test

Know Your Options: Levels of Service for External Network Penetration Testing

Thinking about hiring a firm to conduct an external network penetration test? What is an external network penetration test and why you need one? Or, have you recently been disappointed with an external network penetration test engagement? At KirkpatrickPrice, our experienced penetration testers want our clients to walk away from each engagement knowing that they are more prepared to combat advancing cyber threats. We are committed to conducting the most realistic, thorough testing possible because when an attacker compromises your external network, it’s likely that they won’t stop there. They’ll go a step further and utilize social engineering tactics, like creating phishing emails specific to your organization, to further infiltrate your environment. That’s why we recommend knowing your options and understanding the different levels of service available for external network penetration tests.

Choosing Levels of Service for External Network Penetration Testing

Standard – External Network Penetration Testing

An external network penetration test provides insight into what an attacker outside your network could exploit. Findings might include:

  • Discovery of open ports, protocols, and services that were accidentally exposed to the Internet
  • Discovery of data leaks, such as excessively open permissions on Amazon S3 buckets
  • Identification and exploitation of old or unsupported systems. These are especially prone to compromise since exploits are more likely to be widely available
  • Identification and exploitation of unpatched or misconfigured systems. On multiple occasions, our testers have found systems with remote-code execution vulnerabilities or misconfigurations that allow passwords to be leaked, among other bugs
  • Broken encryption methods (most common on websites, but also for systems like SSH or VPN servers)

Advanced – External Network Penetration Test Plus Social Engineering

A good ethical hacker will want to utilize as many tactics as possible to discover potential vulnerabilities in an external network. That’s why our penetration testers take external network penetration tests to the next level – the advanced level. They don’t feel like they’re delivering on their work until they go the extra mile and use creative ways to exploit your external network. This typically looks like social engineering methods, such as phishing, to make the penetration test more realistic. An external attacker is not just interested in checking the security of your network perimeter and moving on if they don’t find anything – they’re interested in using external-facing systems (such as email) to get directly into the network. When you’re selecting a firm to conduct your external network penetration testing, consider asking them about social engineering. This provides additional value, such as:

  • Measures mentioned for external testing alone
  • Reviewing layers of security – if an employee accidentally gives away a password when phished, does this impact the external security, and how?
  • Testing security awareness of employees when it comes to email and phone
  • Evaluation of how well email protection/spam filtering measures and protects users from potentially dangerous content
  • Evaluation of how well endpoint protection protects users

Because hackers are so likely to compromise environments using multiple attack vectors, we highly recommend understanding your options when it comes to levels of service and choosing an advanced level external network penetration test. This extra measure will test to ensure that all potential vulnerabilities are found. 

Case Study: Advanced External Network Penetration Test

Did you know that in 2019, 32% of breaches involved phishing, and over 60% of breaches involved the use of stolen credentials? Phishing is one of the simplest and most frequently used attack methods used by malicious hackers. Educating your employees on how to identify and report such emails is essential – and it’s a skill that needs to be thoroughly tested by someone experienced in creating realistic phishing emails. Our penetration testers have executed phishing attempts that have been so convincing that 40% of IT personnel compromise their passwords.

In one engagement, a KirkpatrickPrice penetration tester performed a red team engagement on a casino and resort. In order to gain access to the network, the penetration tester sent out a phishing email that impersonated the casino’s HR department. The email stated that there was a new HR portal that employees needed to log in to and verify their personal information. If they didn’t, the phishing email threatened that a delay in payroll might occur. The penetration tester even went as far as creating a fake HR portal webpage identical to the casino’s brand and link to it in the phishing email. With the fear of payroll being impacted, many employees (even some HR employees) clicked on the phishing link, allowing the penetration tester to obtain several sets of credentials and utilize a VPN connection to access the network of the casino. From there, they were able to compromise the entire network.

Had this casino opted to only do a standard external network penetration test, it’s likely that the phishing email never would’ve been created and the casino would have no idea that its employees so easily click on a phishing email. Instead, the casino and resort would have only received findings of things like open ports, protocols, and services that were accidentally exposed to the Internet, or unpatched or misconfigured systems, and it would be left vulnerable to more thorough hackers.

Getting the most out of your penetration test comes down to choosing the right penetration tester and knowing your options for the levels of service. If you’re in the process of selecting a firm to conduct penetration testing for your organization, let’s chat more about the different levels of service for external network penetration tests and how we can partner to get you the results you need.

More Penetration Testing Resources

5 Critical Things to Consider When Choosing a Pen Tester

3 Hacks to Get the Most Out of Your Penetration Test

What Should You Really Be Penetration Testing?

Security Awareness Training Requirements: SOC 2, PCI, HIPAA, and More

Validating Fixes 30 Days After Your Pen Test – Our Retesting Policy

Every penetration testing firm has unique processes for conducting penetration tests. While there are standards that influence penetration tests, like the OWASP Top Ten, the Open Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES), the truth is not all penetration tests are created equally. When hiring a firm to conduct your penetration tests, having a thorough understanding of their methodologies is imperative. How will the firm you’ve hired help you remediate findings? Will they offer detailed insights and strategies for remediation? Will they re-validate what you’ve remediated? A firm focused on advanced, personal service will do exactly that. That’s why KirkpatrickPrice has a 30-day retesting policy.

What is Penetration Testing?

Penetration testing is a form of permission-based ethical hacking in which a tester attempts to gain access to an organization’s assets, including people, systems, and locations. The purpose of pen testing is to find vulnerabilities that could potentially be exploited by a malicious hacker as part of your ongoing risk management practices. However, pen testing firms who are committed to helping their customers get the most out of their investment know that delivering a penetration test report is only the first part of the service. An exceptional pen tester mindset focuses on providing guidance to remediate the findings, and ultimately, help their client improve their security methods.

KirkpatrickPrice’s Commitment to Your Security Needs

When prospects approach us about undergoing a penetration test for the first time, or perhaps they’ve had a bad experience with another penetration testing firm in the past, they’ll question how KirkpatrickPrice’s pen testing methodologies will prepare their organization against the advancing threats of today’s cyber landscape. It’s simple. We use tried-and-true methodologies that have helped keep our clients secure, including:

  1. Information Gathering
  2. Reconnaissance
  3. Discovery and Scanning
  4. Vulnerability Assessment
  5. Attack and Exploitation
  6. Final Analysis and Review
  7. Implement the Remediation Guidance
  8. 30-Day Retesting Period

Benefits of Retesting

KirkpatrickPrice is well aware that the security of your organization is not something to take lightly. This is why when we conduct our quality, thorough pen testing services, we do everything possible to help you get the most out of your engagement, including providing free resources, access to Information Security Specialists, and a 30-day retesting period to test the changes you make after the engagement concludes. What are the benefits the 30-day retesting policy?

According to KirkpatrickPrice pen tester, Stuart Rorer, “The 30-day retesting policy provides our clients with the ability to have any issues, previously discovered in the pen test, reassessed to see if the remediations have been effective.” This means that when you remediate vulnerabilities over this 30-day retesting period you could:

  1. Save your organization from a costly, embarrassing data breach
  2. Demonstrate your organization’s commitment to security
  3. Prove to stakeholders that you’re willing to do everything possible to protect their investments
  4. Ensure the security of a product before you take it to market
  5. Give your customers peace of mind

For those who may argue that 30 days post-exploitation isn’t enough to remediate vulnerabilities, Rorer makes a critical point: “Having a pre-determined test window also provides the client with a level of accountability, and helps set a timeline goal to have issues remediated. The longer the vulnerabilities remain present, the more likely they can be exploited.” In addition, many compliance frameworks require that you remediate high findings and also test your system after any significant changes.

The 30-day retesting policy at KirkpatrickPrice is optional, but we encourage all of our clients to take advantage of the benefits of re-testing, implementing changes, and validating the security of their networks and systems. After all, a data breach is only a matter of when, not if, it will occur. Make sure your organization receives quality, thorough pen testing services – talk to an expert today. We’re here to help!

More Penetration Testing Resources

What Should You Really Be Penetration Testing?

3 Hacks to Get the Most Out of Your Penetration Test

5 Critical Things to Consider When Choosing Your Pen Tester

Testing Physical Security Measures Through Penetration Testing

When you think about how penetration testing is performed, do you think about testing physical security measures?

While many people believe security breaches only happen on the technical side of an organization, they can also start in your physical environment. You may find it surprising to know that some of the most advanced security attacks originate from an area as simple as a garbage can.

Items such as:

  • Bank statements
  • Credit card offers
  • Personal letters
  • Magazines
  • Receipts

…are just a few items found in the trash that can give a hacker the info they need to launch significant security attacks on a person or organization.

It may be easy to think of a hacker sitting in a dark room somewhere, spending hours trying to break through your firewall and using malware to compromise your systems, but that’s not the only way malicious individuals initiate security attacks.

To protect your secure information, your organization must pay attention to both its technical security and physical security, and consider incorporating social engineering and physical security testing into penetration testing engagements.

7 Ways to Protect Sensitive Information from Physical Security Attacks

There are many ways physical security plays a role in the protection of sensitive information. To make sure your organization is as secure as possible, you can take these important steps towards securing your physical assets:

1. Securely destroy sensitive documents

Trash cans should be placed in an open area that’s visible to personnel, or maybe even in a guarded area, so that anyone who might try to breach your physical security via information in the trash will be caught. Do you shred and securely destroy items that contain personal or sensitive data before going into the trash to protect that information from being pieced together?

2. Implement policies & procedures

Proper policies and procedures should be in place so that employees are well-trained on appropriate security actions for daily activities. Whether that looks like locking doors, keeping security badges on at all times, or requiring all visitors to remain with employees in secure spaces – making sure that every employee understands what is expected of them is important in keeping your data secure.

3. Secure network entry points

Identifying all network entry points is a good practice to prevent wrongful persons from accessing your organization’s systems. Ethernet ports in open areas prove to be tantalizing access points for malicious individuals.

4. Monitor key physical security points with cameras

Security cameras are a great deterrent from hackers who look for easily accessible entry points hidden from view. Part of your organization’s physical security measures should be placing security cameras in areas where secure information is received, processed, and discarded.

5. Monitor all sensitive documents – even locked ones!

Locking secure documents in drawers is a good practice to implement, but these locked areas must also be monitored. A common tool hackers use in physical security attacks is a CH751 key. This key has the greatest likelihood of unlocking simple locks such as those in desk drawers, storage containers, and even elevators, which means securing your documents in a locked filing cabinet isn’t enough. These areas must be monitored at all times.

6. Be careful of after-hours

It’s not uncommon for hackers to slip into your office space unnoticed as everyone leaves for the day. KirkpatrickPrice penetration testers have even waited in office building bathrooms to stake out the best time to enter secure areas and locate security vulnerabilities. Making sure that your office building is secure at all hours of the day is important to protect yourself from security attacks.

7. implement auto-lock computer policies

A practice as simple as auto-locking computers when employees step away from their desk is vital for your organization’s physical security. It only takes a few seconds and an open USB port for hackers to breach your system and install malware.

These practices are just a handful of ways your organization can be proactive in securing assets against security attacks. How can you be sure your current procedures have covered all avenues of entry into your systems? That’s where penetration testing comes in. Through the various types of penetration testing, your organization can gain greater assurance that you have secure practices in place.

Why Penetration Testing Makes a Difference for Physical Security

Penetration testers use the same tricks hackers use in malicious security attacks when they are testing your systems for vulnerabilities. They know that your organization’s physical security is the first line of defense against hackers. That’s why they use tactics such as picking locks to reach areas that are supposed to be off-limits, cloning badges of unsuspecting employees, and scouting out employee workstations to find the right moment to compromise it. At KirkpatrickPrice, our penetration testers perform skilled social engineering and physical security tests to locate vulnerabilities that your organization may be missing.

As an information security firm, we often hear from our clients that they have an internal penetration testing team but aren’t interested in a third party conducting tests on their systems.

Would you choose to test your own building for fire safety or would you rather receive a fire safety report from a Certified Fire Protection Specialist?

Of course, you would choose to have an expert test your safety features to be sure you’re protected against any serious threat of a fire. In the same way, it’s important to have a third-party penetration tester involved in hunting for vulnerabilities within your system, both technically and physically.

When a penetration tester engages in an onsite visit, they are able to recognize physical security weaknesses and help you mitigate your risks. Instead of hoping your security practices will stand against a hacker’s ill intent, you can make sure you have the right procedures in place with a penetration test.

Contact KirkpatrickPrice today to learn how our expert penetration testers can test your security controls and locate your vulnerabilities to help you prevent any security attacks!

More Penetration Testing Resources

5 Information Security Considerations to Make Your Startup Successful

Avoiding a Pen Testing Mishap: What Are You Really Paying For?

3 Hacks to Get the Most Out of Your Penetration Test

Stages of Penetration Testing According to PTES

What is the Penetration Testing Execution Standard (PTES)?

The Penetration Testing Execution Standard, or PTES, is a standard that was developed and continues to be enhanced by a group of information security experts from various industries. PTES provides a minimum baseline for what is required of a penetration test, expanding from initial communication between client and tester to what a report includes.

The goal of PTES is to provide quality guidance that helps raise the bar of quality for penetration testing. The standardization of penetration testing procedures helps organizations better understand the services they are paying for and gives penetration testers accurate direction on what to do during a penetration test.

The 7 Stages of PTES

The PTES methodology is a structured approach to penetration testing balancing guided phases with organizational vulnerabilities. The standard is organized in sections that define what should be included in a quality penetration test.

PTES defines penetration testing in seven phases:

  1. Pre-Engagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post-Exploitation
  7. Reporting

Let’s look at each of these 7 phases of the Penetration Testing Execution Standard in more detail.

Pre-Engagement Interactions

Penetration testers will prepare and gather the required tools, OS, and software to begin the penetration test. The required tools vary depending on the type and scope of engagement but will be defined by a quality penetration tester at the start of any penetration test.

Intelligence Gathering

The organization being tested will provide the penetration tester with general information about in-scope targets, and the tester will gather additional details from publicly accessible sources. This step is especially valuable in network penetration testing.

Threat Modeling

Threat modeling is a process for prioritizing where remediation strategies should be applied to keep a system secure. PTES focuses on business assets, business processes, threat communities, and their capabilities as key elements of threat modeling.

Vulnerability Analysis

Penetration testers are expected to identify, validate, and evaluate the security risks posed by vulnerabilities. This analysis of vulnerabilities aims to find flaws in an organization’s systems that could be abused by a malicious individual.

Exploitation

This phase of a penetration test involves the exploitation of identified vulnerabilities in an attempt to breach an organization’s system and its security. Since the vulnerability analysis phase was completed in a quality manner, the next step is to test those entry points into the organization that are weak.

Post-Exploitation

After the testing is complete, the penetration tester must consider the value of the compromised machine and its usefulness in further compromising the network.

Reporting

An executive-level and technical-level report will be delivered covering what was tested, how it was tested, what vulnerabilities were found, and how the penetration tester found those weaknesses. The report should provide your organization with helpful guidance on how to better your information security practices.

How to Get a PTES-Standard Penetration Test

The main segments of PTES provide a detailed dive into the purpose and expectations of penetration testing.

For many organizations, the ins and outs of penetration testing are confusing. Because of standards such as PTES, you can get a better idea of what to expect when a penetration tester hunts for your organization’s vulnerabilities.

PTES influences the penetration testing methodology of many auditing firms across the industry. It’s through these standards that information security experts can develop a well-working, quality system that detects your greatest vulnerabilities and reports on ways to improve your information security processes.

At KirkpatrickPrice, we understand that keeping your data secure is important to your organization. That’s why our expert team of penetration testers work hard to stay up to date on industry standards, so you can focus on increasing the security of your organization.

Contact us for more information on our quality penetration testing.

More Penetration Testing Resources

The 7 Stages of Pen Testing

Penetration Testing Steps for a Secure Business

Finding and Mitigating Your Vulnerabilities Through OWASP

What is Wireless Penetration Testing?