5 Benefits of External and Internal Penetration Testing

As network technologies and application features evolve at an ever-increasing rate, so too have the associated security vulnerabilities. But have our efforts to identify these vulnerabilities kept pace? Has security external and internal penetration testing evolved since its origin in the seventies? How have we changed our security testing approach, tools and methodology to meet the challenges of the changing threat landscape? To answer those questions, we’ll need to understand penetration testing.

What is penetration testing?

Penetration testing is different from vulnerability scanning. A vulnerability scan is used to identify, rank, and report vulnerabilities while a penetration test is used to exploit vulnerabilities or otherwise defeat the security controls and features of a system. Penetration testing is an authorized and proactive effort to assess the security of an IT infrastructure by carefully running tests to exploit vulnerabilities of the system, comprises in an operating system, misconfigurations, service errors, and even unsafe end-user behaviors.  These evaluations help confirm the effectiveness of defensive mechanisms and adherence of end-users to security procedures. There are typically two types, External and Internal.

Penetration testing is conducted externally and attempts to exploit critical vulnerabilities that could be exploited by an adversary to remotely compromise client networks disrupting business operations, destroying data, or stealing sensitive information.

An internal penetration test always assumes that you have internal network access. It can provide valuable insight if you are worried that a rogue employee could try to access data that they’re not authorized to view. Internal penetration tests can also tell you how much damage an intruder could do if one of your employees mistakenly opens an attachment on a phishing email, or how far a visitor to your site could get by plugging their laptop into the local network.

Finally it is important to note that Internal Penetration testing is different from Internal Vulnerability Scanning.  An Internal Vulnerability Scan, sometimes referred to as a Credentialed Scan,  is used to identify, rank, and report vulnerabilities while a penetration test is used to exploit vulnerabilities or otherwise defeat the security controls and features of a system. This will provide additional analysis of business risk and can be used to assist risk mitigation investment decisions. Using both approaches provides a better analysis of business risk and can be used to make better risk mitigation investment decision. Internal Vulnerability Scanning will be covered a future post, so stay tuned!

Who needs Penetration Testing?

The goal of professional or amateur hackers is to steal information from your corporation. They may be after money or simply seek to sabotage your company. If you think about it, one single incident of system downtime can make a huge impact on your company’s reputation. Your business partners or customers may think twice about the security of their relationship with your company.

You may think a Windows® firewall and regularly updating your password is enough to ensure your security. Sadly that is not enough. Highly skilled hackers can get into your system easily and get all necessary information from you without you even knowing it.

Any company, corporation, or organization that relies on IT should have their system security tested regularly and update their security features to prevent the negative effect of system downtime and illegal hacking.

Penetration Testing – The Benefits

There are numerous benefits of employing penetration testing.

1. Detect and arrange security threats

A penetration test (pen test) estimates the ability of an organization to defend its applications, networks, users and endpoints from internal and external attempts to dodge its security controls to achieve privileged or unapproved access to protected assets. Pen test results confirm the threat posed by particular security vulnerabilities or faulty processes, allowing IT management and security experts to arrange remediation efforts. Organizations can more efficiently anticipate emergent security threats and avoid unauthorized access to crucial information and critical systems through executing regular and complete penetration testing.

2. Meet monitoring necessities and evade penalties

IT departments address the overall auditing/compliance facets of procedures such as HIPAA, SARBANES – OXLEY, and GLBA, and report testing necessities recognized in the federal NIST/FISMA and PCI-DSS commands. The complete reports produced by the penetration tests can assist organizations in evading substantial penalties for non-compliance and let them illustrate ongoing due diligence into assessors by maintaining required security controls to auditors.

3. Circumvent the rate of network downtime

Recuperating from a security flaw is expensive. Recuperation may include IT remediation efforts, retention programs, and customer protection, legal activities, reduced revenues, dropped employee output and discouraged trade associates. Penetration testing supports an organization to evade these financial setbacks by proactively detecting and addressing threats before security breaches or attacks take place.

4. Protect customer loyalty and company image

Even a single occurrence of compromised customer data can destroy a company’s brand and negatively impact its bottom line. Penetration testing helps an organization avoid data incidents that may put the company’s reputation and reliability at stake.

5. Service disturbances and Security breaches are expensive

Security faults and any associated disruptions in the performance of applications or services may cause debilitating financial harm, damage an organization’s reputation, grind down customer loyalties, generate negative press, and incur unanticipated fines and penalties. Frequent employment of penetration testing avoids these expenses by the organization.

Penetration testing helps your organization avoid IT infrastructure invasions. It is better for your business to proactively maintain its security than to face extreme losses, both to its brand equity and to its financial stability.

Penetration testing should be carried out whenever there is a change in the network infrastructure by highly experienced experts who will scrutinize internet connected systems for any weakness or disclosure of information which could be used by an attacker to compromise the confidentiality, availability or integrity of your network.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on penetration testing for your IT environment.

Jeff Grim is CTO/CISO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

Impact of Cybersecurity Maturity Model Certification (CMMC) on DoD Contractors

Overview

The Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S) is working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry to develop the Cybersecurity Maturity Model Certification (CMMC).

  • The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.
  • The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements.
  • The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.
  • The intent is for certified independent 3rd party organizations to conduct audits and inform risk.

Basic Facts about CMMC and how it will affect your Business

Taken from FAQ posted at: https://www.acq.osd.mil/cmmc/faq.html

CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that ranges from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use as a “go / no go decision.”

New Framework and Assessment process based on Controlled Unclassified Information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO
  • Nuclear
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • Provisional
  • Statistical
  • Tax

Resources, including online training to better understand CUI can be found on National Archives’ website at https://www.archives.gov/cui/training.html

The DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.

The initial implementation of the CMMC will only be within the DoD.

The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.

Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.

Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

The certification cost has not yet been determined. The cost, and associated assessment will likely scale with the level requested.

There is no Self-certification

We expect that there will be a number of companies providing 3rd party CMMC assessment and certification. An independent 3rd party assessment organization will normally perform the assessment. Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).

Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.

The duration of a certification is still under consideration.

If my organization is certified CMMC and your company is compromised, you will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.

If your organization cannot afford to be certified, it does that mean your organization can no longer work on DOD contracts. The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.

**Even if your organization does not handle Controlled Unclassified Information (CUI), all companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.

All Subcontractors currently on a DoD Contract, will need to obtain CMMC.

The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts

The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ unclassified networks. CMMC audits by third party assessment organizations will not be applied to classified systems or environments. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.

If you would like more information, contact LP3. We will be glad to help you make an informed decision about the impact that DFARS has on your business or organization.  For more information about our DFARS / CMMC  compliance services,  please visit our website.

Jeff Grim is CTO/CISO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.

Phishing Trips

Phishing Trips: Is Your Company Being Taken on One?

Back in the good old days when vacation time came around, the expression was “Gone Fishing.”  Boy, how times have changed in this new age of technology and cyber hacking!

Phishing has nothing to do with the sport of fishing– it’s a critical element of Internet Technology. Phishing is a process where nefarious hackers attempt to steal your passwords with a purpose of fooling people into downloading malware.

Phishing is a process where nefarious hackers attempt to steal your passwords with a purpose of fooling people into downloading malware.

Phishing has become a critical problem for businesses of all sizes. In fact, recent statistics show that  93 percent of phishing emails now deliver some type of ransomware, malware or other type of cyber attack. The worst part of these phishing attempts is that people are easily baited and don’t even realize they’ve been had until the system is infected.

Cyber security experts suggest that phishing attacks come in all shapes and sizes, but usually target specific individuals within an organization, especially those who have access to sensitive corporate data.

Just recently, Verizon sent out a warning stating that as few as 10 phishing emails can have up to a 90-percent chance of reeling in a sucker. The problem is that most targets are not hi-tech gurus. They’re professionals in areas such as manufacturing, retail, real estate or other industries, but they’re unaware of the new bait and switch tactics taking place over the web. These folks often think they’re opening a trusted news channel, dating site or generic puppy training video when the boss isn’t looking – and what happens? Bang! They let malware, ransomware or a virus in.

What Do You Do?

So what should you and your staff be looking out for to stay safe? Here is a list of the most common phishing techniques:

1. Mass-Market Emails

The most common method of attack comes by tricking someone into thinking that email comes from a trusted source. The message and header seems familiar enough. It could say, “UPS is trying to deliver a package.” Or, “Hi remember me?” Or, “I’ve been trying to reach you.” I even got one recently that said, “Is this you?” Some attacks specifically target organizations and individuals while others rely on methods other than email to get inside.

2. Spear Phishing Is even More Pointed – Targeting You Personally

In general, phishing is about casting a wide net. Spear-phishing, like those in the recent Russian attacks in our election process, goes after specific targets. It makes sense to the cyber criminals: better to go after a select few organizations with money, resources and data than just sending out random emails hoping for a big catch. An attacker may target a government agency, or official, to steal state secrets or secretly control a state or national government official. They often succeed because the attackers carefully tailor information specific to the recipient or include a file name the target is interested in. One that recently worked contained a malicious Visual Basic for Applications (VBA) macro that contained malware called Seduploader.

3. Whaling: Phishing for The Biggest Catches

When the targets are an organization’s top executives it’s called “whaling.”The targets are: data, employee information, and cash that an executive has direct control over. Naturally, information stolen from an executive will be of higher value than that stolen from a regular employee.

This requires a little more work because the hacker needs to know who the intended victim communicates with and what the communication entails – customer issues, legal docs, or even privileged information from the C-suite. Attackers start innocently enough, using social engineering to gather specific information about the victim and the company before launching their harpoons.

4. Heard of BEC, Business Email Compromise? That’s A Hacker Pretending to Be The CEO

BEC scams and CEO email fraud targets key individuals, especially in the organization’s finance and accounting departments. By doing so, it seems an order is coming right from the top – tricking targets into initiating money transfers to unauthorized accounts. By monitoring an executive’s email activity for a period of time to learn about company processes and procedures, the attack email is made to look like it has come from a targeted executive’s account to a regular recipient. Looking important and urgent, it directs a wire transfer to the attacker’s bank account. The haul? Last year BEC scams accounted for more than $4.5 billion in actual and attempted losses.

5. Sending In The Clones

Clone emails are another clever way to fool employees and they work just as well as the originals. The body of the message looks exactly like a previous message, the only difference is the message has been traded for a malicious one. It may say “need to resend the original”  or “this is an update” to explain why the victim was receiving the message again. The hope is familiarity will soothe the receiver into opening the communication without thinking too much about it. Spearphishers even clone websites with fake domains to make the scam more difficult to detect.

6. Over The Phone Phishing Becomes Vishing

Vishing is “voice phishing” using a phone. Typically, the target gets a voice message disguised as a communication from a financial institution asking you to call a specific number and enter your account or PIN number to continue. The voice on the other end belongs to a hacker via a voice-over-IP service. Apple tech support communications are a favorite, using the fear of being hacked to do actual hacking.

7. Spreading Poisonous Messages Is Called Snowshoeing

It’s hard to keep up with the terminology, much less the forms of attack. “Snowshoeing” or “hit-and-run” spam is pushing out messages via multiple domains and IP addresses, so each address has a low volume of messages to avoid spam filtering.

“Hailstorm”, another barrage campaign, works like snowshoeing except with a short time span seeking to outsmart anti-spam tools that filter and block future messages with mass volume in limited time spans. But, usually by then, the hackers are long gone.

Learn to Recognize Phishing Lures

Most ordinary users are not good at recognizing a phishing attack while a savvy one may be able to. But that risk is too great to just leave it hanging out there. Because of that, do a risk assessment gap analysis to make it easier for users to recognize the seriousness of malicious messages. Simple defenses like spam filters are not enough; your organization should consider the implementation of an internal awareness campaign and train your staff to recognize different types of attacks to strengthen security defenses.

One Final Word

Be careful. That email or attachment may look like it comes from a trusted source, but who you may see as a pal, may only see you as chum.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

For more information about our Security Awareness Assessment and Training Services, please visit our website.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.