The hacker gained access to the Fortune 500 financial services firm through an old, half-forgotten Siemens-Rolm PBX (Private Branch Exchange) telephony management system. System administrators at the company had diligently changed the administrative account password, but they either had forgotten or never knew about the factory-installed field technician account on the machine. That password was still set to the default value, just as it was on millions of other similar machines around the world.
The PBX was connected to the firm’s voicemail system, but not to the much more sensitive critical financial management and human resources systems. Those systems were still safe, locked behind a Checkpoint firewall and only accessible via secure two-factor authentication systems, closely monitored, and with the latest security patches installed.
The hacker was smart and patient, though. He found the voicemail box for the IT helpdesk, cloned it to a number that only he could check. Waited. Listened.
A user called in one day, having trouble getting in on his VPN (Virtual Private Network) account. The hacker acted quickly. He deleted the message from the legitimate IT helpdesk voicemail, called the user back himself, and easily got the password and one-time authentication token off him. The hacker then helped the user fix his problem, to allay any suspicions the guy might have had.
By that point, the hacker had already logged in on the user’s account himself and was screaming through the internal network, owning server after server, the keys to the kingdom in his hands.
Weeks later, the IT helpdesk manager got a thank-you letter from this user. The user praised the tech that had helped him with his VPN problem a couple weeks back, describing him as polite, smart and fast.
The only problem was, the helpdesk manager had never heard of this tech. Didn’t have anyone working there by that name. Fortunately, the CIO (Chief Information Officer) knew exactly who it was. The “hacker” was a penetration tester hired by the firm to find and exploit any vulnerabilities in their systems… before the real hackers could do so.
Penetration testing may be the most visible component of what network security auditors do, but the reality is that all cybersecurity professionals engage in near-constant cycles of assessment and testing. This makes learning to assess risk and defend against it a critically important part of any cybersecurity degree program.
Weighing the Risks in Modern Information Systems
Cybersecurity assessments fall into two broad categories:
- Risk assessments
- Vulnerability assessments
Risk is a word with a very specific meaning within the realm of information security and is often misunderstood outside the field. Risk is the probability of a loss multiplied by the likelihood of that loss occurring. But perceptions of risk are frequently colored by fear, anxiety, and uncertainty, causing possibilities and consequences to be over- or under-valued based on factors like media coverage or an individual’s emotions.
Cloud-based systems, for example, are consistently perceived as being less secure than on-premises systems, although most of the statistics available prove otherwise. Still, most people tend to intuitively feel that data behind a locked door is safe as long as they themselves hold the key, even if that’s not effectively the case.
Because these extraneous factors can make it difficult for even cybersecurity experts to accurately assess risk, the National Institute of Standards and Technology (NIST) has developed a cybersecurity framework that can be used to evaluate risks to critical infrastructure and provide industry-standard policy and procedural mitigations. Cybersecurity analysts use such frameworks to work closely with both security engineers and key executives to evaluate potential targets inside the corporate information system and establish the risk of compromise.
In addition to the relatively straightforward factors of costs from lost productivity and incident response from potential breaches, security analysts might also have to account for more esoteric factors such as loss of customer confidence and potential shareholder lawsuits. In the wake of a 2014 theft of customer information, Target Corporation paid out almost $120 million in legal settlements in addition to internal recovery costs. If the risks of compromise had been adequately evaluated prior to that theft, the company could have invested more than $100 million in security measures and still come out far ahead in the end.
A risk assessment, then, points to the systems in which vulnerabilities might be more or less catastrophic if exploited. This allows the cybersecurity auditor to focus resources where they will be most useful in uncovering vulnerabilities.
Isolating the Weak Points Through Penetration Testing
Vulnerability assessments, or audits, evaluate what specific risks exist in the current system structure.
Regular audits are a good practice for any information security team, but in certain industries they may be mandated and/or conducted by regulatory agencies. HIPAA, the Health Insurance Portability and Accountability Act, for instance, maintains strict audit standards for healthcare providers and insurers. And the Securities and Exchange Commission’s audits of financial service providers now include a Cybersecurity Examination Initiative that looks at information security practices.
The sharpest tool in the vulnerability assessment toolbox is the penetration test, or “pen test.” Penetration testing involves cybersecurity teams (called “tiger teams”) taking on the role of black-hat hackers and attempting to gain access to data or resources through actions that would otherwise be illicit. Penetration testers use tools such as:
- Automated scanners
- Password cracking tools
- Other common black-hat exploitation tools
Penetration testing parameters are set by the entity requesting the tests, so exploits that would result in the disruption of services or destruction of data would be prohibited. However, in every other respect pen-testers use the same devious bag of tricks that legitimate cybercriminals might use. The goal is to find all of the vulnerabilities that attackers could potentially exploit.
Automating Penetration Testing
While pen testing can be dramatic, in practice it is more a random snapshot of vulnerability than a consistent, reproducible assessment mechanism. However, certain pen testing tools, such as the Nessus scanner, which can automatically scan a network for known vulnerabilities, can be run regularly to catch any known configuration flaws and alert security engineers.
Logs are another important tool used in network security auditing. The nature of modern cyberattacks is to leave few traces that would be detectable to the average user. But no activity should escape the eyes of a properly configured logging system. Logs record every process, every network request, and in some cases each packet that comes in across the wire. Although modern intrusion detection systems can be programmed to block suspicious traffic, there is always the potential for a new threat with signatures that haven’t been identified yet.
Log analysis software, such as Splunk, can help detect even “undetectable” attacks by looking for traffic that is simply out of the ordinary. Once every normal and accountable activity is filtered out, expert systems or cybersecurity analysts can review logs for signs of illicit activity.
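The filtering step described above, as an added example that is not part of the original article: a small Python script parses constructed VPN authentication log lines, drops every event that matches a baseline of known-normal activity (the user's usual source address and region, normal working hours, successful logins), and hands the remainder to a reviewer with the reason each one stood out. The log format, the baseline, and the working-hours window are all assumptions made for the illustration.

```python
import re

# Constructed sample log lines (not from any real system); the last one is
# deliberately malformed so the parser is shown skipping it.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z vpn auth user=alice src=203.0.113.10 geo=US result=ok
2024-03-04T08:05:40Z vpn auth user=bob src=198.51.100.7 geo=US result=ok
2024-03-04T09:11:02Z vpn auth user=alice src=203.0.113.10 geo=US result=ok
2024-03-04T12:30:55Z vpn auth user=bob src=198.51.100.7 geo=US result=fail
2024-03-04T12:31:20Z vpn auth user=bob src=198.51.100.7 geo=US result=ok
2024-03-04T23:47:09Z vpn auth user=bob src=192.0.2.55 geo=DE result=ok
2024-03-04T10:00:00Z vpn keepalive session=42
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

# Assumed baseline of "normal and accountable" activity: for each user, the
# (source address, region) pairs seen during a previously reviewed clean period.
BASELINE = {
    "alice": {("203.0.113.10", "US")},
    "bob": {("198.51.100.7", "US")},
}
WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 UTC is ordinary


def parse(log_text):
    """Turn matching lines into dicts; lines in another format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def outliers(events):
    """Filter out every ordinary event; return the rest with the reasons."""
    flagged = []
    for ev in events:
        reasons = []
        if (ev["src"], ev["geo"]) not in BASELINE.get(ev["user"], set()):
            reasons.append("source not in user's baseline")
        if int(ev["ts"][11:13]) not in WORK_HOURS:
            reasons.append("outside normal hours")
        if ev["result"] != "ok":
            reasons.append("authentication failure")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


if __name__ == "__main__":
    for ev, reasons in outliers(parse(SAMPLE_LOG)):
        print(ev["ts"], ev["user"], ev["src"], "->", "; ".join(reasons))
```

Only two of the six auth events survive the filter: a single failed login from a known address, and a late-night login from an address and region the user has never used before, which is the kind of event an analyst would review first.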
Whatever the methods used to determine risk and vulnerability, it’s a cybersecurity truism that you don’t know what to defend against unless you know what you are defending… like an old, half-forgotten PBX system with a default technician account in the back office.