5 Most Common Problems Found in Penetration Testing
By Akash Desai, Director, ERMProtect IT Security Consulting
Let’s think like a hacker for a moment. Our goal is to gain unauthorized access to as many Internet-connected devices in your organization as possible with as little effort as possible. Ideally, we should be looking to target low hanging fruit. To do this, we would write a script that would automatically scan the Internet across various devices and computers in your organization to see which ones are vulnerable and easily entered without much effort. So, for the greatest return on investment, the hacker’s script should try to attack the following types of targets:
- Those with the most common vulnerabilities typically found in systems these days.
- Those that can give us an easy entry.
So, what did we gain from this thinking exercise? Well, if you reverse this situation and need to think like a defender, you now have an idea of what a hacker would try to target, and you can focus your first defensive efforts on where the hacker thinks the “low hanging fruit” lies.
As an IT security penetration testing company in business for 24 years, we find several commonly observed vulnerabilities in organizations regardless of industry vertical or size that present low hanging fruit for hackers. Let’s take a look at five of the most common vulnerabilities we come across. If you pay attention to these, your organizations won’t inadvertently make a hacker’s job easier.
End-Of-Life (EOL) and obsolete software is at the top of the list. Simply put, this is software and hardware that has not been patched or retired. This problem stems from inadequate patch management practices at organizations. It also stems from the very nature of cybersecurity today which is a cat-and-mouse game where a new vulnerability emerges almost every day.
The latter you can do little about, but the former should be well within the reach of organizations. Otherwise, you are affording a window of opportunity for hackers to exploit. There are various ways to go about dealing with this issue. Patch management software is one way. But if you’re on a tight budget, then break down patch management tasks into daily, weekly, and yearly sub-tasks and follow through with them diligently using accountable individuals. Make sure you also have a full and up-to-date inventory of software and hardware at your organization. You need to know what you need to patch.
Also, End-Of-Life (EOL) means that the manufacturers are not going to release any more patches or provide software/hardware support. You should be looking to retire such items and replacing them with ones that do have support.
Remote Management Services
Remote management services help perform critical tasks such as managing a network device etc. Sometimes, these services are offered over an insecure protocol/interface despite there being safer alternatives available. Examples of insecure protocols include TFTP, FTP, Telnet, and HTTP. These do not offer encryption and so any communications that travel over these can be easily sniffed by a malicious actor and stolen with remarkable ease. Add to this the fact that these are, sometimes, also poorly configured – such as an FTP with anonymous access.
Unencrypted protocols should be completely avoided when offering these remote management services. Remember that the default settings often use insecure protocols. Change them and use secure alternatives that offer strong encryption. Furthermore, place restrictions on who can access your critical remote management services instead of leaving them open for anyone to connect.
Default Passwords and Settings
This is the lowest of all the low hanging fruits out there. Software and hardware often ship with factory default settings and passwords. While thankfully, the incidence of this issue has declined over the years, there are still enough times when penetration testers and ethical hackers encounter it. What is worse: the issue occurs across the board - from printers to routers and from databases to load balancers.
The process to deal with this issue ties in closely with your patch management practices. Create a reliable inventory of software and hardware that you track closely and update on an ongoing basis. This will make it easier to ensure no defaults are being used. And again, restricting access to critical infrastructure devices and systems is important. Hackers love probing for defaults. If you don’t fix them, they will find them. It’s only a matter of time.
Encryption is one of those things where you will always find yourself playing the game of catch up. For instance, there was once a time when 56 bits of encryption was reasonable, but now even 128 bits isn’t comfortable enough. Penetration testers and ethical hackers come across weak encryption issues in almost every penetration test. Obsolete encryption protocols and weak encryption ciphers are very common to see. These issues make attacks like man-in-the-middle (MITM) attacks easy to execute for hackers.
Thankfully, like the others, this issue is not difficult to address. As new vulnerabilities come to the fore, so do better encryption protocols and ciphers. From your side, though, you need to move diligently to immediately adopt these new protocols and ciphers and ensure your infrastructure no longer supports outdated or insecure ones.
You’ve seen these. When a web page doesn’t load, it’s not unusual to see an error page. These pages, though, sometimes have verbose error messages that inadvertently reveal information about the underlying infrastructure.
For hackers, these are treasure troves. These could include internal paths, stack traces, code snippets, database queries, and just about anything that the underlying platform decides to spew out the moment it is unable to handle a particular request. The information in these error messages can be leveraged to mount serious and targeted attacks. Hackers know this and that’s why they will send specially crafted requests that the infrastructure doesn’t know how to handle which then leads to information leakage.
For applications, this is an issue that developers need to resolve. Better error-handling measures need to be incorporated during application development. Developers need to ensure that applications only issue generic error pages that do not reveal sensitive internal information. User input needs to be adequately validated before being processed to avoid generating error messages in the first place.
Penetration Testing Report Recap
If you are a CISO, the next time you’re holding a penetration testing report in your hand, look for these five common issues. They are low hanging fruit for a hacker, so they represent the best value to you if you invest the time to plug them. Get together with your team and create a remediation plan where you allocate timelines and identify specific individuals who will be fixing each vulnerability. Once your team is done with remediation, perform retests to ensure that the issues have indeed been fixed.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights