March 25, 2021

The Cyber Rants Podcast

Episode #21 - Penetration Tests: What You Need to Know (Part 2)

This week we take a deeper dive into the types of penetration testing. The guys discuss why it's important to consider the reason behind a penetration test and some different methods of testing to consider. The team compares white box vs black box penetration test. In addition, they cover options that companies can take in their testing initiatives, along with providing best practices for companies getting their first pen test.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez hello and welcome to the cyber rants podcast this is your co-host

zach fuller joined by mike rotondo and lauro chavez and today we are continuing our mini series

about penetration testing lots to talk about it'll be a good episode mike why don't you kick us off

with the news hey greetings how are you doing today everybody um headlines for today i'm going

with the fbi to start out with the internet crime complaint center which is affectionately known as

ic3 i received a record number of complaints from the american public in 2020 surprise surprise

791 790 with reported losses exceeding 4.1 billion that's with the b dollars this represents 69

increase in total complaints from 2019 uh bec or business email compromise schemes can you continue

to be the cost of this almost 20 000 complaints with adjusted loss of almost 2 billion phishing

scams are also prominent with 241 000 complaints about 54 million in losses uh ransomware as

it continues to rise with 2400 incidents reported in 2020 over the years i'm sorry

and then uh finally state and local governments had also had a five percent increase in losses

um from 2019 to 2020 they lost over 2 1.8 billion crime is out there be careful cyber cyber security

bug hunting sparks enterprise confidence we're going to kind of touch on this a little bit

in today's podcast but uh nearly three-quarters of it professionals surveyed say they prefer to

buy technology and services from vendors who are proactive about security that includes pen tests

including leveraging ethical hacking and having transparent communications about vulnerabilities

but they believe less than half the vendors actually deliver 74 say that ethical but

hacking bug hunting fine vulnerabilities is highly important so you're for software company

uh get a pen test and there's a place called silent sector that doesn't um anyway fbi what type

of scam is costing business the most that is this new scam it used to be you pretended to be the cfo

and tell someone to transfer money now they're doing tech support fraud so you're getting a call

from a bank saying you're from tech support they want you to go ahead and give them your password

so you can log in and unlock your account i got three of those fan emails today alone microsoft

fixes office issues causing memory and disk space errors and you aim microsoft microsoft has

addressed a known issue causing memory and disk based errors when opening word or excel um this

primarily function hits the microsoft office apps from the microsoft store there's a new

sh as excuse me zhtrap botnet malware which deploys honey pots to find more targets basically

this botnet is hunting down and transforming infected routers uh network devices into honey

pots and how to find other targets to infect and once it does the insidious part is just

things that blocks all other malware using white listing so uh interesting stuff there's another

banking trojan out called metamorpho that started as a latin american banking trojan back in 2018.

uses the legitimate binary used for creating shortcut keys and windows

to use malware to sneak past defenses so careful out there top msp challenges in 2021 are growth

remote working and dns so you may want to look in your new sassy programs

microsoft azure sdk site tricked into listing fake packages a security researcher was able to

add counterfeit test package to official list of micro microsoft azure sd key sdk latest releases

so um be careful what you're pulling down uh from the justice files the tampa twitter hacker agrees

to three years in prison and you remember the guy that did the hundred thousand dollars of bitcoin

uh hack on twitter he's going to jail for three years is it really a hack if you if

you work there and you have admin access i don't know ah i i think theoretically yeah it's still

it's a rogue admin but uh you know it couldn't happen to a nicer company like twitter security

the linux kernel bugs that surface after 15 years and 15 year old bugs that are showing up that uh

found in the kernel code that implements iscsi there's cbe 2021-27365 cbe 2021-27363

and cve 2021-27364 buffer overreads buffer issues basically uh google fixes chrome zero

day bug exploited in the wild so more more bugs for google update your update your chrome chinese

threat actors target global 5g operators believe these attackers are using a phishing website

masquerading as the huawei company career page which transfers you to a domain under control of

the threat actor where they're infected infected with malware which a threat actor leverages to

perform a digital discovery and data collection i don't know if we all noticed but microsoft had a

massive outage um on the 15th uh basically there was an issue with the signing of the keys rotation

and token and validation issues as microsoft explained the authentication and login issues

behind yesterday's outage were caused by an error that affected the correct rotation of signing keys

used for azure ads use of open id i can tell you from personal experience talking to some people

they're still having issues with this um the four thousand dollar covered 19 relief checks cloak

drydex malware cyber criminals have literally wasted no time the new american rescue plan that

just got passed i don't think it was last week or whatever um it's supposed to send out 1400

checks to people um they're already sending out emails and personally the irs trying to download

the drydex trojan so be careful they're just gonna send the checks you don't have to do anything

um twitter can be twitter images can be abused to hide zip and mp3 files researcher david buchanan

attached example images to his tweets that include simple pictures but hide zip archives and mp3s

you just have to download and change the file extension and then contain the entire content

of the file so last but not least uh check your zoom settings under personal look and see what

data centers you're leveraging and apparently all of them are checked uh that includes china in the

australia singapore may want to just use the us or you know some some other place where you're from

but uh may not be the best to route through china that's the news lauro yeah thanks mike thanks

zoom for uh yeah not telling us we're we're being routed through whatever data center you feel like

at any given time so yeah make sure you make sure you change that uh from an exploit perspective

a couple interesting things have dropped uh this week um especially around and not specific to what

they are right i mean we're always going to kind of see the same amplification bypass or injection

right i mean those are really kind of the main flaws in code that allow you some some good

some good caltrops that you can drop right and so i think what's more is the intent that this is um

the software that this that these exploits are and they're they're like 14 of them um towards

specific 4g connected security surveillance software uh made by kc tech jayton tech and noatel

if you're running soyal or casey tech or jaeton these are um not us-based these are not i would

say a-quadrant technologies but they're probably affordable technologies that you can obtain that

do the same job as the a-level technologies so there may be some companies here that are using

these liquid worm drop quite a few all kinds of the worst of you can imagine for this type of

surveillance software so if you're using those types of software again kc tech jayton and notel

and soyal make sure you're looking at the the versions and you want to upgrade those to the

most recent and that's that's really all that's worth talking about from an exploit capability

it's what it's not what how vulnerable you are it's it's how exploitable are you yeah

yeah you can have 10 10s on your scanner but if they're not exploitable what's the point

exactly exactly excellent point well speaking of which that's where pen tests could come in

isn't it today we'll talk about bit more dive dive deeper and deeper into pen testing last week we

talked about it at a high level and uh some of the things that we're seeing out there in the

industry and some are good some are not so good and some just are so uh today we'll talk briefly

about and mike this touches on the article that you mentioned basically companies want

to see companies get pen tested right they're vendors and i think that's probably the most

common request that we get an organization that maybe hasn't had a penetration test before

have hasn't had one recently um or maybe they're they are in a tempo and they're doing it annually

or something like that either way they need somebody to come in and do the pen test largely

in part because it's a request to their client and so that's very very common and and as such your

penetration test can either be a big asset for the organization or it can be a hindrance it can

actually make you look bad so we we talked about a bit about some of the differences last week but

let's dive into some of the scoping considerations and some of the um areas if you know if your tasks

if your organization has to get a penetration test not even of course as a best practice you should

be doing them anyway but let's say a client wants one what do you think they're going to be looking

for out there what are they what types of things are they going to want in a penetration test

good question zach um and there are a lot of expectations i think that you can you can get

out of a penetration test you know we can get into the details of what the report should look

like but i think in general you should be looking for the value that it provides you um you should

you should be looking toward um you know the methodology and we'll get into that right but but

essentially the pentax should tell you what your risk and attack surface look like today

for whatever target you pointed it at and and that's something also that we should talk about

right but i mean really at the highest level when you get that report it should tell you

what the risk is um and and that's all going to depend on the type of contest

right the methods um what you paid for if you did a code analysis if you did a black box

you're going to get different results there's going to be different data but that data should

all tell you um a type of risk that you have for the for the attack surface it was looked at

and if there is something that is exploitable there that is worth you know gonna be time money

people that sort of thing to resolve or was it trivial items right and i mean i think i mean i

think that's really what you're what you're you're going to want that's what i want out of it i want

to know what the risk state is you know when i have a home inspector come look at the house i

want to know what what i'm going to have to fix after i buy it i mean i think that's probably the

easiest analogy that i can provide is that you should get some data out of it and that and here's

the other thing too is that there's going to be times where you've been a proactive organization

and you've done this over and over again you've embedded lots of good cyber security

practices and defense and depth methodology and this whole bit and you you need to pay

for a penetration test right it's time for that and you can pick whoever you want and they're

going to come at you with their tools and their manual techniques and they may not find anything

um if your if your infrastructure is configured to drop packets um you know i think they're going to

they're not going to be able to to really obtain any usable place if you've got a

lot of white listing so that that report may come back and say you've just done an

outstanding job of providing a defense in-depth strategy and protecting the

the attack surfaces that you have to put on the public facing internet of things

and that's a good thing right it's like getting a gold star or an a-plus report or you know

getting a home inspection doesn't have anything other than the faucet should be changed you know

um which would just be an outstanding ordeal and if you can live with the faucets that are

there you don't have to spend any money that's a whole different conversation than there's termites

in the foundation you know where it's going to cost lots of money and you know you should

you know then you should you may have to dedicate people or time but the value is

is there if the information makes sense to the organization and and gives you a site of risk

i think one of the other things that you want and it's kind of you is to show that you're

remediating your risk right so if you have a pen test and then they find things and then you have a

follow-up test you can show that look we have this risk we identified it because we're proactive in

our security and then we fixed it and here's the clean report the other thing going back to the

report i want to talk about is that you know that's the difference between a manual report

and a automated report so lauro when you you're talking about how you know you may find nothing

in the test well with those automated scanners and that that kick out where the report sets you're

going to see the happy birthday attack on the golden poodle attack and all these attacks that

really mean nothing right so they're all going to be reported yeah they're all going to be reported

as you know attacks and vulnerabilities when reality they're not they're not exploitable so um

you want to be concerned about what you're paying for who's doing it are they really paying

attention to it are you just getting some machine language out of the human interaction spit out

onto paper that you then have to justify and explain and that could in theory cause you to

spend a lot of cycles chasing down something to fix something that doesn't really need to be fixed

so we see that a lot a lot yeah absolutely and i i think another thing that

a lot of people get caught up in the jargon uh and the terminology that don't have a

background in this so a lot of times we'll get somebody they might have a tech background but

but not in pen testing not in cyber security and they'll come and they say hey we need this tested

and uh what you know sometimes they'll be sold certain things what they need and

not really reality so different different people get asked about things like

white box versus black box penetration testing for example um some organizations will tell me

you need you know you need everything you need um everything from you know static code analysis

to you know you need somebody there at your office doing wireless pen testing and such and

in some cases it's true and others uh it can be a bit exaggerated so i think defining how you get

the most bang for your buck can be tough um one of the things though that we we tell people a lot of

times you've never done any penetration testing before a lot of times it makes sense to start

with if you're looking at say your your network environment or even a web app in some cases might

make sense to start with a black box penetration test and what a black box pen test is is basically

an attack from a a external attacker's perspective with very little information almost no information

about the target so they don't have any user credentials they don't have your

architecture diagrams or anything like that they're just basically

going after a specific ip or url and looking at it that way and so a lot of times that's i i refer to

that as a drive-by uh approach right and and to do an initial round of testing i think that's

step number one anyway um so organizations especially that are on a budget and such that

can be a great place to start now it's not going to reveal as much as a more in-depth pen test

um but it's a good place to start and then the opposite end of the spectrum would be a white

box penetration test right and that's where the tester has complete information about the

environment they have the diagrams they have user credentials they probably even have the code base

and really can take a granular look at the program and this can make more sense when you're looking

at it from maybe potential insider threats right large organizations massive numbers of employees

might prefer to take that approach on a regular basis but it doesn't necessarily make sense for

everything um i think a lot of times in the web app space at least we um do a lot of gray box

testing right because and that's basically fairly a little bit of information including some user

credentials to test the application the reason why we recommend that is because people have

there are so many stolen user credentials out there available

on the dark web in deep net that they're easy to come by and so many people are guilty of reusing

their user credentials the gray box application makes a lot of sense so i just wanted to touch

on those three because i know that is a common question people ask what should we do

um and you know really it comes down to speaking on a case-by-case basis but at a high level

um those are the the approaches that you'll come across um well so let's tie that back into what we

were talking about in the in the b2b space in that it's a money maker pen tests are actually a money

maker believe it or not you they your clients want the confidence to know that you're being tested

right they want to know that you're proactive in your cyber security and

you know if you can show that someone come from outside your organization has gone

through your application and tested it and torn it up you have a great

way of differentiating it differentiating yourself from your competitors

yeah i'd say that's the most the single most common you know common request from

from com especially larger companies of their vendors is when was your latest pen test and what

what was the scope of it and they won't they want to see that you need to understand what was done

yeah and usually usually i think it's i think it's safe to say that usually the organizations

that that that we see that are that are asking for pin tests are for two reasons is that they're they

have a client that's requesting it that's gonna make them money if they get it and can show that

it's good um or they're in a compliance initiative again because of a clients that are requiring this

right customers are requiring this type of compliance date that then requires annual or

bi-annual or quarterly pin testing right um and so again it's money driver it is i mean you're there

i i we seldom see organizations outside the department of defense and just say hey we want

to be as secure as possible it's typically because they're being driven in some form by

customers that are requiring that right bigger bigger organizations that may be requiring that

that level of of assurance and confidence over the technologies right you need and you need

to match the quality of your penetration test to the sophistication of the customer

and we've been in this right those discussions with large large enterprise after doing a pen

test they want to talk with the tester they want to talk about the results

they have detailed questions and if you if you have a big contract on the line a big customer

you're supporting you have to be able to answer those otherwise it undermines your credibility

um so and last week we talked about some of the kind of canned approaches commoditized

services and such those can be fine to kind of kind of check a block and say you did it but

um you need to be real careful when you're when you're getting into discussion because

we see this regularly it's it's uh they want to analyze what's really going on um at a deeper

level just having it just having a penetration test i i think maybe a few years ago that was

fairly standard fairly acceptable i think now though people are realizing that hey

not all penetration tests are are created equal and um they want to get more um

from a vendor vetting perspective probably than than ever before at least that

seems seems uh in my opinion that seems to be the way things are going yeah what about scoping so

you have this requirement for penetration testing might be compliance might be maybe it's just maybe

you are in fact proactive and it's bet you know it's best practice um or it's client driven i mean

organizations of course have a lot of different pieces to their environment um oftentimes we'll

see they'll put all their focus on one one part but maybe we should touch on that briefly

um you have you know internal network pen testing external wireless you got even things

like physical intrusion testing testing the you know physical security around the data protection

um and then of course web applications and we we see it all um how would you what would be your

recommendation to an organization that maybe has all those things um i mean right off the bat let's

say they've never done this before should they go out and get everything tested or how would you

help them to find the scope assuming they're on limited resources a good question i mean i think

i think well you can ask me asking me is probably it's probably not fair because i i always want to

say you should do everything upfront if you've never done it before if you've never if you if

you have the architecture to support all of the attack surfaces for wireless and intrusion um if

you've got sensitive data on site um or or you know other types of things on site that that

may warrant physical break in or um just uh just for your applications i mean i'd say do it all

however that's not realistic for everybody and i understand that and so i think the tempo that we

see that's successful that is is that you just kind of you plan it out over a year

um or maybe even two years and you just chunk it out you you focus on

um you know i guess it just depends on where you're where you feel you have the most risk

and i think that you can always ask us right i mean if you approach silent sector we'll

we'll take a look and listen to what you have and we'll give you our recommendation but it really

comes down to what you feel is going to be the the the most concerned that you are about risk and

that's probably where your first target should be if that's a web app then make it bad if

you have just some you know random person come in and build a wireless network for you

inside and you're you're you're in a building with a bunch of other businesses and you're just super

worried that someone's just going to jump on the wall i mean you know so it just depends i think

it's it's it's different for everybody but you don't have to you certainly don't have to get it

all at once but your goal should be to understand the entirety of the business's technology system

and what the attack surface looks like so you can shore those weak points up um we call that a cyber

risk assessment right where we do everything we look at that holistic electronic dependencies

that you have and and and throw in pin testing and threat hunting and the whole bit and give

you a good analysis of where your whole business from an attack in a risk perspective look like

um so that's the go that should be the goal i think of any organization but everybody has to um

abide by their budgets and i think i think it was said best by somebody i know very well that

big big big wars are won through little battles so you know if you can get little wins

um that's that's great if you can get a web application tested even though you have 40.

if you can just get one tested and demonstrated that there were some misconfigurations there

whether they were explorable or not just just to get something on the on the platter to serve up

not to say that we're working on it i think that's by far the best step that you can take

wouldn't you agree mark i mean yeah i would 100 agree you need to be making an effort um and

just start the proactive you know every journey starts with the first step first steps a small

a small contest then by god go with that yeah but if you can bite off the whole chunk i mean

there's really it's a matter of how soon do you want to know um right i mean that would be ideal

but who you know small businesses may not be able to do that that's true they may not be able to

um but you know i guess if there's if there's a height if there's a high stress consider

consideration for data on site or data in a or data in some form of technology that they're

they're relying on they may be concerned enough to do the whole thing i think we've seen that

happen and it's certainly not common yeah um and it's usually not the smaller organizations that

the small b2bs that can do it but that we've also seen them be able to accomplish it over

12 to 18 months pretty easily as well um chunking it out but yeah i agree that

you can put it on your wish list maybe santa will bring you a a silent sector cra for christmas

we've also seen him have to bite the bullet and do it because they've had you know a 500 000 deal

hanging in the balance right so they've had to figure out how to do it so yeah all that i mean

customers is customer driven like we were talking about you know from that article it's 75 of all

people want to see that you're being proactive and that's not the discount and we're not going

to talk about this today very you know very much but i mean your whole cyber security program your

information security program your privacy policy your data handling policies and all these other

things that need to dovetail in but you know the pen test is a good place to start because it shows

you where your problems are from a technology perspective yeah the other stuff is easy to fix

yeah i think and when we with one of our programs is specifically for b2b tech companies we start

with what we call the systems triage phase it's part of our methodology and going in that includes

some pen testing right off the bat because we want to see what the cyber criminals are

seeing right we want to be able to guide them in a remediation of that those um kind of that

that low-hanging fruit for the criminals right we want to get that out of the way first because no

use having that risk exposure out there and what and that adds the benefit of having that done um

for uh clients and prospects that are requesting it as well but um yeah it's an interesting thing

i think you know the final note that i would have on this would be that when you're looking

at what to have penetration tested a lot of companies just think about the data specifically

but for some organizations that may not be the most critical factor it may be more systems that

keep them operational right maybe they need to run certain systems 24 7 or something you know some

for manufacturing plants for example it may have um various data sources and lots of backups and

things like that but if their production systems go down they're losing revenue immediately so

think about that it's not always the data a lot of times it is the data but think about

the data but also what you are required to be operational and then also think about your

liability if a breach occurs right what service level agreements are you not going to be able to

meet or what data might may get out there because those liabilities present a risk factor that's a

trailing risk after the breach occurs that need to be considered so that would be my final thought on

on just a very high level overview maybe we can get into detailed scoping uh later on but um

but for today's purposes any other thoughts uh comments smart remarks about pen testing

always remember never forget your comments i'm not sure how they smell how smart they are

yeah it's just it's important to be proactive it's just that's the way that's the world we

live in today right i mean um if you read the news go to bleeping computer go to

any of those stories any of those news organizations out there krebs even

you just see how bad things are from a cyber perspective and you really need to stay diligent

it's no longer it's not that we you know we don't we're a small company we don't have anything

anybody wants to steal it's it's now they want to steal your compute power now they want to steal

whatever they can from you and you just have to stay diligent and pen tests are key to that

absolutely yeah my final thought is is simply this it's proactivity is necessary zero trust

even though it's not being talked about a lot is happening it's an evolutionary step that

these organizations that have risked too much and spent too much money and work too hard they're not

going to risk themselves on businesses that don't feel the same way about their technology systems

so it's unfortunate you're going to get passed over and they're going to spend

more money on somebody else who does care so it's it's you it's it's evolver

it's the age-old thing right above a guy you be a dinosaur or you can turn into a primate yep and

if you're paying for this stuff if you're doing this stuff you might as well use it as an asset to

grow your revenue to get a competitive advantage in the future it'll be more standard but now like

you said from that article based on those surveys mike it's all only half of companies are really

delivering on this stuff so you you know chances are you have a good opportunity in your space

um to leverage these these types of activities get a good return on investment so thank you

for joining us today hope you're enjoying the uh mini series here on penetration testing we

have a lot more to talk about uh so stay tuned in and if you like podcasts subscribe rate us

uh check out the cyber rants book on amazon and we will see you next week take care everybody

Episode #21 - Penetration Tests: What You Need to Know (Part 2)

Send Us Your Questions & Rants!