Top 6 vulnerabilities found via penetration tests
- By Andrew Whitaker
- May 22, 2014
The basement-dwelling teenager poring over lines of scrolling code as he rips through the security of a government or corporate server is a popular trope in Hollywood movies. Although this widespread image of the hacker isn’t accurate, the threat of cyberattacks against government networks is very much a real world concern.
In order to be more prepared for cybersecurity breaches, agencies should consider a comprehensive penetration test – ethical hacking with the goal of attacking or bypassing the established security mechanisms of an agency’s systems, and using the same tactics as a malicious intruder.
Penetration testing can be conducted by way of a cyberattack or by exploiting a physical vulnerability of an organization.
After gaining access to a system, the penetration testers will report back with detailed information about what vulnerabilities were exploited, how they were able to breach the system, what level of data was accessed and how to prevent future exploitation. The following is a compilation of the six most common vulnerabilities found during penetration tests:
Pass-the-hash. Hashing is the process of taking data of an arbitrary length and manipulating it into a predetermined length. Most password challenge and response systems use hashing to convert a plaintext password into a string of letters and numbers that would appear meaningless and random to the common user. A malicious intruder would develop a program to intercept the hashed data as it is being relayed and could then use that hashed data to fake authentication and gain access to an otherwise secure system.
Password reuse. Anyone who reuses passwords across multiple platforms can fall victim to further attacks when a password that was compromised in a data-loss incident is used to gain access to different, otherwise secure platforms that use the same password.
Patch management. Cyber criminals commonly exploit known weaknesses for which patches have already been released. IT managers who have not kept their patches up to date, particularly with the updating of third-party applications like Java and Adobe, have opened themselves up to this kind of attack.
Unsupported legacy software. Closely related to improper patch management, using unsupported software opens the agency to a world of vulnerability. With Microsoft’s recent withdrawal of support for Windows XP, the company will stop issuing patches to fix vulnerabilities found in the operating system, leaving XP a prime target for attack.
Insecure in-house developed applications. Internally developed applications are not generally as rigorously tested as popular third-party programs. One major category of vulnerability is the input validation flaw, where an outside or client-facing input overrides the legitimate functioning of a subsystem. These include cross–site scripting for websites and SQL injection for applications.
User awareness. One of the simplest methods for cyber criminals to exploit is the phishing scheme, whereby an attacker tricks the user into revealing personal information. One of the more basic approaches is to pose as a system’s administrator and then demand a user’s password for “validation.”
A more advanced method is to fraudulently copy the interface and layout of a targeted website or application and trick the user into entering his username and password into the fake website. This will often be accomplished by providing the target with a misleading URL address or by actually interfering with the display functions in the address bar, so that the user sees a trusted URL when visiting a fake website.
The majority of cyber attackers are not the Hollywood variety. Cyber criminals most often rely on exploiting known vulnerabilities and improper security practices; they prey on the non-technical and the misinformed. Conscientiously keeping up-to-date with security updates and patches and adhering to the basic common-sense practices of cybersecurity will help keep an agency’s systems and its users protected from the majority of attempted cyberattacks.
But because agency IT departments, “don’t know what they don’t know,” they should consider penetration testing, enabling an ethical hacker to identify and remediate weaknesses before the “bad actors” steal the show.
Andrew Whitaker is the director of the cyber attack penetration division of Knowledge Consulting Group. He can be reached at firstname.lastname@example.org.