Perimeter
10/12/2011
12:30 PM
Tom Parker
Tom Parker
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Advanced Threats And Scenario-Based Penetration Testing

Why your pen-test efforts probably aren't preparing you for the worst

I'm a big believer in scenario-based assessment work. Back in the day when most attacks grew out of the attackers desire to learn and challenge themselves, it was acceptable to perform blanket security assessments without real purpose. In today's environment, real attacks are very much with a purpose and far more sinister than their counterparts of years gone by.

Motivated by attempts to steal, extort, and disrupt, the landscape looks very different than they did when I first started working in the business. As a result, it's vital that, in addition to traditional assessment work, organizations engage in scenario-based testing, which takes into consideration the nature of both the properties of an organization's business (such as the assets it values the most) and the threatscape at a given point in time.

At FusionX, we are frequently engaged in and regularly encouraging our clients to perform such testing -- especially when it comes to simulating sophisticated threats. When performing internal, scenario-based tests, our team is often challenged with a statement from IT staff, which typically goes something like this: "Well, you were already connected to the desktop network, which required you to get past physical security."

While this might have been a valid statement 10 years ago, or in the unlikely event that there is client-side attack surface whatsoever, this often causes me to question the institutional level of understanding for the threatscape of today. It also further reinforces the need for organizations to test and therefore demonstrate resilience against sophisticated threat actors.

All too often, security assessments commissioned by businesses consist of two lonely components -- the external network and internal penetration test. It's no secret that while some external exposure remains, successful attacks against today's IT-enabled businesses have trended away from the network perimeter to going after the client/desktop environment -- leveraging client-side vulnerabilities such as those commonly found to exist in browser plug-ins.

While conventional, external and internal assessment activities still remain valuable for validating perimeter and internal network security. They often fail to provide a realistic evaluation of how resilient your network infrastructure really might be to the common denominator of most modern compromises.

The good news is, more and more organizations are buying into the idea of running frequent, internal vulnerability scans against desktop environments. Even better news: Most commercially available vulnerability scanners now support authenticated scans that will identify delinquent patch levels of commonly attacked client-side software. Unfortunately, a large percentile of targeted malware attacks that we have seen in the past two years have leveraged flaws that were either previously unknown or for which no fix is yet available, and therefore likely effective against even the most heavily patched enterprise.

Further, automated internal VA activities against your desktop environments will inevitably fail to assess the adequacy of host-based intrusion prevention products and other factors that could make or break your ability to defend against the next targeted attack against your organization. In order to address this gap, an assessment approach is required that fully evaluates the multifaceted approach that should exist in order to fend off the increasingly sophisticated attacks of the present day.

In subsequent blog posts, I'll take a look at a few components that should be included within any scenario-based assessment whose objective is to evaluate your ability to withstand a sophisticated client-side attack.

Tom Parker is Chief Technology Officer at FusionX.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.