Perimeter
10/12/2011
12:30 PM
Tom Parker
Tom Parker
Commentary
50%
50%

Advanced Threats And Scenario-Based Penetration Testing

Why your pen-test efforts probably aren't preparing you for the worst

I'm a big believer in scenario-based assessment work. Back in the day when most attacks grew out of the attackers desire to learn and challenge themselves, it was acceptable to perform blanket security assessments without real purpose. In today's environment, real attacks are very much with a purpose and far more sinister than their counterparts of years gone by.

Motivated by attempts to steal, extort, and disrupt, the landscape looks very different than they did when I first started working in the business. As a result, it's vital that, in addition to traditional assessment work, organizations engage in scenario-based testing, which takes into consideration the nature of both the properties of an organization's business (such as the assets it values the most) and the threatscape at a given point in time.

At FusionX, we are frequently engaged in and regularly encouraging our clients to perform such testing -- especially when it comes to simulating sophisticated threats. When performing internal, scenario-based tests, our team is often challenged with a statement from IT staff, which typically goes something like this: "Well, you were already connected to the desktop network, which required you to get past physical security."

While this might have been a valid statement 10 years ago, or in the unlikely event that there is client-side attack surface whatsoever, this often causes me to question the institutional level of understanding for the threatscape of today. It also further reinforces the need for organizations to test and therefore demonstrate resilience against sophisticated threat actors.

All too often, security assessments commissioned by businesses consist of two lonely components -- the external network and internal penetration test. It's no secret that while some external exposure remains, successful attacks against today's IT-enabled businesses have trended away from the network perimeter to going after the client/desktop environment -- leveraging client-side vulnerabilities such as those commonly found to exist in browser plug-ins.

While conventional, external and internal assessment activities still remain valuable for validating perimeter and internal network security. They often fail to provide a realistic evaluation of how resilient your network infrastructure really might be to the common denominator of most modern compromises.

The good news is, more and more organizations are buying into the idea of running frequent, internal vulnerability scans against desktop environments. Even better news: Most commercially available vulnerability scanners now support authenticated scans that will identify delinquent patch levels of commonly attacked client-side software. Unfortunately, a large percentile of targeted malware attacks that we have seen in the past two years have leveraged flaws that were either previously unknown or for which no fix is yet available, and therefore likely effective against even the most heavily patched enterprise.

Further, automated internal VA activities against your desktop environments will inevitably fail to assess the adequacy of host-based intrusion prevention products and other factors that could make or break your ability to defend against the next targeted attack against your organization. In order to address this gap, an assessment approach is required that fully evaluates the multifaceted approach that should exist in order to fend off the increasingly sophisticated attacks of the present day.

In subsequent blog posts, I'll take a look at a few components that should be included within any scenario-based assessment whose objective is to evaluate your ability to withstand a sophisticated client-side attack.

Tom Parker is Chief Technology Officer at FusionX.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5314
Published: 2014-11-23
Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.

CVE-2014-5325
Published: 2014-11-23
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity refe...

CVE-2014-5326
Published: 2014-11-23
Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?