
Perimeter

10/12/2011 12:30 PM
Tom Parker
Commentary

Advanced Threats And Scenario-Based Penetration Testing

Why your pen-test efforts probably aren't preparing you for the worst

I'm a big believer in scenario-based assessment work. Back in the day, when most attacks grew out of the attackers' desire to learn and challenge themselves, it was acceptable to perform blanket security assessments without a real purpose. In today's environment, real attacks are very much purposeful and far more sinister than their counterparts of years gone by.

Motivated by attempts to steal, extort, and disrupt, the landscape looks very different than it did when I first started working in the business. As a result, it's vital that, in addition to traditional assessment work, organizations engage in scenario-based testing, which takes into consideration both the properties of an organization's business (such as the assets it values the most) and the threatscape at a given point in time.

At FusionX, we are frequently engaged in such testing and regularly encourage our clients to perform it -- especially when it comes to simulating sophisticated threats. When performing internal, scenario-based tests, our team is often challenged with a statement from IT staff that typically goes something like this: "Well, you were already connected to the desktop network, which required you to get past physical security."

While this might have been a valid statement 10 years ago, or in the unlikely event that there is no client-side attack surface whatsoever, it often causes me to question the institutional level of understanding of today's threatscape. It also further reinforces the need for organizations to test, and thereby demonstrate, their resilience against sophisticated threat actors.

All too often, security assessments commissioned by businesses consist of two lonely components -- the external network penetration test and the internal penetration test. It's no secret that, while some external exposure remains, successful attacks against today's IT-enabled businesses have trended away from the network perimeter toward the client/desktop environment -- leveraging client-side vulnerabilities such as those commonly found in browser plug-ins.

While conventional external and internal assessment activities remain valuable for validating perimeter and internal network security, they often fail to provide a realistic evaluation of how resilient your network infrastructure really is to the common denominator of most modern compromises: the client-side attack.

The good news is, more and more organizations are buying into the idea of running frequent internal vulnerability scans against desktop environments. Even better news: Most commercially available vulnerability scanners now support authenticated scans that will identify delinquent patch levels of commonly attacked client-side software. Unfortunately, a large percentage of the targeted malware attacks we have seen in the past two years have leveraged flaws that were either previously unknown or for which no fix was yet available, and were therefore likely to be effective against even the most heavily patched enterprise.

Further, automated internal VA activities against your desktop environments will inevitably fail to assess the adequacy of host-based intrusion prevention products and other factors that could make or break your ability to defend against the next targeted attack on your organization. To address this gap, an assessment approach is required that fully evaluates the multilayered defenses that should exist to fend off the increasingly sophisticated attacks of the present day.

In subsequent blog posts, I'll take a look at a few components that should be included within any scenario-based assessment whose objective is to evaluate your ability to withstand a sophisticated client-side attack.

Tom Parker is Chief Technology Officer at FusionX.
