Just when you think you’ve got yourself all covered on the security front, an attack comes out of nowhere and bites you on the arse. You think to yourself: How did I not see that coming?
That’s where penetration testing, or ethical hacking, comes in. The idea is to get a third party to think (and act) like a hacker to test your organisation's resilience to attack.
And the stakes are high, says Hacklabs senior consultant Jody Melbourne. “Nobody is concerned with targeting websites or going after your database – that’s old,” Melbourne says. “The real bad guys are trying to steal your IP, your business intelligence or business information. [The criminal] is going after you internal network.
"You make a lot more money if you find out that large corporation A is about to acquire large corporation B in a few months, for example. If you hack some board members of a large corporation and find out all of their secret information, read their emails, then that is far more serious than stealing credit cards.”
Melbourne has been employed by both private sector and public sector organisations to test their security, with sometimes alarming results.
He said he's found it "frustratingly easy" to just walk into many organisations. "I just wave my hand and say ‘I’m walking in here, it’s fine’ and walk straight in," Melbourne says. "I’m wearing the right clothes, I’m confident, and I look like I’m supposed to be there.”
All it can take then is swapping out a desk phone for a tampered-with handset of the same model. “I plug in a device behind a phone; or I swap out the phone entirely for the exact same model and say ‘I’m here to change the phone, there’s something wrong with it’ and the receptionist says ‘OK’."
"That whole network and organisation is compromised with a spy phone that I was able to make for $50," Melbourne says.
Melbourne gave another hypothetical scenario for compromising a network — a hacker dressed like, and acting like, a regular employee just strolls in and connects a Wi-Fi or 3G dongle to an organisation's network.
“[Then] I’m sitting in a hotel room 500 metres away with full access to your internal network reading your executives’ emails," Melbourne says. "That’s the landscape now."
A network could be compromised with just $100 worth of innocuous-looking hardware that most employees wouldn't even recognise as a threat.
Melbourne said that when engaged by a government department to test their security he was able to compromise the entire agency after gaining access to a computer on its network – with no special tools required.
“A business insider at a corporation might only have mediocre hacking skills, but might actually guess the password of the CEO and get access to all of that information," Melbourne says.
"That’s far more devastating to an organisation than the most advanced hacker in the world sitting inside that network who has absolutely no business experience, doesn’t know anything about the corporation.
“The hacker could get access to all the corporate documentation, all of the board members, meeting minutes, all kinds of internal IP and emails. But the hacker doesn’t know how the business works so he/she doesn’t know what is valuable and what isn’t.”
Daniel Cabezas, head of security testing at an Australian financial organisation, says that when he does test email campaigns, he still finds many users clicking on links, downloading files or installing untrusted applications.
"We are doing security awareness courses, but whenever we do testing by sending ourselves email campaigns, there’s still more percentage of our user base who click on things," he says.
One issue that security teams have to deal with is that hackers are also not necessarily looking to directly break into a company's systems. Cabezas says they may have more success in hacking a personal computer of an employee to find business information or a work password or account.
"If the malware is trying to target the users at their homes, the reality is that I don’t have that many security controls in my laptop at home. So [criminals] are most successful attacking the home laptop of the users to try and get information about the company they work for. They go to LinkedIn and look for potential employees from the company to attack their personal laptops."
The rise of bring-your-own device (BYOD) schemes – under which employees can use their own smartphones, tablets and notebooks for work – and an emphasis on flexible working only further complicate the situation.
Cabezas says that there's usually a struggle to balance user demand for new technology with security.
"We have to determine what the risk of [introducing] the new technology is, but our users are already asking us to implement it," he says.
"You might have a very functional, well-defined application, and you might think ‘it works the way we expect it to’. But what happens when somebody finds something unexpected?
"Criminals don’t work for X hours a day and then go home. They keep working during the night, during the weekend and they just have to find one hole. So you have to think the way they do. You might say ‘this vulnerability is really difficult to exploit’, but they will take the time and whatever the means to exploit it."
Pentester’s toolbox
Many of the tools used by pentesters to assess an organisations' vulnerability to attack are freely available. Here are six of the most commonly used.
Metasploit
The Metasploit Framework can be used for both discovery and execution of vulnerabilities. The open source project bills itself as the "world's most used penetration testing software". The current version is 4.9.3, released in March this year. There's a non-free 'Pro' version edition based on the freely downloadable 'Community' edition
Burp Suite
Burp is a platform for testing Web applications. It includes a proxy for monitoring traffic between your browser and a website, a scanner for vulnerability discovery, a tool for testing the randomness in an application's session tokens, and 'Burp Intruder' for "automating customised attacks against Web applications, to identify and exploit all kinds of security vulnerabilities".
Phishing Frenzy
Phishing Frenzy allows pentesters to manage email phishing campaigns. The tool, built using the Ruby on Rails Web framework, allows campaign creation and execution. Phishing templates can be backed up, restored and shared.
John The Ripper
John is an open source, multiplatform password cracking tool. It is able to identify the type of hashing and can use a variety of methods to determine a password.
Nmap
Nmap is open source tool that can be used for mapping a computer network, identifying hosts and services. Scan types include SYN Stealth; FIN, Xmas, Null; UDP Scan; IP Protocol Scan; ACK Scan; Window Scan, and more.
Wireshark
Wireshark is an open source network packet analyser. It can be used for network troubleshooting, analysis, and software and communications protocol development, but pentesters essentially use it to eavesdrop on an organisation's network traffic.