SecureState Blog

Assess Network Vulnerabilities, Before Hiring a Penetration Tester

Imagine your company just had a penetration test and the ethical hacking firm was successful in gaining access to your confidential data and/or systems. Not too hard to imagine, as it happens to companies all the time. You review the recommendations and fix the hole(s) they’d used to gain access, but what about the other vulnerabilities that the ethical hacker did not exploit?

The attacker may have found some “low hanging fruit” five minutes into the penetration test. Maybe a default admin password on a database? Maybe a service running in the production environment that still has the MS08-067 patch missing? Yeah, they got in. They did the job they were hired to do, BUT what about the other 45 vulnerabilities that they didn’t even attempt to exploit – simply because they had already succeeded in gaining access to your network? This is where vulnerability assessments come into play, and, if your organization is lacking in resources, a Vulnerability Management Program may be the perfect service for you.

Vulnerability Scanning – Overall Picture

It’s 2013, and what has been coined a commoditized product/service is still not being performed properly by companies. Sure, one year vulnerability scanner ‘A’ is the best, the next year vulnerability scanner ‘B’ is the best…you get the point. We have always had great vulnerability scanners, but why haven’t organizations used them to their full potential?

With the use of vulnerability scanners, a network will not necessarily be penetrated, but it will be “scanned.” Everything from software versions and default credentials to potential denial of service vulnerabilities will be looked for. The entire network can be scanned in the same amount of time that it takes a penetration tester to exploit one or two specific vulnerabilities. I know what you are already thinking – scanners are garbage. I’ll admit scanners are not going to pick up some of the more sophisticated and complex vulnerabilities that a seasoned penetration tester can exploit. BUT the scanner will give an organization a good overall picture of some of the more easily exploitable vulnerabilities. If your multi-billion dollar company is going to fail a penetration test, at least don’t let it be by a penetration tester who just ran a scanner and found a default password on your Tomcat server’s admin console. At least make the penetration tester do a little bit of manual work. The longer the penetration tester has to work to gain access to your system, the longer you have to check if you can detect the attacks. Which leads to…your organization getting its money’s worth.

Vulnerability Assessment Finished, Now What!?

Your organization has completed a vulnerability assessment, now what? If there are extreme and high-level vulnerabilities, you need to find out WHY these vulnerabilities exist. Once you have performed root cause analysis, remediation is in order for these extreme and high-level vulnerabilities – BEFORE the penetration test. Is obsolete software being used? Are critical security patches not being applied? Maybe there is evidence that attackers have already accessed your network…forget about the penetration test, Incident Response might need to happen now. If these vulnerabilities are not addressed first, the penetration tester will most likely exploit the exact same vulnerabilities.

If you know systems are vulnerable due to system maintenance or delays on updates from the vendor, take these systems out of scope for the penetration test. The worst thing one could say to a penetration tester is “yeah I know you will probably get into that system.” What?! Really?! Why would you have a penetration test performed on that system knowing it is vulnerable in the first place?
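
One way to act on the two paragraphs above, as an added example that is not from the original post: a small triage script that groups open extreme and high findings by root cause for remediation and lists hosts with known vendor delays to take out of scope. The CSV columns, root-cause labels, and sample rows are constructed assumptions, not any scanner's real export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_EXPORT = """host,severity,finding,root_cause,vendor_delay
10.0.0.5,extreme,MS08-067 patch missing,missing_patch,no
10.0.0.9,high,Default Tomcat admin credentials,default_credentials,no
10.0.0.12,extreme,MS-SQL blank sa password,default_credentials,no
10.0.0.20,high,Obsolete application server,obsolete_software,yes
10.0.0.31,medium,Verbose service banner,configuration,no
10.0.0.20,low,Self-signed certificate,configuration,yes
"""

# Severities the post says to remediate BEFORE the penetration test.
BLOCKING = {"extreme", "high"}


def pre_pentest_triage(export_text):
    """Return (remediation queue, out-of-scope hosts, ready-for-pentest flag)."""
    by_cause = defaultdict(list)  # root cause -> [(host, finding), ...]
    out_of_scope = set()          # hosts known to be vulnerable pending a vendor fix
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["severity"].strip().lower() not in BLOCKING:
            continue  # lower severities do not hold up the test
        if row["vendor_delay"].strip().lower() == "yes":
            # Known-vulnerable system: exclude it instead of paying to re-prove it.
            out_of_scope.add(row["host"])
        else:
            by_cause[row["root_cause"]].append((row["host"], row["finding"]))
    # Largest root cause first, so the WHY with the widest impact is fixed first.
    queue = sorted(by_cause.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    ready = not queue  # ready only when no blocking finding is left to fix
    return queue, sorted(out_of_scope), ready


if __name__ == "__main__":
    queue, excluded, ready = pre_pentest_triage(SAMPLE_EXPORT)
    for cause, items in queue:
        print(f"{cause}: {len(items)} finding(s)")
        for host, finding in items:
            print(f"  {host}  {finding}")
    print("out of scope:", ", ".join(excluded) or "none")
    print("ready for penetration test:", ready)
```
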

Conclusion

Get the most out of your penetration testers by making them work to gain access to your network. Have a vulnerability assessment performed before having an attack and penetration assessment. A sniper (penetration test) may be deadly, but a carpet bomb (vulnerability assessment) could be deadlier. Don’t misunderstand what I am saying – penetration tests should still be performed. However, penetration testers look for “low hanging fruit” first. A penetration test should really be performed to “test” your security…not find holes. Only perform a penetration test once you feel confident that the attack would test the controls that you have implemented. The penetration testers care about getting in; why would they make it hard on themselves? MS-SQL server with blank ‘sa’ password, MS08-067, default Tomcat credentials, JBoss bypass – all low hanging fruit. A vulnerability scanner will not identify every vulnerability that an attacker could exploit to gain access to your network. By performing BOTH vulnerability assessments AND penetration tests you will get a more complete picture of the security weaknesses your network is exposed to. It should not be a case of either a vulnerability assessment or a penetration test. Do BOTH…in the correct order.