Thinking the Unthinkable: What if a Cyber Attack Succeeds?

Jul 30, 2013


Jerome Smith, penetration tester and ethical hacking training instructor at 7Safe, part of PA Consulting Group, invites you to ask the big “what if?” question.

In recent years we have become used to seeing organisations, big and small, suffering breaches of security. From LinkedIn[1] to Twitter[2], if the prize is rich enough, size is apparently no obstacle to attackers attempting to get what they want. For a subset of these attacks, the level of sophistication is on the up too. The wider IT community is only just beginning to get a handle on how rich the market is for zero-day exploits[3].

To quote from Symantec’s 2012 report on the continuing series of attacks that began with the Aurora malware in 2009, “the group [of attackers] seemingly has an unlimited supply of zero-day vulnerabilities”[4]. Zero-day exploits tend to be reserved for targeted attacks but even when this is assessed to be unlikely, there’s another important threat to consider. When a vendor announces a critical vulnerability and patch, a race begins between exploit writers and system administrators. The “time to exploit” (that is, the time it takes from vulnerability disclosure to an exploit being developed and used in the wild) is generally a lot faster than many organisations’ patching cycles.

A 2012 survey of IT professionals showed that 47% were deploying a patch over a week after it had been vetted[5]. This year, however, an Internet Explorer vulnerability[6] patched on 12th March[7] was seen to be exploited in the wild on 16th March[8] – and, of course, that’s not to say it wasn’t active earlier[9]. Taking a longer view, a 2012 report showed that from a set of exploitable vulnerabilities disclosed between 2008 and 2011, 42% were being used in attacks within 30 days of public disclosure[10]. (Interestingly, the same report found 11 previously unknown zero-day attacks[11], concluding that “there are many more zero-day attacks than previously thought”.) Never before has it been more important to think the unthinkable: what if an attack succeeds?

Answering this question is what makes the new cyber security standard PAS 555:2013[12] so different. This is because PAS 555 (in whose development PA Consulting Group was instrumental) does not dictate how an organisation should run its IT security; it focuses on outcomes and lets organisations make their own decisions on how best to proceed. For example, continuing on the theme of this article, an organisation should identify attack scenarios and perform a risk assessment around each one. To quantify risk, the assessment will naturally consider the defences in place that could thwart the attack at any stage, producing a view akin to a security contour map. An organisation could opt to test the effectiveness of these defences by, for example, a “second-level” penetration test – that is, a test that starts from the assumption that a first-level defence has been bypassed.

This type of penetration test is not widely considered. First, let’s be honest, the reality is that such testing is often not required to tick the boxes necessary to achieve the minimum level of legal and regulatory compliance. Second, penetration tests are traditionally categorised by the amount of knowledge the tester has of the target system – for example, “white box” (full knowledge) versus “black box” (no knowledge)[13]. Maybe that’s because the level of initial access is often zero, the most notable exception to which is the “internal” penetration test, when it is implicit that the tester has physical (or virtual) access to the system (and possibly credentials to go with it).

There’s no reason, however, why an external test could not start from some agreed and configured position of access. A common occurrence of this is a test of an administrative portal that is normally restricted by IP address but with more imagination such a test could offer so much more.

Consider, for example, the scenario of a compromised web server. Attackers often leave “web shells” behind in such cases – a page they add to a website that allows them to run commands on the server from across the internet. A second-level penetration test could start with a web shell in place for the tester to see what access could be achieved should such an attack ever succeed. This would obviously require careful configuration so that the web shell would only be accessible to the tester but this can be achieved with simple technical measures. Such a test would assess the effectiveness of the organisation’s layered defences and the report would include recommendations for improvements where necessary.

Following (or in parallel to) this, the organisation could consider a breach of further defences in the same scenario or move on to consider a different scenario altogether – all dictated by the priority it assigns to them.

Of course, what this all adds up to is a concept that is already very familiar to IT security practitioners: defence in depth. All organisations employ this to some degree but what is often lacking is a systematic test of its effectiveness. Within the IT security community, attitudes have shifted: while a security breach no longer automatically stigmatises an organisation, questions such as “what was the attack path?”, “what could have been done to reduce the impact?” and “how responsible and effective was the incident handling?” all influence the final verdict (and the wider press may not be so forgiving).

Any organisation with a mature security regime should be considering the big “what if?” question and 7Safe, and PA Consulting Group as a whole, is perfectly positioned to help answer this question by assessing, testing and strengthening your organisation’s defences to prepare for such an eventuality. As the old saying goes, hope for the best but plan for the worst.

References:

[1] http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

[2] https://blog.twitter.com/2013/keeping-our-users-secure

[3] A “zero-day exploit” is an exploit that is being actively used in the wild against a vulnerability that is not in the public domain. Some definitions extend this time window to the point at which a patch is released.

[4] http://www.symantec.com/connect/blogs/elderwood-project

[5] http://www.solarwinds.com/Company/Newsroom/Press_Releases/Years/2010/292057777424.aspx

[6] CVE-2013-1288: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1288

[7] http://technet.microsoft.com/en-us/security/bulletin/ms13-021

[8] http://www.symantec.com/connect/blogs/2013-first-quarter-zero-day-vulnerabilities

[9] One possible contributing factor in this instance is that it was reported that an exploit was inadvertently created as part of an exploit for a different vulnerability (https://community.qualys.com/blogs/laws-of-vulnerabilities/2013/03/12/march-2013-patch-tuesday). Nonetheless, while it was in the public domain, at the time the patch was released Microsoft was not aware of any active exploitation [footnote 7].

[10] http://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf

[11] A previously unknown zero-day attack was identified by historical analysis showing that malware was exploiting a vulnerability before the public disclosure date, at which time the vendor was not aware of any active attacks.

[12] http://shop.bsigroup.com/en/ProductDetail/?pid=000000000030261972

[13] The widely recognised Open Source Security Testing Methodology Manual (OSSTMM) also considers the level of knowledge the target has about the test.

Author: Jerome Smith, 7Safe Penetration Tester and Ethical Hacking Training Instructor.

To find out more about how 7Safe can help protect your data against cyber threats through advanced penetration testing, contact us now.

