Athanasios Nikologiannis, Labs Director at Obrela Security Industries, provides security advice from a pen tester's perspective, based on the most common security mistakes pen testers encounter in their jobs.
When people think about a career as a hacker, they will often associate it with something illegal, but today there are hackers on both sides of the fence: those on the criminal side, who are constantly developing new ways to breach the digital worlds of consumers and businesses, and those who hack into businesses for good, to ascertain a business’s risk profile and spot weaknesses so they can be resolved and mitigated before the bad guys have a chance to exploit them.
The ethical hacking industry can be broken into three key categories: pen testers, who are hired by organisations to carry out point-in-time security tests; bug bounty hunters, who are registered on specific online platforms and perform focused security testing (usually on web/mobile applications) on a bounty-per-vulnerability basis; and red teams, who work in groups and are hired to act as the enemy or competitor of an organisation, test its security parameters and provide feedback for improvements, with a specific focus on the organisation’s detection and response capabilities.
Each of these ethical hacking groups plays a vital role in keeping internet users and organisations across the world secure, and because of the seemingly adversarial role they play, they can offer unique insight into the mindset of criminal hackers.
Ethical hackers can help organisations understand how attackers get in and what techniques they use to get past defences and, most importantly, they can apply their knowledge of the common security pitfalls that appear within organisations to prevent cybercriminals from taking advantage of them to break into systems.
So, what are the most common security mistakes pen testers continue to witness and how can they be addressed?
Cybercriminals understand no piece of software is perfect and that each tool businesses use online will possess vulnerabilities which can be exploited. They are therefore constantly on the lookout for unpatched vulnerabilities that can provide them with a foothold within an organisation.
It is critical that organisations apply patches for vulnerabilities as soon as they are released, because any gap in applying them is an opportunity for a cybercriminal.
However, pen testers rarely find organisations that are fully up to date with all the latest patch cycles, and well-executed social engineering techniques tend to create nasty pitfalls for employees without proper security awareness training.
A golden piece of advice from all ethical hackers is to keep up to date with the latest patch cycles, as vulnerabilities provide cybercriminals with an easy loophole to get into systems.
Red teams will often carry out social engineering techniques on organisations, and one of the most frequent scenarios that catches organisations out is when red team members turn up at a physical office pretending to need access for a maintenance issue.
The red teams are often given access to offices without any security clearance or checks, and once they are inside they can essentially do as they please. This is a technique some of the bolder cybercriminals will use, and it is one that is often overlooked by organisations, but its impact could be devastating. Having physical access to an office and its IT could allow attackers to install keyloggers or spyware on machines to eavesdrop on all future activity, creating significant security risks.
Verifying who a person is before giving them physical or virtual access to an organisation is vital and this needs to be reinforced to all employees, regardless of their authorisation level.
Not surprisingly, poor password hygiene has created multitudes of headaches for IT help desks and pen testers alike. Whether it be reusing passwords across multiple systems and applications, using easy-to-guess passwords, or having passwords written on post-it notes stuck to machines, each instance could be the difference between security and a high-profile data breach. Pen testers face these security faux pas daily.
Cybercriminals know humans are lazy when it comes to passwords, and a brute-force attack or some low-level social engineering is enough to give them the keys to the kingdom. Pen testers therefore always recommend that their clients utilise the security benefits of multi-factor authentication and password management software (password vaults) to improve the security of passwords. The standard rules also apply – avoid easy-to-guess passwords, never write them down and never use the same password across multiple systems and applications.
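The password advice above (no easy-to-guess passwords, no reuse across systems, use a vault) is the kind of rule a password manager can check automatically. The following is an added example, not code from the article or from Obrela, showing a defender-side audit over a user's stored credentials: it flags passwords that appear in a common-password list, passwords below a minimum length, exact reuse across systems, and goes slightly beyond the text by also catching "rotation" variants that differ only in a trailing year or symbol. The account inventory, the common-password list and the 12-character minimum are constructed assumptions for the demo; a real audit would use a breached-password dataset and the organisation's own policy.

```python
import re
from collections import defaultdict

# Constructed sample: one user's accounts as a password vault audit would see them.
# These are not real credentials.
SAMPLE_ACCOUNTS = {
    "vpn": "Summer2023!",
    "email": "Summer2024!",
    "crm": "P@ssw0rd",
    "wiki": "correct horse battery staple",
    "hr-portal": "P@ssw0rd",
}

# Tiny constructed stand-in for a breached/common-password wordlist.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "welcome1", "letmein"}

# Assumed policy minimum for the demo.
MIN_LENGTH = 12


def base_form(password):
    """Strip trailing digits and symbols and lower-case the rest, so that
    'Summer2023!' and 'Summer2024!' map to the same base ('summer')."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def audit_passwords(accounts, common=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return {system: [findings]} for every account with a weak or reused password.

    Findings are short tags: 'common-password', 'too-short',
    'reused:<other systems>' for exact reuse, and 'variant-of:<other systems>'
    for passwords that share a base once trailing digits/symbols are removed.
    Systems with no findings are omitted from the result.
    """
    findings = defaultdict(list)
    by_exact = defaultdict(list)   # password -> systems using it verbatim
    by_base = defaultdict(list)    # base_form(password) -> systems

    for system, pw in accounts.items():
        if pw.lower() in common:
            findings[system].append("common-password")
        if len(pw) < min_length:
            findings[system].append("too-short")
        by_exact[pw].append(system)
        by_base[base_form(pw)].append(system)

    # Exact reuse: the same string protects more than one system.
    for systems in by_exact.values():
        if len(systems) > 1:
            for s in systems:
                others = sorted(x for x in systems if x != s)
                findings[s].append("reused:" + ",".join(others))

    # Near reuse: same base, different suffix (typical year/symbol rotation).
    for base, systems in by_base.items():
        if not base or len(systems) < 2:
            continue
        for s in systems:
            others = sorted(x for x in systems if x != s and accounts[x] != accounts[s])
            if others:
                findings[s].append("variant-of:" + ",".join(others))

    return dict(findings)


if __name__ == "__main__":
    for system, tags in audit_passwords(SAMPLE_ACCOUNTS).items():
        print(f"{system}: {', '.join(tags)}")
```

Run as-is, the audit reports nothing for the long passphrase on the wiki account, flags the shared helpdesk-style password on the CRM and HR portal as both common and reused, and pairs the VPN and email accounts as year-rotated variants of one another; the reuse and variant checks are what a vault or an identity team can act on by forcing unique credentials, while MFA (which the article also recommends) limits the damage when a password is nonetheless guessed.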
Pen testers and ethical hackers are today’s defenders of the web, and they can provide unique insight into malicious hacker techniques, while offering important advice to improve defences. Organisations should take their advice on patching, social engineering and password management and apply it in the real world across their systems, otherwise it will not be long before they find their confidential data in the hands of the malicious hackers operating on the other side of the fence.
Athanasios Nikologiannis, Labs Director at Obrela Security Industries