Case Study: Penetration Testing
Confidential Client — Large Technology Manufacturer
A major technology equipment manufacturer knew that they were vulnerable to some degree to attacks and intrusions via their externally facing perimeter as well as from possible exposures in their wireless environment. Despite this knowledge, the company had no way to assess and size the potential risk in order to properly address it. Moreover, the business impact of the vulnerabilities was not well enough defined to substantiate and justify a remediation initiative. Therefore it became imperative to assess vulnerabilities and develop a business rationale for taking action.
Based on its bench of highly recognized penetration testing experts, and years of experience conducting pen-tests and security assessments across a multitude of client environments, IANS was selected to address the challenge. IANS chose to follow the Penetration Testing Execution Standard (PTES) methodology for this assessment and began by attempting to gain access through multiple avenues, increasing the sophistication of the attacks over time. Once the testing was completed, IANS delivered a detailed report that gave the organization risk ratings, strategic and technical findings, and remediation instructions.
Strategic & Technical Findings
IANS identified systemic exposures during the penetration test that pointed to flaws in the organization's security program, and laid out recommendations to resolve these strategic findings so that the technical flaws would not recur. As a result, the manufacturer now has a comprehensive strategy for understanding its vulnerabilities and a clear path to justify remediation. These findings included improvements to the company's Incident Response Program, full deployment of a Vulnerability Management Program, and further development of Hardening Guidelines. The findings also revealed the most commonly attacked ports, ranked by frequency (refer to Figure 1 for a chart drawn from past IANS engagements).
Figure 1: Most Frequently Attacked Ports
IANS included detailed technical recommendations as well. Following the longer-term strategic recommendations will help ensure that the objectives of the security program are met in the future. The technical findings represent a point in time and can change as the environment changes or as new techniques emerge from the attacker community. The following is a sampling of the types of findings included in the report:
Monitoring and Detection Enhancements:
A review of the company's incident response program helped to determine areas for improvement. For example, the ability to identify what level of access an attacker already present in the environment had established was lacking. The recommendation included triaging results and alerts through a Security Information and Event Management (SIEM) tool in order to build use cases for proactively defending against future attacks. IANS created a diagram of a standard SIEM flow, highlighting the high-risk areas the organization should prioritize.
Vulnerability Management Program:
The testing revealed the need to deploy a comprehensive vulnerability management program that covers the network, operating system, and web application layers. The program should focus primarily on reducing vulnerabilities while ensuring that every system is brought into the standard security process.
Hardening Guidelines:
IANS recommended that the manufacturer develop security-hardening guidelines to ensure that a baseline set of controls is in place before any system is placed into any part of the infrastructure. This includes regular patch management, disabling or changing default usernames and passwords, and disabling unnecessary services and ports.
SQL Injection:
SQL injection vulnerabilities were found, most likely caused by user input being concatenated into SQL statements without validation and without the use of parameterized queries. To remediate SQL injection, confirm that every SQL statement that incorporates user-supplied values uses parameterized queries (prepared statements), so that input is bound as data and can never alter the structure of the statement.
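To make the remediation concrete, the following is an added example (not code from the engagement or from IANS) that shows the two query styles side by side against a constructed in-memory SQLite table. The table, rows and payload are all invented for the demonstration; only the technique, binding the value as a parameter, is the point.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the engagement).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: user input is spliced into the SQL text, so a quote in the
    input closes the string literal and the rest of the input becomes SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the statement text is fixed and the value travels as a bound
    parameter, so the database only ever compares it as data."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run the same injection payload through both lookups and return the rows each one yields."""
    conn = make_db()
    payload = "x' OR '1'='1"  # classic tautology: turns the WHERE clause into "always true"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),  # every row in the table
        "safe": lookup_safe(conn, payload),              # no user literally named "x' OR '1'='1"
        "safe_legit": lookup_safe(conn, "alice"),        # normal lookups still work
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns all three rows for the payload because the executed statement becomes `... WHERE name = 'x' OR '1'='1'`; the parameterized lookup returns nothing, since the whole payload is compared as a single string value.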
Cross-Site Scripting (XSS):
IANS found that certain URLs and parameters did not properly sanitize input before reflecting it back to the client's browser, resulting in a non-persistent (reflected) XSS condition. In its current state this was not fully exploitable because there was no parent window to handle the response. However, all user input should be treated as untrusted and should be validated and encoded for the output context before being returned to the browser.
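As an added illustration (not the application tested or IANS's code), the following renders a search-results fragment with a reflected query string first unencoded and then HTML-encoded. The template and the payload are constructed for the example; the point is that the same value lands in both an element body and an attribute value, and encoding with quotes included neutralizes it in both places.

```python
import html

# Constructed page fragment: the query is reflected into a text node and into
# an attribute value, two of the contexts a reflected parameter typically lands in.
TEMPLATE = '<p>Results for: {q}</p>\n<input type="text" name="q" value="{q}">'

# Constructed attack payload: closes the attribute, then injects a script element.
PAYLOAD = '"><script>alert(1)</script>'


def render_vulnerable(query):
    """Vulnerable: the reflected parameter is inserted into the HTML unchanged,
    so a quote in the input terminates the attribute and the rest becomes markup."""
    return TEMPLATE.format(q=query)


def render_safe(query):
    """Hardened: encode for the HTML context before reflecting. quote=True also
    encodes the double and single quote, which is what keeps the value inside
    the attribute. (Other contexts, e.g. inside a <script> block or a URL, need
    their own encoding; html.escape alone is not enough there.)"""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def injects_script(page):
    """True if the rendered page contains a live script element."""
    return "<script>" in page


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
```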
Phishing Through URL Redirection:
IANS found an unvalidated redirect parameter on certain websites that allows an attacker to send any user to a malicious website (an open redirect), which lends itself to phishing because the link begins with the company's trusted domain. The recommendation is that, where a redirect is necessary, the target be restricted to a whitelist of approved sites or to URLs of the same origin.
Default Apache Installation:
A default installation of Apache Axis2 was identified with no hardening applied, exposing default pages and files that allowed an attacker to learn additional information about the software and the underlying operating system. IANS recommended removing unnecessary files and hardening default installations before deployment.
HTTP Response Splitting:
IANS' testing revealed applications that did not properly sanitize user input before placing it in response headers, allowing an HTTP response splitting attack. For this specific issue, any URL that carries a redirection parameter must be validated and have carriage-return and line-feed characters rejected or escaped before the value is written back into the response.
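The redirect finding above and the response-splitting finding share a root cause: a user-supplied redirect target is written into the Location header as-is. The following added example (not code from the tested applications or from IANS) builds a minimal 302 response both ways, so that one validation routine addresses both issues. The allowlist of hosts is an assumption for the example, and the request values are constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the example: hosts the application may legitimately send users to.
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}
DEFAULT_TARGET = "/"


def build_redirect_vulnerable(target):
    """Vulnerable: the 'next' value is written straight into the Location header.
    Any host is accepted (open redirect), and a CR/LF pair inside the value ends
    the header and lets the attacker append headers of their own (response splitting)."""
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n"


def safe_redirect_target(target):
    """Return a validated redirect target, or DEFAULT_TARGET if the value is unsafe.

    Accepted: a same-site relative path ("/path", but not "//host" or "/\\host",
    which browsers treat as protocol-relative), or an absolute https URL whose
    host is on the allowlist. Rejected outright: anything containing ASCII control
    characters, which covers the CR/LF needed for header injection.
    """
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return DEFAULT_TARGET
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        if target.startswith("/") and not target.startswith("//") and "\\" not in target:
            return target
        return DEFAULT_TARGET
    # urlsplit reads "user@host" correctly, so "https://www.example.com@evil.example/"
    # yields hostname "evil.example" and is refused by the allowlist check.
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return target
    return DEFAULT_TARGET


def build_redirect_safe(target):
    """Hardened: only a validated target ever reaches the header."""
    return "HTTP/1.1 302 Found\r\nLocation: " + safe_redirect_target(target) + "\r\n\r\n"


if __name__ == "__main__":
    # Constructed attacker-controlled values.
    split_payload = "https://evil.example/\r\nSet-Cookie: session=attacker"
    print(repr(build_redirect_vulnerable(split_payload)))
    print(repr(build_redirect_safe(split_payload)))
    print(repr(build_redirect_safe("/account?tab=1")))
```

Two details are easy to miss in practice: the control-character check runs on the raw string before parsing, because URL parsers strip some characters (tab, CR, LF) and would otherwise hide them; and the allowlist compares the parsed hostname, not a prefix of the string, which defeats `trusted-host@evil` and `trusted-host.evil` variants.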
Verbose Error Handling:
IANS found that affected hosts returned detailed internal information when handling errors, giving an attacker a better understanding of how the applications function. To remediate this, ensure that all errors within the application are handled gracefully, that detail is written only to server-side logs, and that the user receives only a generic error message.
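The following added example (not code from the engagement or from IANS) contrasts the two behaviours in a small request handler: the verbose version hands the exception and its traceback to the client, while the hardened version logs the full detail under a reference id and returns only a generic message carrying that id, so support staff can still correlate the report with the log entry. The record store is a constructed stand-in for a database lookup.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")

# Constructed stand-in for a backend data store.
RECORDS = {"1001": "widget", "1002": "gadget"}


def handle_vulnerable(record_id, store=RECORDS):
    """Verbose: the exception text and stack trace go back to the client, which
    reveals file paths, function names and internal identifiers."""
    try:
        return 200, store[record_id]
    except Exception as exc:
        return 500, "Internal error: " + repr(exc) + "\n" + traceback.format_exc()


def handle_safe(record_id, store=RECORDS):
    """Hardened: full detail is logged server-side under a reference id; the
    client sees a fixed message plus the id, and nothing about the cause."""
    try:
        return 200, store[record_id]
    except Exception:
        ref = uuid.uuid4().hex[:12]
        logger.exception("request failed ref=%s record_id=%r", ref, record_id)
        return 500, "An error occurred. Reference: " + ref


def leaks_internals(body):
    """Heuristic check used by the demo: does the response expose exception details?"""
    return "Traceback" in body or "Error" in body.split("Reference:")[0].replace("An error", "")


if __name__ == "__main__":
    print(handle_vulnerable("9999"))
    print(handle_safe("9999"))
```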
IANS measured the current risk on a scale from one (low risk) to four (critical risk). The risk rating is weighted by the complexity of the attacks, the time needed to gain successful access, and the overall controls framework within the organization. The basic formula IANS uses to calculate risk is "Exposure + Impact + Likelihood – Countermeasures = Risk". While the results for this specific client yielded a lower risk score, the importance of this practice is tightly linked to the impact on the business. In this case, the intrusion vulnerabilities revealed the potential for key intellectual property to be accessed and stolen. Security assessments are therefore particularly important in tightly contested markets, where any technological advantage equates to business advantage. Hard-fought patent and copyright battles may be won within standard business processes, but can just as easily be lost through corporate espionage and the realities of global competition.