Effectiveness of cybersecurity penetration testing depends on what you penetrate

"We get to do all kinds of really interesting, often nefarious things. Our job is to think like the bad guys do, and to try and break in," said Rob Olson.

A big part of cybersecurity planning involves penetration testing. That in turn requires management of the thousands, sometimes hundreds of thousands, of endpoint devices on your network. Each one can be a source of unwanted network penetration. The Federal Drive with Tom Temin discussed this in detail with the lead penetration tester for the Department of Computing Security at the Rochester Institute of Technology, Rob Olson.

Interview transcript:

Tom Temin In addition to teaching students about penetration testing, what does a penetration testing person do all day?

Rob Olson Yeah, so we get to do all kinds of really interesting, often nefarious things. Our job is to think like the bad guys do, and to try and break in. And then, obviously, we get hired by a company to come and break in, and then we give them a nice report that tells them how we broke in, assuming we did, and how they could stop us from doing the same thing again.

Tom Temin And I think there’s an implicit assumption on too many people’s parts that because phishing has become the major cybersecurity vector, and that’s something you voluntarily click on, old-fashioned hacking and break-ins have somehow diminished, but they probably have not, have they?

Rob Olson Honestly, it has, actually, a little bit. So I do agree that over the last, let’s say, five years or so, phishing has been the dominant vector. And as we’ve seen security controls like two-factor authentication being deployed, that has really actually done a pretty good job at cutting down on the number of hacks that have happened. Hacks are still going to happen through other kinds of means; that’s probably never going to go away. But what we generally see is that threat actors operate under the same sort of challenges that everybody else does. For many of them, this is just a job and they’re trying to do their job as quickly and as easily as possible. And a lot of times that’s phishing. But if that vector doesn’t work, they’ll try something else.

Tom Temin And do you consider something successfully happening through phishing as also a penetration, and therefore comes under the general umbrella of penetration testing?

Rob Olson Yeah, absolutely, 100%.

Tom Temin All right, then let’s talk about endpoints, because everything ultimately starts with an endpoint. And what’s the leading, I guess, technique for penetration testing and for penetration prevention these days?

Rob Olson Yeah. As far as stopping me, really, there’s a set of well-known best practices at this point. Cybersecurity is not the Wild West anymore. That’s something of a controversial opinion to take, which I can probably do because I teach at a university rather than being in industry. I can take some of these perhaps less popular opinions since I don’t have to worry about selling my products. But we know how to do security pretty well in a lot of scenarios. And that’s not to say that everyone’s going to be the same, but we know what, generally speaking, best practices are. We know what kinds of things work pretty well to harden endpoints. The National Institute of Standards and Technology (NIST), they have well-documented best practices that, if you follow them, you’re going to be in pretty good shape. This isn’t 2015 anymore. Antivirus software is pretty good, and I say that as someone who writes malware: I volunteer to do red team work for student competitions where we’re trying to emulate nation-state threat actors, so I kind of write some of our bespoke malware for those events. The first thing we do is make sure that we nuke any antivirus software on those systems. Endpoint security is pretty good these days, and as long as you’re following those best practices, you’re going to be in pretty good shape.

Tom Temin And the best practices for endpoint security itself, then, how would you characterize those?

Rob Olson Yeah, there is a robust list, probably more than we can get into in the time frame of the show. But, making sure that you have software installed on all your endpoints, making sure that it is being logged and that those logs are actually being reviewed by security operations center staff. Those are really the things that are going to make sure that things get stopped. And oftentimes, even if something gets through, because no security is ever going to be 100% perfect in the future of computers, we’re never going to get to 100% perfect defense. But 99%, 98%, yeah, that’s probably going to be something that’s eventually achievable through what we call defensive depth, where even if we get past the two-factor authentication, the antivirus will stop us there. Even if we get through the antivirus, there will be something else that stops you. The security analysts will see something weird happening and they’ll raise the red flag that the system needs to get quarantined. So what really matters is having layered defenses and having good processes around the management of those defenses.

Tom Temin We’re speaking with Rob Olson. He’s the lead penetration tester and lecturer for the Department of Computing Security at the Rochester Institute of Technology. And having all of that in place, do you also need to limit what people have for applications on endpoints? Endpoints used to be considered pretty much synonymous with mobile phones and smartphones. But really, endpoints you could define as anything on a network that’s connected.

Rob Olson Yeah, so we do need to limit access to those devices often. In fact, one of the reasons why you don’t see as much stuff happening on mobile phones these days is because they are pretty locked down out of the box. But we do have to make sure that we’re hardening those endpoints. And that does sometimes mean that users might have to go through their tech support mechanisms in order to get the access that they need to do the task. So there are good reasons why you can’t install software on your machines yourself and have to ask someone else to do it. There are really good reasons why you should not, let’s say, root or jailbreak your mobile phone. This gets really interesting when we start talking about Internet of Things devices, because there’s a little bit more variance there in what information can be collected off of those, how you can access them and how you can control them. Usually the recommendation is to try and limit those kinds of devices, like perhaps a smart TV, which is, I imagine, the kind of thing you would see most often deployed in an office environment, and have those kinds of devices on their own little portion of the network that is really tightly controlled and really tightly monitored. But even then, there are some really interesting problems associated with privacy around those kinds of devices. So we’ve seen smart TVs, for example, that will essentially take screenshots of whatever it is you’re viewing and then send them home for data analysis. That’s just a part of the way that a smart television works. So thinking about those challenges moving forward, that’s probably going to be a little bit of a harder problem. But anyway, we’re in pretty good shape.

Tom Temin And most of the world operates in some fashion wirelessly now, especially with mobile endpoint devices. But by the same token, everything eventually has to go onto copper or fiber to be processed and analyzed and whatever the end product desired would be. And there are techniques for monitoring what’s going on, eavesdropping on metal wire, but also on optical cable too. And you can see the behavior of photons to know whether someone is eavesdropping. Is that part of your work, and is that part of something organizations, agencies, companies need to worry about?

Rob Olson So really, when we talk about how an organization should design their security controls, we talk about making sure that those organizations are developing a threat model that is appropriate for them. It’s not feasible for everyone to worry about every single possible threat. So, like, I for example, I’m not real worried about a foreign government trying to target me. I’m just not that interesting. Maybe I shouldn’t say that on the radio, but I’m just not that interesting. No one’s going to come after me. Federal employees might be a different scenario. So when we think about the kinds of attacks that are associated with this, something like hard tapping an optical cable is possible; it’s probably a little bit outside of the kind of work that I regularly do, but that’s probably going to be a major investment for some threat actor. And if it’s your corner coffee shop, should they be worried about something like that? No, probably not. Now, there are some places where we have seen interesting threat vectors that don’t necessarily apply anymore. So one of these is there’s always this sort of conventional wisdom that if you’re on public wifi, you should always be using a VPN. And that’s something that ten years ago, 15 years ago, yeah, absolutely, 100%. And the reason for that is a lot of traffic on the web was not encrypted at that time, but it is encrypted now. So most of the time that VPN, it’s not a bad thing to have. But if you’re paying for it out of pocket or something and you’re looking to cut some costs, I don’t know if it’s really as necessary these days.

Tom Temin And earlier you mentioned that you do some work for companies and present them with reports. What is it that you present to them that usually makes their eyebrows go up to the top of their heads?

Rob Olson Usually what we’re able to do is find their dirty little secret that’s hiding somewhere on their network. There’s this sort of one problem, and once we’re able to find that, we can sort of move throughout their entire network. There’s usually that one little entry point that gets us the thing that we need, and we’re able, from there, to leverage that into some sort of larger access. That’s one thing: just finding that tiny little thing that’s going to let us in to get the keys to their kingdom. The other thing that often surprises companies is that we come in and we look. We’re essentially a fresh set of eyes. A lot of the value that we provide through penetration testing is in looking at the network as someone who doesn’t use it every day. So we look at this environment, we say, I see why you’re doing this, but have you ever thought that it might be a problem that you’re doing something this way for reasons X, Y and Z? We’re essentially a fresh set of eyes. And just to give an example, imagine that you’re, let’s say, in a hospital. A problem that hospitals reasonably have to worry about these days is mass shooter situations. So many have panic buttons. And a lot of those sort of panic button systems have computer technology and network technology underlying them. So many of those have access panels, let’s say web-based access panels, that people can get to. And it’s important that people can get to them in a very timely fashion in the event of an emergency. But at the same time, if you add a login portal to that, it’s going to slow people down in the event of an emergency. But if you don’t have a login portal, anyone on the network can call the cops. There are these really interesting problems where folks think about the problem in one way, and they haven’t considered it from a fresh perspective.

Tom Temin Yeah. It’s almost like having a pull lever on the wall, and people are socially engineered into understanding, don’t pull that thing. But the people that would pull a cybersecurity stunt don’t have those constraints.

Rob Olson Exactly.

Tom Temin Well, then you can never let your guard down, basically, no matter how good cybersecurity gets.

Rob Olson Yeah, that said, I’m going to go back to what I previously said, and say yes, but consider your threat model. Most of us aren’t that interesting; perhaps for your particular viewing audience, we might have people who are a little bit more interesting than the average person, but the cost that goes into cyber attacks is not trivial. We’re kind of getting past the days where attackers are able to really attack things on a massive scale. It’s not the case where it’s really easy to, let’s say, scan the Internet for a particular vulnerability and exploit that one vulnerability in the way that it was, let’s say, five or 10 years ago.

Copyright © 2024 Federal News Network. All rights reserved.
