It may come as a surprise to some, but larger organizations can be easier targets for cyber attacks than smaller businesses. Jack Viljoen explains why this is the case and looks at advanced cyber penetration testing and red teaming as tools that can be deployed to ensure that large organizations are better protected.
As any CISO knows, cyber risk is constantly evolving - and medium to large-sized businesses are prime targets for attackers. Several factors in the developing frontier of cyber risk continue to present new challenges to companies in 2023, and the methods used to test their resilience in the face of attacks must also keep pace.
Increased use of cloud technologies is one of these challenges. More and more organizations are migrating their infrastructure to the cloud, which poses new security issues for penetration testers, and shifts the scope of the potential opportunity for cyber criminals.
At the same time, mobile application security is now more of a boardroom topic than in the past. With the increasing use of app-based programmes for business teams out and about meeting and managing clients, mobile application security has become a major concern for organizations.
This goes hand in hand with the proliferation of IoT devices, which - while helping to create a far more accurate and timely picture of the world around us from a technology perspective - has also created new security challenges for organizations, with a myriad of new data streams connected to physical assets.
Social engineering attacks also continue to evolve as a staple of the cyber criminal toolkit in 2023, with increasingly sophisticated tactics raising the chances of success and placing a strong emphasis on an organization's security awareness training and policies.
Then there are zero-day vulnerabilities - those new threats and vulnerabilities that are not yet known to the public or the vendor, but that may present a systemic threat to a business if exploited.
This is by no means an exhaustive list of threats, but it helps to set the scene for the evolving challenges that businesses are facing. And with access to sizable amounts of financial and personal data, it is hardly surprising to learn that medium and large-sized companies are high-value targets for cyber criminals in all the above scenarios and more. But what may come as a surprise is that these organizations are often considered easier targets than smaller businesses.
The reasons behind this are simple: a dependence on complex technology infrastructures – whereby multiple systems, networks, and interconnected devices are used – increases the number of opportunities that cyber criminals can exploit. Third-party vendors and integrations with ecosystem partners via APIs further increase risk, while large employee numbers increase the risk of human error, such as staff inadvertently downloading malware, opening a phishing email, or sharing sensitive information with unauthorised individuals.
A company's size can also cause delays when detecting and responding to a cyber threat, meaning attackers often go undetected for long periods of time. Combined with insufficient security controls, unpatched software, and weak passwords, medium to large-sized companies are sometimes seen as sitting ducks.
Testing your defences
The first step to cyber protection is to test security defences for any weaknesses that could be exploited by attackers. Penetration testing – a simulated real-world cyber attack on a company's technology infrastructure, such as a computer system, network, or web application – can be a very effective tool for identifying a weakness before it is exploited by external threats.
The most effective penetration testing is conducted using Open Web Application Security Project (OWASP) methodology, which is widely used to meet certain regulations and standards around cyber security, including PCI DSS and HIPAA.
OWASP penetration testing typically involves a planning phase whereby the scope of the test is defined, including the specific applications and systems that will be tested, as well as the testing methods and tools that will be used.
Reconnaissance then involves gathering information about the target system or application, including the technologies used, potential vulnerabilities, and possible attack vectors. Vulnerability scanning then uses automated tools to scan the target system or application for known vulnerabilities and weaknesses, and the penetration testing team attempts to exploit any vulnerabilities discovered in the previous steps, using a variety of techniques and tools.
The results of the test are then documented, including the vulnerabilities discovered, the methods used to exploit them, and recommendations for improving the application's security defences.
The goal of OWASP penetration testing is to identify and prioritise security vulnerabilities and provide actionable recommendations for mitigating those vulnerabilities. And the benefits of this kind of actionable knowledge go beyond simply bolstering a business’s cyber defences - presenting actioned risk mitigation steps following an external penetration test can also help a business to secure more cost-effective cyber insurance.
Without demonstrating that robust cyber security systems and processes are in place, the chances of securing a cyber insurance policy in 2023 are effectively non-existent. Considering the average global cost of a data breach in 2022 was US$4.35 million, this stance from insurers is hardly surprising.
As an extra layer of defence, insurers can take their requirement for demonstrations of effective risk mitigation one step further by offering red teaming services to their clients. In a similar vein to penetration testing, red teaming allows companies to identify and remediate cyber security vulnerabilities, while also benefiting the insurer by reducing the risk of insurance claims.
Intentionally more disruptive, in order to portray the reality of an attack in relation to business operations, red teaming is a security simulation exercise whereby a team of experts, known as the red team, attempts to penetrate an organization's defences and breach its physical security measures, such as access controls, cameras and alarms.
The red team's goal is to identify physical vulnerabilities and weaknesses in an organization's security infrastructure to demonstrate how these could be exploited by an attacker. The red team can also simulate realistic physical scenarios, such as a break-in.
Knowledge is power, as the saying goes, and services like red teaming are valuable to an insurance industry that is grappling with understanding and quantifying cyber risk: they provide insurers with data to help them price risk more accurately and apply up-to-date wordings to their policies, which in turn helps ensure more accurate and cost-effective insurance coverage.
Deploying such cyber testing mechanisms, however, is not a one-off activity. The evolving digital landscape means cyber risks are constantly changing, so anyone running a business must have their cyber security measures evaluated and reviewed regularly, and software patches must be kept up to date.
At the same time, red teams and penetration testers need to have a good understanding of the changing tactics of cyber criminals and deploy the most up-to-date tools and techniques to fully test varying technology security measures and an organization’s security culture, awareness, and training policies.
When conducting penetration testing, various techniques can be used to breach an organization’s security. One such technique is ‘pass-the-hash’, which involves stealing password hashes from a compromised system and then using those hashes to authenticate to other systems on the network. Advanced penetration testing tools like Mimikatz can be used to extract password hashes from a Windows system's memory, and those hashes can then be used to gain access to other systems.
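From the defender's side, the point of a pass-the-hash test is to confirm that the activity would be noticed. The following is an added example, not code from the article or from Prodinity, showing two widely published hunting heuristics applied to Windows Security event 4624 (successful logon) records: an NTLM network logon with no session security (KeyLength 0) where Kerberos would normally be used, and a NewCredentials logon (type 9) through the seclogo process, which is what injecting a stolen hash into a new logon session looks like. The event records, account names and host names are constructed for this example; the field names follow the 4624 schema, and the thresholds are heuristics that need tuning against a given estate.

```python
# Added example: heuristic pass-the-hash detection over Windows Security
# event 4624 records. The sample records are constructed, and the two
# matching rules are published hunting heuristics, not a definitive test.
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """Subset of the fields carried by a Security event 4624."""
    record_id: int
    logon_type: int        # 3 = network, 9 = NewCredentials
    logon_process: str     # Kerberos, NtLmSsp, seclogo, ...
    auth_package: str      # Kerberos, NTLM, Negotiate
    key_length: int        # session key length; 0 = no session security
    target_user: str
    workstation: str


# Constructed sample events mixing benign and suspicious logons.
SAMPLE_EVENTS = [
    LogonEvent(101, 3, "Kerberos", "Kerberos", 0, "alice", "WS01"),
    LogonEvent(102, 3, "NtLmSsp", "NTLM", 128, "bob", "LAPTOP07"),
    LogonEvent(103, 3, "NtLmSsp", "NTLM", 0, "alice", "WS09"),
    LogonEvent(104, 9, "seclogo", "Negotiate", 0, "alice", "WS09"),
    LogonEvent(105, 3, "NtLmSsp", "NTLM", 0, "WS02$", "WS02"),
    LogonEvent(106, 3, "NtLmSsp", "NTLM", 0, "ANONYMOUS LOGON", "WS11"),
]


def is_machine_account(user: str) -> bool:
    return user.endswith("$")


def classify(ev: LogonEvent):
    """Return a short tag when the event matches a pass-the-hash pattern,
    otherwise None."""
    # Pattern 1: a new logon session created with injected credentials.
    if (ev.logon_type == 9
            and ev.logon_process.lower() == "seclogo"
            and ev.auth_package.lower() == "negotiate"):
        return "seclogo-newcredentials"
    # Pattern 2: NTLM network logon with KeyLength 0 for a real user.
    # Machine accounts and ANONYMOUS LOGON produce this legitimately.
    if (ev.logon_type == 3
            and ev.logon_process.lower() == "ntlmssp"
            and ev.auth_package.upper() == "NTLM"
            and ev.key_length == 0
            and ev.target_user.upper() != "ANONYMOUS LOGON"
            and not is_machine_account(ev.target_user)):
        return "ntlm-network-keylength-0"
    return None


def find_pass_the_hash(events):
    """List of (record_id, tag) for every event that matches a pattern."""
    return [(ev.record_id, tag) for ev in events if (tag := classify(ev))]


def correlate_by_host(events):
    """(user, workstation) pairs that triggered more than one distinct
    pattern; two independent indicators from one host is a far stronger
    signal than either alone and is what an analyst should look at first."""
    seen = {}
    for ev in events:
        tag = classify(ev)
        if tag:
            seen.setdefault((ev.target_user, ev.workstation), set()).add(tag)
    return {key for key, tags in seen.items() if len(tags) > 1}


if __name__ == "__main__":
    for record_id, tag in find_pass_the_hash(SAMPLE_EVENTS):
        print(f"event {record_id}: {tag}")
    print("high confidence:", correlate_by_host(SAMPLE_EVENTS))
```

Legitimate NTLM from non-domain-joined devices, printers and older appliances will also match the second pattern, so it is a triage queue rather than an alarm on its own; the correlation step and the source workstation are what turn it into something actionable, and enforcing Kerberos and disabling NTLM where possible shrinks the haystack in the first place.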
Another technique is called ‘ARP spoofing’, which involves manipulating the Address Resolution Protocol (ARP) to intercept network traffic between two systems. This technique can be used to capture sensitive information, such as login credentials, as they are transmitted across the network. Tools like Ettercap can be used to perform ARP spoofing attacks and capture network traffic.
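Because ARP has no authentication, the detection side relies on the symptoms the manipulation leaves behind: the MAC address answering for an IP changes, and one MAC starts answering for several IPs, most importantly the default gateway's. The block below is an added example, not code from the article or from any tool it names, that replays a constructed sequence of ARP replies through a small monitor and raises alerts on those symptoms; the addresses and the assumed static gateway entry are made up for the example.

```python
# Added example: detecting ARP spoofing from observed ARP replies by
# watching for IP-to-MAC changes and one MAC answering for many IPs.
# The replies below are constructed sample data, not a real capture.
from collections import defaultdict

# (seconds since start, sender IP, sender MAC) as seen in ARP replies
ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway answers for itself
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),   # workstation .20
    (2, "192.168.1.30", "aa:bb:cc:00:00:30"),   # workstation .30
    (5, "192.168.1.1", "AA:BB:CC:00:00:30"),    # .30's MAC now claims the gateway IP
    (6, "192.168.1.20", "aa:bb:cc:00:00:30"),   # and .20's IP as well
    (7, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway replies again: flapping
]

# Assumed static entry for the gateway, as an administrator would pin it.
KNOWN_GATEWAY = ("192.168.1.1", "aa:bb:cc:00:00:01")


def detect_arp_spoofing(replies, known_gateway=None):
    """Return a list of (time, kind, ip, expected_mac, seen_mac) alerts.

    kinds: ip-mac-change          the MAC answering for an IP changed
           gateway-mac-mismatch   the gateway IP was claimed by another MAC
           mac-claims-multiple-ips one MAC now answers for more than one IP
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()  # normalise case before comparing
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append((t, "ip-mac-change", ip, previous, mac))
        if known_gateway and ip == known_gateway[0] and mac != known_gateway[1].lower():
            alerts.append((t, "gateway-mac-mismatch", ip, known_gateway[1].lower(), mac))
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Fire once each time a MAC adds a *further* IP to its claims.
        if before >= 1 and len(mac_to_ips[mac]) > before:
            alerts.append((t, "mac-claims-multiple-ips", ip, None, mac))
    return alerts


def suspect_macs(alerts):
    """MACs that impersonated the gateway or claimed several IPs: the
    candidates to locate on the switch and isolate."""
    return {seen for _, kind, _, _, seen in alerts
            if kind in ("gateway-mac-mismatch", "mac-claims-multiple-ips")}


if __name__ == "__main__":
    found = detect_arp_spoofing(ARP_REPLIES, KNOWN_GATEWAY)
    for alert in found:
        print(alert)
    print("suspect MACs:", suspect_macs(found))
```

An IP-to-MAC change on its own has benign causes (DHCP handing an address to a new device, a replaced NIC, a router pair failing over), which is why the gateway mismatch and the multiple-IP claims carry more weight and why pinning the gateway's MAC or enabling dynamic ARP inspection on the switches blocks the problem rather than just observing it.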
A real-world scenario where these tools and techniques might be used is in testing the security of a financial institution's online banking system. Attackers may attempt to steal password hashes or intercept login credentials to gain access to customer accounts and steal sensitive information.
Advanced penetration testing tools and techniques can be used to simulate these attacks and identify vulnerabilities in the system's security defences. By uncovering these vulnerabilities, the financial institution can take steps to improve the security of its online banking system and protect its customers' assets and sensitive data.
In the cat-and-mouse world of cyber security, it is almost impossible to stay one step ahead of the cyber criminals. But minimising the likelihood and impact of a cyber attack or data leak by finding, flagging, and fixing any vulnerabilities before they are exploited externally makes any business much less of a viable target.
Demonstrating the actioned results of penetration testing and red teaming to an insurer also makes a business much more likely to secure effective cyber insurance that will ultimately provide the financial backstop they require if the worst should happen.
Jack Viljoen is Head of Cyber at Prodinity Cyber Solutions, a trusted cyber security penetration testing partner with advanced capabilities that go above and beyond industry standards.