In this part of our interview with Tom Eston we’re discussing today’s down-to-earth and most relevant enterprise security issues from a pen testing perspective.
– You say that accounting systems are frequently overlooked by penetration testers. Why?
– Accounting systems are overlooked by penetration testers because the tester doesn’t know where they are located on a network, or they don’t understand where sensitive financial information is stored in a database. Penetration testers typically attempt to gain access to personal information (SSN, date of birth), credit card numbers and data proprietary to the company.
– Have you ever found any evidence of real accounting fraud during your pen tests?
– Not during penetration tests but we’ve worked with organizations that have been breached through financial fraud.
– From your pen testing experience, what type of organizations are less protected now, big ones or small? In what industries? Can you draw a hypothetical portrait of a less protected organization?
– All organizations, big and small and across all industries, have security problems and breaches. From my experience, if a company becomes a target they will eventually get hacked. Attackers have the luxury of unlimited time and in some cases unlimited resources. An example of an organization that would be less protected would be a company that chooses to ignore the fact that they could be a target. Defense in depth, basic security controls, and how a company responds to an incident are more important than ever.
– From your experience as a government contractor – how often do security problems with accounting systems occur among government organizations?
– When it comes to security within the Federal Government it is a general rule of thumb to assume they are 3-5 years behind the commercial sector. So if this is a problem in the commercial sector, it is a problem within the Federal Government. There are a variety of reasons the government is behind the commercial sector: the sheer monetary/investment standpoint, bureaucracy and change management, as well as slow adoption. The other issue is: what are the ramifications for the Federal Government if they suffer a breach? Typically no one gets fired, there are no fines… there is really no incentive for increasing security. In fact, in most cases if a Federal Entity has been breached, they typically get an influx of budget/money.
– As we know, most often people are the weakest part. Doing pen testing, how rarely or often do you see that people do not click on stuff, use good passwords and encryption, and keep their social life private and their mouth shut? Have you come across organizations where all employees were perfectly trained not to fall for pen testers’ tricks?
– No, I haven’t encountered an organization where users were perfectly trained from a security awareness perspective. I have however seen improvements with a solid security awareness program in place. Typically, good penetration testers have the same “tricks” that the real attackers do. To develop these tricks it requires creativity and the ability to think like a real hacker.
– Aside from the human factor, from your experience, could you list the top 3 high-risk technologies companies overlook or implement incorrectly?
– My top three include mobile devices and applications, web applications (including the associated network infrastructure), and social media risks.
– It seems like pen testing is a quickly growing niche. Many former white, black and grey hats are launching their own companies and starting to provide pen test services; what do you think of this tendency? From your experience, how often is PTES compliance met?
– There is a lot of demand for pentesting services, hence the reason some pentesters decide to start their own businesses. I don’t have statistics on how many pentest firms follow a methodology like PTES, however, SecureState follows PTES as well as other industry accepted methodologies depending on the assessment being conducted.
– If a company has a small budget and is mostly under the security poverty line, in your opinion, what is the single most important step they should take not to get breached?
– There isn’t one thing that a company can do to be secure. It requires a lot of little things to meet a certain comfort level of security posture. Even if you do everything right you can still get hacked. I would have to say basic security awareness with a focus on passwords and phishing, changing defaults, limiting exposed services and/or baselining all systems is a good start. Unfortunately, nothing is 100% secure.
– Have you tried Social-Engineer Toolkit? What can you say about it or any other such kits?
– Yes, we’ve used it. Open source tools like SET are very valuable from a penetration testing perspective.
– We found that SecureState does some subcontracting for the government. Is it hard to get such contracts, and what interesting work do you do for NASA, the Department of the Army or other government entities?
– It is not easy to get subcontracting work for the government. This is due to the procurement process within the government; the sales cycles are extremely long and strenuous. The type of work that SecureState performs for federal entities is very similar to the work we perform for commercial organizations. Our work is specifically focused on helping organizations move from their Current State to their Desired State of security through the implementation of tactical and strategic processes that increase their security while decreasing the amount of risk they accept. This is done through a variety of services, from penetration testing and vulnerability management to compliance program development and incident response.
Read previous: A Security Aficionado – Interview with Tom Eston