An effective internal Penetration Test - There is a difference between a vulnerability scan and a penetration test, where security is an on-going process.
"My servers are all fully patched, and we've fixed the weak administrator password that the last guys found. So I don't really expect you to find anything!"
The previous statement, paraphrased slightly, was delivered to me by the onsite IT manager during an internal penetration test a while back. Apparently, this was their third penetration test, the first one had picked up a number of default device passwords and identified multiple missing patches, (something an automated vulnerability scan alone could do), and the second had apparently consisted of a couple of guys plugging in their laptops, going for coffee, and then handing over the built-in "Administrator" account password.
I have already made my views on the difference between a penetration test and a vulnerability scan perfectly clear, and firing up your favourite traffic sniffer or MitM package while you go and make some coffee is a perfectly valid attack strategy, so I will gloss over these.
My real concern though was the several things wrong the statement above. First of all, the IT manager seemed to be of the opinion that a penetration test consisted of running some tools and brute-forcing or intercepting the built-in "Administrator" password, and secondly, the IT manager did not seem to appreciate that security is an on-going process which touches all aspects of an organisation. Patching your servers and setting a complex "Administrator" password are good starting points, but they should never be the final goal.
Just for those of you who are curious, my colleague and I obtained "domain admin" level access in approximately two minutes, and during the 4 days we were on-site we identified at least six different ways of obtaining this access with no prior knowledge or access-rights in a similar period of time, ten ways with some internal knowledge, and around fifty ways of accessing highly classified data which was entirely inappropriate to the user level provided (equivalent to an office temp). All of these attack mechanisms featured one or more of the following:
- Weak passwords – for individual accounts, service accounts, and devices
- Insufficient access control – do HR really need access to the system backups?!
- Sensitive information leakage – passwords in user account descriptions
In fairness, the servers were fully patched though!
Finding one or two critical issues and putting some scan results in a report is not an effective penetration test. As highlighted above, there can be many attack vectors leading to control of a network or system, or access to sensitive information with little or no accountability.
As security professionals I also believe that we have a responsibility to not only identify technical vulnerabilities and offer technical solutions, but we should also be educating staff, so that information security is treated as a fundamental component of every business process, and we should be empowering businesses to solve these problems themselves.
To paraphrase the well-known quotation – "Tell an organisation that three accounts have poor passwords and they will change those passwords. Teach them to use FGDump and Cain and present them with a half-decent password dictionary and they will change every password."