When we have something valuable we want to keep it safe and, if we have something that others consider valuable, we have to keep to safe. For physical security, we have locks and gates and giant armored trucks and friendly uniformed chaps with firearms. But what about stuff that’s not bound to the physical realm? No, not ghosts with cash (though that would be pretty cool). I am speaking here about data. Most of you know how to keep it safe. We use things like passwords, firewalls, and multi-factor authentication. But we have to make sure! Like, you know how when you leave a secure building and you jiggle the door handle a couple times to make sure it actually locked properly? You need to do the same when you secure data. How is that done? How can you confirm that the security features you have protecting your valuable data are actually doing what they are designed to do? Two words: Penetration Testing.
First things first: The term used in the IT industry for this is “pentesting”. If you’re like me (and who isn’t? ) you might take one look at that word and think ‘Oh, how clever. It’s a portmanteau of Pente (a board game invented in the 1970’s by Gary Gabriel) and Sting (lead vocalist for the New Wave rock band The Police who glows whenever Orcs are near)’. But, shocking as it may be, the term is actually just shorthand for PENetration TESTing. Pretty crazy right? Crazy or not, we are going to use that word from here out so I guess you need to get used to it.
In short, pentesting is the process of trying hack your own systems. The goal is to see if you can get through the security that is already in place and, if you can, take whatever action is required to prevent (or at least mitigate) that risk in the future.
For smaller organizations hiring a professional security firm for this may not be practical. But the good news is, most of the basics can be done for free with minimal effort. Though the easy-and-free options won’t explore every conceivable weakness, it will cover the ones most commonly exploited by the ne’er-do-wells out there. Essentially, it’s the cyberspace equivalent of ‘jiggling the door handle’ of your data.
The #1 thing to remember: ABC: Avoid Confirmation Bias.
(I know it’s really an ACB rule ‘Avoid Bonfirmation Cias‘ doesn’t make any sense at all)
Point is, don’t assume your systems are secure and just look for ways to support that assumption. Rather, try and get into the mindset of a potential bad guy, if you must make assumptions, assume the entire IT staff (including you) are dangerously incompetent and all your users are easily duped. With that attitude, you will have the best chance of finding something worthwhile!
Here are a couple of basic things you can do to pentest your own systems:
Test Users
- Phishing (see if your users are able to resist clicking on every single link they see)
- Send an email from your corporate account to everyone in your organization saying something like:
“Tomorrow morning you will get an email.
The email is being sent for security testing.
The email will NOT come from a company address.
Do NOT click the link in the email!” - The following morning, use a non-corporate account to send an email to the same people
(the site www.wasitviewed.com is great for this — and free!) - The email should clearly state that this is the testing email you mentioned earlier, but also actively encourage the user to click the link:
“This is the security test I told you about yesterday.
Click HERE to see if you passed!”
(the testing link would be attached to the word ‘HERE’) - Wait a couple of days and tally the results. Any user who clicked the link is a weakness for phishing attempts.
- Send an email from your corporate account to everyone in your organization saying something like:
- WIFI (see if your users will connect to any wifi network, no matter how suspicious)
- Use a wifi hotspot to create a new wifi network with open access (no password). Give the network an SSID that will clearly communicate to anyone that it is dangerous (e.g. “Hacker Central”, “Malware Delivery”)
- Your hotspot app should report how many devices connect and include the name and/or MAC address of each.
- Contact the users to which these devices are assigned and make sure they know how dangerous it is to connect to any open network they see (note that their device may be set to do this automatically, in which case it’s not their fault!)
Test Unexpected File Availability
- uPNP (uPNP can be a serious security hole for a corporation)
- From a corporate system, use an app like VLC, BubbleuPNP, Windows Media Player to look for any ‘Shared Libraries’.
- Wait 30-90 seconds and see if anything appears on the list.
- If so, find those systems and disable anything related to the uPNP or (for Windows) the ‘Homegroup’ feature.
- This can be particularly scary if users put things in their ‘My Music’ or ‘My Videos’ folders like recordings of internal meetings or unreleased marketing videos.
- Search Engine Indexing (if a search engine bot can see it, so can anyone else!)
- Do a Google search specifically for something that should never, ever be publicly visible. (replace information in brackets with own and make sure to include any quotes or asterisks in the string):
- Any corp web server with index browser enabled:intitle:index.of site:*.[corporate domain]
- Any corp web server being indexed by IP instead of domain name:site:[IP that shouldn’t be publicly reachable]*
- Any direct file link being indexed by Google (by file extension; add as needed):allinurl:[corporate domain]+(|doc|exe|zip)
- Here’s a decent reference for even more Google query syntax:https://support.google.com/websearch/answer/2466433?hl=en
- To be extra thorough, you do the same with Bing and Yahoo. Just keep in mind that each search engine uses different query syntax.
- Bing syntax:
https://msdn.microsoft.com/en-us/library/ff795639.aspx - Yahoo syntax:
https://help.yahoo.com/kb/SLN2242.html
- Bing syntax:
- Do a Google search specifically for something that should never, ever be publicly visible. (replace information in brackets with own and make sure to include any quotes or asterisks in the string):
Those couple of things should get you off to a good start. I know that the companies I have worked with in recent years were amazed (read: horrified) by just how much of their proprietary information was just sitting out there on Google because someone, somewhere copied to a server that was open to the outside world. Humans make mistakes and we have to plan accordingly.
Always Jiggling the Handle,
Mike
