Saturday, December 21, 2024


Failing the pen test

When it comes to computer security and physical security, “people don't like to be challenged under any circumstances,” says one penetration tester.

Ideally, a penetration test gives the client confidence about their defenses. That could mean anything from staff identifying an intruder before they can gain access to a server room, to ensuring nobody gives out sensitive information to a phisher.

But in practice, expert pen testers say those defenses are rarely as effective as they should be. Instead, they say, most organizations are completely unprepared for an attacker with a rudimentary knowledge of basic social engineering techniques. The prospect of someone unauthorized so easily gaining access to secured areas doesn’t bode well for companies investing in data centers, although those efforts are expected to boost the market size for penetration testing services, according to a Polaris Market Research report.

Just walk right in—no one’s stopping you: Black Hills Information Security owner John Strand is a well-known penetration tester who’s been in the business for over two decades. He once sent his own mom to waltz past guards at a South Dakota prison.

According to Strand, one of the key issues he runs across is staff who don’t feel empowered to challenge authority—whether that’s confirming that a request for a wire transfer really came from their boss, or allowing someone into a restricted area.

“If you look at a lot of people in authority, if somebody doesn’t respect their authority, they get completely bent out of shape, and they get mad, and ‘Don’t you know who I am?’” Strand told IT Brew.

“Unfortunately, as human beings, we aren’t really good at respectfully pushing back,” Strand said. “And unfortunately, whenever it comes to computer security and physical security, people don’t like to be challenged under any circumstances. It tends to get us very angry, especially if we have a legitimate reason to be there.”

Alethe Denis, a senior security consultant at Bishop Fox who won a Def Con Black Badge in a social engineering Capture the Flag contest, told IT Brew that bias is another tactic that allows her to slip past safeguards.

“Though I wish we lived in a world where bias did not exist, I’ve had three doctors this week ask me if I worked…or ‘You’re a housewife, right?’” Denis said. “And so it’s one of those things where I can blend in and pose as someone who either needs help, is lost, is a hot mess, is a mom who’s frazzled and just can’t find the right place to go.”

“I’m betting that most people will see that I am clearly not a threat, and not want to take the time or expend the energy to prove otherwise,” she added.

It’s not just about policy: Even when there are clear rules in place regarding things like unaccompanied visitors or lost devices and physical key cards, both pen testers said they’re often not enforced due to organizational snafus.

For example, Denis said that she often finds “pretty massive gaps” between what her clients believe policies accomplish, and how they work in practice.

“Sometimes it’s just a misunderstanding between various levels of the organization,” Denis said. “Some people believe that things are being handled one way, and that the policy is being followed. And oftentimes, that policy is being circumvented by the folks who are actually responsible for doing the day-to-day processes and transactions of that data.”

An organizational culture in which members dread interactions with their superiors, Strand told IT Brew, often creates gateways for malicious social engineers to push their way in.

“If I walk in, and I pretend to be a boss, or if I send you an email or phone call saying I am a person in management and they want funds transferred immediately, it should be okay for people to respectfully push back and say, ‘I need to have some verification; we need to double check this before we actually do that,’” Strand said.

Denis added, “Having that healthy level of suspicion is great, but it’s pretty worthless if you’re not empowering your employees to challenge those individuals.”
