I had a conversation a few days ago that highlighted an interesting similarity between offensive security and, oddly enough, baby pictures. The conversation was with a photographer who worked extensively with families (family portraits, baby pictures, etc.). The photographer mentioned that they offer a package for parents to get pictures of their babies at newborn, three, six, nine and twelve months to capture those memories when the children are growing and changing so fast. She noted that many parents didn’t take advantage of this service because there was always something else going on (work, chores, other children, etc.), financial constraints and sometimes they simply didn’t know about it. She then noted that, many times parents would bring their toddlers or young children to the studio for pictures and, when they noticed the baby (newborn, three, six, nine, twelve months) portraits on the wall, realized what an opportunity they had missed and instantly regretted it.
The role and importance of offensive security is a crucial part of normal operations in the military and similar environments, in the civilian world, it’s still a relatively new concept. Like the baby picture package, many organizations don’t understand the role or importance of offensive security for many of the same reasons; there’s always something else going on (meetings, compliance, audits, computer / server / network upgrades, etc.), financial constraints that prioritize other projects and objectives higher and, sometimes, they simply don’t know about it. That is, until they walk in and realize that all of their data has been encrypted or see their company name on the news beside a banner reading something like “Huge breach leaks personal info for millions of people”. At that point, much like the parents in the baby picture scenario, the meetings, upgrades and whatever it was that got prioritized over the security of the environment are suddenly much less important and urgent.
With this in mind, I wanted to put together a quick article to give a quick overview of what offensive security is and how you can use it to protect your information and keep your company out of the news.
What is Offensive Security? A good way to understand offensive security is by thinking about a museum. Imagine that you’re a museum curator and someone tells you that they’d like for your museum to display their priceless piece, but they want some assurance from you that it won’t be stolen. You already have a fence, locks on the doors and these physical controls are augmented by a monitored alarm to alert you if there’s a breach, but if the alarm goes off, it could already be game over. That’s where offensive security comes in; in addition to your strong defense [fence, doors, alarm, etc.], you hire a professional thief to test your security and, if they find a way in, they document it and help you fix it before a malicious thief is able to exploit it. In the information security world, these professional thieves are often refereed to white hat or ethical hackers.
How can my organization use offensive security? There are literally thousands of answers here, so I’ll focus on some of the services that Piratica offers and how our clients tell us our services have helped them.
– Social Engineering – Social Engineering, as its name suggests, is literally ‘hacking humans’. Organizations have gotten very good at security their network borders but, if an attacker can get an unsuspecting user to click an email, open a webpage or insert a malicious USB drive into their computer, that attacker can completely bypass all of the fancy technical controls that the organization has in place. To thwart these types of attacks, Piratica offers social engineering engagements including phishing, vishing, CD / DVD / USB drops (though CDs and DVDs tend to be on their way out, you’d be amazed at how many people will plug a strange USB drive into their work compute). We then collect results on the attack and give it to the organization in the form of a detailed report that can be rolled into the organizations new employee onboarding and ongoing security awareness training. Our customers have told us that they’ve seen a marked decrease in the amount of virus and malware issues that they’ve seen as well as increased security awareness at every level of their organization.
– Vulnerability Assessment – A simple way to think of a vulnerability assessment is that it’s a checkup to see where an organization may be vulnerable to attack. This could be an external attack (a web server, mail server, vulnerable firewall, etc.), an internal attack (a disgruntled employee stealing sensitive information or letting his or her children use the company laptop for Minecraft or Elf Bowling), a social engineering attack (phishing emails, vishing calls, etc.) and it can be against a vulnerability that you knew that you had (that web server that’s running out-of-date software) or one that you didn’t know that you had (that Windows XP machine back in the lab that everyone forgot about or the newly released 0 Day in your Cisco gear). The purpose of a vulnerability assessment is to identify potential vulnerabilities in the organization and document them for the client. That information can then be used by the client to confirm and mitigate the vulnerabilities identified, ideally before an attacker is able to find and exploit them. Wikipedia defines a vulnerability assessment as the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system. Our customers have told us that they’ve identified a number of otherwise unknown vulnerabilities in their networks including weak authentication, exposed services (remote desktop is one of the most frequently discovered services) and unauthorized devices on the company network that they’ve been able to mitigate as a direct result of the vulnerability assessments that we have provided.
– Penetration Testing (pentesting) – A simple way to think of a penetration test is that it’s a simulated attack to test the security posture of an organization. It’s generally scoped (clearly defined rules regarding what the tester can and cannot do, what days / times the attacker can conduct what portions of the test, etc.), so it’s not an apples-to-apples comparison to an actual attack but it’s intended to be close (sometimes, the client will intentionally exclude all of the things that they know to be vulnerable from the scope in order to pass the test, but the results are heavily skewed and of very little value). It’s important to note that a vulnerability assessment is part of a properly conducted penetration test. The vulnerability assessment will help identify what vulnerabilities may be available to exploit and / or what paths may be available to gain or elevate access to the target and a penetration test goes further (depending on scope) and attempts to exploit those vulnerabilities in order to gain access, ex-filtrate (steal) data, disrupt access, etc. (to what end and how far are detailed in the scope). Sometimes, this is simply to verify / validate the findings from a vulnerability assessment and sometimes it’s to test the blue team / defenders / current IT support (will they notice the attack and, if so, can they defend against it). Wikipedia defines a penetration test as an attack on a computer system that looks for security weaknesses, potentially gaining access to the computer’s features and data. Our customers have told us that they’ve seen significant changes in their organizations ranging from heightened awareness of the real damage that a malicious attacker can have by all employees to easier compliance audits (because of a more security aware / conscious staff) to the gamification of InfoSec by their IT departments in things like routine threat hunting exercises.
If you would like more information about these or other services that we offer, please contact us.