LOUISVILLE, Ky. -- Many professional penetration testers fail to provide a complete analysis of the enterprise weaknesses they discover, focusing solely on the technology blunders that could result in data leakage, according to a noted security expert.
Chris Nickerson, CEO of Denver-based vulnerability assessment firm Lares Consulting, told attendees at the DerbyCon security conference that pen testers often neglect to address the employees themselves, which can be a company's biggest weakness.
"We're telling companies that their security program is really good, but we're not doing anything to test how information flows outside the boxes," Nickerson said. "If we're truly showing them what could be exposed, then we need to open the scope of what we do a little bit."
Pen testers often simulate attacks from a malicious outsider. They can use various tools to gain access to critical systems, from brute-forcing passwords to finding and exploiting application and network weaknesses and stealing company data. The result is often a lengthy report of the company's weaknesses, giving the firm a snapshot of its security posture from an IT systems standpoint. But that snapshot, Nickerson said, doesn't tell the whole story.
Nickerson said serious pen testers should begin by gathering basic information about individual employees, including business executives. Well-funded cybercriminals conducting targeted attacks follow the same process, he said: start with names, email addresses, social network profiles and the software clients employees use, then work out which cell carrier they use, where they live and the places they visit most often, and learn about their backgrounds and heritage. All of that data matters, he added, because any of it can be exploited in a social engineering attack.
Tools to gather employee information
Surveillance techniques can often help organizations gain a better understanding of the factors outside the company's systems that can result in intellectual property exposure, Nickerson said. Mapping out a company's financials, its partners and key competitors can reveal information that cybercriminals can use in a targeted attack. Web services like Hoover's, MarketVisual and Muckety are a good starting point, he said.
"Do the intel to figure out who the competitors are, because one of them is going to come at the company or already has," Nickerson said. "You can get some great visuals and see connections that you never would have seen that could be a weakness."
Hoover's provides information about companies' top management and key competitors. MarketVisual provides similar information using a visual map, making it easier to navigate and connect different pieces of information. Muckety shows relationships between people, businesses, government and various organizations. The site's interactive maps enable users to drill down and view various connections. It was started in 2007 by newspaper reporters and often has stories about political ties and other connections not immediately visible on the surface.
Nickerson said some websites provide more valuable data than the social network LinkedIn. He highlighted LittleSis, a freely accessible Internet database of connections among people, businesses and government; Jigsaw, which ties into Salesforce.com and provides contact information on corporate executives, directors and managers; and EntityCube, a Microsoft project that correlates search engine results, allowing anyone to easily discover information about specific individuals. Such services, Nickerson said, help take the "false positives" out of gathering human intelligence.
"Watching the entire company isn't feasible," Nickerson said, "but focusing on some individuals can lead to some very important pathways into a company's systems."
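As an added illustration (this is not code from Nickerson's talk or from any of the services named above), the following Python sketch does in miniature what the relationship-mapping sites are described as doing: it takes records from several hypothetical sources, keeps only attributes that two or more sources agree on (the "false positive" filtering Nickerson mentions), and enumerates the connection paths between a targeted individual and a competitor, including the indirect ones a surface view would miss. Every name, e-mail address, organization and source label in the records is constructed for the example.

```python
"""Relationship-map correlation over constructed OSINT records (added example)."""
from collections import defaultdict

# Constructed records: (source, subject, relation, object). Sources, people,
# companies and addresses are all invented for this illustration.
RECORDS = [
    ("corp-profile",     "Acme Corp",        "competitor_of",   "Globex Inc"),
    ("corp-profile",     "Acme Corp",        "executive",       "Jane Doe"),
    ("corp-profile",     "Acme Corp",        "executive",       "Rob Roe"),
    ("contact-db",       "Jane Doe",         "email",           "Jane.Doe@acme.example"),
    ("social",           "Jane Doe",         "email",           "jane.doe@ACME.example"),
    ("social",           "Jane Doe",         "board_member_of", "Civic Foundation"),
    ("relationship-map", "Civic Foundation", "board_member",    "Sam Smith"),
    ("relationship-map", "Globex Inc",       "executive",       "Sam Smith"),
    ("contact-db",       "Rob Roe",          "email",           "rob.roe@acme.example"),
    ("social",           "Rob Roe",          "carrier",         "ExampleMobile"),
]

# Relations whose object is a fact about the subject, not another node in the map.
ATTRIBUTE_RELATIONS = {"email", "carrier"}


def normalize(relation, value):
    """Canonicalize attribute values so the same fact from two sources compares equal."""
    value = value.strip()
    return value.lower() if relation == "email" else value


def build_graph(records):
    """Undirected entity graph: node -> {(neighbor, relation)}. Attribute rows are skipped."""
    graph = defaultdict(set)
    for _source, subj, rel, obj in records:
        if rel in ATTRIBUTE_RELATIONS:
            continue
        graph[subj].add((obj, rel))
        graph[obj].add((subj, rel))
    return graph


def corroborated_attributes(records, subject, relation, min_sources=2):
    """Return {value: sorted sources} for values reported by at least min_sources
    distinct sources. Single-source claims are dropped as possible false positives."""
    seen = defaultdict(set)
    for source, subj, rel, obj in records:
        if subj == subject and rel == relation:
            seen[normalize(rel, obj)].add(source)
    return {v: sorted(s) for v, s in seen.items() if len(s) >= min_sources}


def find_paths(graph, start, goal, max_hops=3):
    """All simple paths from start to goal with at most max_hops edges, shortest first.
    Each path is a list of (node, relation, node) hops."""
    results = []

    def walk(node, visited, hops):
        if node == goal:
            results.append(list(hops))
            return
        if len(hops) == max_hops:
            return
        for nbr, rel in sorted(graph.get(node, ())):
            if nbr not in visited:
                visited.add(nbr)
                hops.append((node, rel, nbr))
                walk(nbr, visited, hops)
                hops.pop()
                visited.discard(nbr)

    walk(start, {start}, [])
    return sorted(results, key=len)


def path_nodes(path):
    """Flatten a hop list into the sequence of entities it passes through."""
    return [path[0][0]] + [hop[2] for hop in path]


if __name__ == "__main__":
    g = build_graph(RECORDS)
    print("corroborated e-mail for Jane Doe:",
          corroborated_attributes(RECORDS, "Jane Doe", "email"))
    print("corroborated e-mail for Rob Roe:",
          corroborated_attributes(RECORDS, "Rob Roe", "email"))
    for p in find_paths(g, "Jane Doe", "Globex Inc"):
        print(" -> ".join(path_nodes(p)))
```

Run stand-alone, the script shows the two pathways from the targeted executive to the competitor: the obvious one through her own employer, and the indirect one through a shared foundation board seat, which is the kind of connection Nickerson says "you never would have seen." Only the e-mail address reported by two independent sources survives the corroboration step.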