CTRL Group have interviewed our Lead Penetration Tester, who brings a wealth of knowledge and experience to CTRL’s operations. Below he shares insights and observations from his role:
Q: What are some of the common themes and mistakes you see in organisations?
A: Across the board, I have noticed that most organisations stick to default credentials. These are the login and passwords that come with the package, or that are very intuitive like ‘admin, admin’. These are often the causes of major breaches, as poor password management makes it very easy for hackers to breach the systems internally and externally. Similarly, organisations generally leave their default files open. As an easy starting point for malicious actors, opened default files can give access to their confidential files, and as a result, leave organisations susceptible to breaches.
Interestingly, people are still vulnerable to MS17-010, or a series of Microsoft software vulnerabilities and exploits created back in 2017. Patches have already been designed to secure all supported Windows operating systems. Yet, the critical problem remains as many versions of Windows require the software update to be installed so they can be protected. In short, this vulnerability affects older versions of Microsoft operating systems and was essentially a way for Windows machines to talk to one another and other devices for remote services. With the exploit unpatched, all the attacker needs to do is send a malicious packet to the target server, and the malware propagates and enables a cyberattack.
Q: Where do you see investments being driven for cybersecurity solutions?
A: At large, organisations are investing in artificial intelligence (AI), machine learning and cloud systems to minimise their risk profile. AI and machine learning can recognise patterns in data pools to enable security systems to learn and develop their innate capabilities. This is exciting because organisations can stay up to date with the latest vulnerabilities vs. what they currently store.
Another key use case for AI and machine learning is its ability to reduce incident response times and assist companies in complying with security best practices. To a large extent, that is what CTRL Group do each day, with the threat landscape proactively monitored for clients.
In terms of investing in cloud systems – companies are migrating to cloud systems so all their systems and files can be stored off-premise. In this kind of setup, companies rely on the security of the cloud providers which minimises their risk exposure to a large part. The theory behind it is that traffic gets to the cloud instead of being routed to the servers directly. The cloud analyses the traffic and only allows access to legitimate users. Any traffic that the cloud does not approve is blocked from the server. Simple solution and something more companies are adopting from a security perspective.
Q: What kind of defences are organisations looking at for the future? And how effective do you think they are?
A: There are largely three kinds of defences that organisations are looking at for the future – security monitoring, threat detection and firewall systems. Most organisations are looking at security partners to provide monitoring services, such as a cybersecurity operations centre. This is designed to provide 24×7 monitoring across the company’s assets and enable rapid response capabilities to address breaches.
Companies also want defence mechanisms to strengthen their detection capabilities such as an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). These tools can analyse network traffic for signatures that match known cyberattacks, as well as stopping suspicious packets from being delivered. The technology here is improving every day and it is proving to deliver great value as each year goes by.
Lastly, firewalls are where a lot of investments go towards protecting internal systems and web servers. As a basic measure, firewalls prevent unauthorised internet users from accessing private networks connected to the internet. As simple as this is, it significantly reduces an organisation’s risk profile when coupled with security processes and policies. It is a cost-effective and impactful approach to defending against hackers.
Q: How well have phishing attacks evolved throughout the years?
A: Phishing attacks have become very creative over the years. The latest attacks are very authentic and manipulative at the same time – it is all very impressive. New styles of phishing attacks fool even the most educated and cyber-aware individuals. Many have fallen for our simulated attacks, which has led to compromising a lot of systems externally and helping us gain access to an organisation’s internal systems.
People should not forget the ramifications of a phishing attack. As an example, although Sony Pictures Entertainment had no major vulnerabilities in their systems, hackers used phishing emails to penetrate their computer networks in 2014. This happens all too often. Many top Sony executives received fake Apple ID verification emails and one victim actually provided his/her information to a fake verification form. The hackers then used these credentials in conjunction with the employees’ LinkedIn profiles to figure out their Sony network login information. Following that, the same credentials were utilised to send malware to the company’s computer networks. Links to a collection of stolen documents, financial records, and the private keys to Sony’s servers were posted online a month later.