Testing for technical vulnerabilities is a key part of security risk assessment.  To get the straight scoop on technical vulnerabilities, and how they’re exploited, why not ask a hacker?

Dave Chronister is an ethical hacker, a Certified Information Systems Security Professional, and the co-founder and managing partner of Parameter Security.  To borrow from the Farmer’s Insurance commercials, Dave knows a thing or two because he’s seen a thing or two.  He started early – Dave wrote his first computer program before age 8, and as a teenager he ran a large networked bulletin board system, through which he first experienced war dialing and the underground world of hacking.

Dave and his Parameter Security team perform technical security assessments (ethical hacking penetration services, code & device reviews, and social engineering exercises), post-incident forensic investigation, and training.  Dave regularly appears as a cybersecurity expert on CNBC, CNN, Fox Business, and MSNBC, and he writes and speaks internationally on hacking and system security.

I recently asked Dave for his thoughts on the current hacking landscape, and especially on why technical vulnerability testing is crucial to an overall security risk assessment. Here’s what he shared:

First off, what’s an ethical hacker, and how did you get into that line of work?

An ethical hacker is someone who assesses the security of networks, applications, and physical locations using the tools and methodologies of a malicious attacker. I got into this field because of needing this sort of service way back when I was vice president of IT for a bank holding company. At that time, most providers were either accounting firms offering advice on merely achieving security compliance, or solution providers using their “penetration assessment” as a sales tool to help push new products.

Parameter was founded as an assessment organization, first and foremost.  Our main objective is to come in, look at your actual security posture, and help determine where you are with your data security, where you want to go, and what needs to happen to get there.

What is a technical vulnerability assessment?

In a technical vulnerability assessment, we start by looking at the footprint of your IT environment.  We determine possible vulnerabilities that may be present based on system configuration, policy, or software versions, and then we report on these possible vulnerabilities. A vulnerability assessment is the first step in a penetration assessment.  In a vulnerability assessment we report on the vulnerabilities we identify, and in a penetration assessment we go further, trying to exploit those vulnerabilities to see how far into your environment we can go.

What kinds of problems do vulnerability assessments commonly uncover?

In almost every environment we find a lack of an effective patching policy. This covers the client’s knowledge of what their environment consists of, as well as consistent patching of vulnerabilities in a reasonable amount of time. We also find, in quite a few organizations that have piecemeal security controls, that they don’t follow any sort of consistent framework. Those organizations may spend quite a bit of money securing one part of their environment, while leaving another equally critical area wide open for attack.

Some folks imagine that hackers’ sole strategy is to deliberately target a single, individual company – and they assume they are too small or insignificant to be found by the bad guys, so they’re “safe.”  What do those folks not understand about automated hacker tools that randomly scan the Internet for vulnerable endpoints?

Hackers typically fall into two categories – those that have a target and are looking for a vulnerability to exploit, and those that have a vulnerability to exploit and are looking for targets.

If you look at any firewall’s external logs, you’ll actually see that quite a few scans are happening, probably every second.  These are malicious attackers looking for something to exploit.  Some have targeted the organization, but others are simply scanning the Internet looking for targets with specific vulnerabilities.  Once they get in, they then try to determine if there’s anything they can use. Many times you’ll find that if there’s nothing of use, the hacker may sell access to your environment, may actually use your environment to launch other attacks, or may decide to just delete all of your information.

What do folks not understand about how hackers penetrate perimeter defenses by technical means (without social engineering)?

For the most part, most organizations are doing a fairly good job at securing their outermost perimeter, at their firewall where they access the Internet.  But we run into quite a few situations where certain ports are left open, such as Remote Desktop Protocol. The problem is that when you expose something to the Internet, it’s accessible to anyone, and any vulnerability that may be out there can be exploited by someone. Take Windows Remote Desktop.  There was a vulnerability, disclosed during the NSA leak, that allowed malicious attackers to gain access to systems that had Remote Desktop enabled and publicly accessible from the Internet.
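A defender-side illustration of the two points Dave makes above (the constant scanning visible in a firewall's external logs, and services such as Remote Desktop left reachable from the Internet), as added example code that is not part of the interview or of Parameter Security's tooling. The log format, the addresses and the list of risky ports are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables/netfilter-style syslog format, made up
# for this example (no real device or address).
SAMPLE_LOG = """\
Mar 03 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=21
Mar 03 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22
Mar 03 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23
Mar 03 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=445
Mar 03 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=3389
Mar 03 10:00:03 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=443
Mar 03 10:00:04 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.44 DST=198.51.100.9 PROTO=TCP DPT=3389
"""

LINE_RE = re.compile(r"(?P<action>ACCEPT|DROP) IN=\S+ SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)")

# Services the perimeter should not expose directly (RDP per the interview; the
# other two are the example's own assumption).
RISKY_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet"}


def parse_log(text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({**m.groupdict(), "dpt": int(m.group("dpt"))})
    return events


def find_scanners(events, min_ports=5):
    """Sources probing >= min_ports distinct ports: attackers who have an
    exploit and are sweeping the Internet for targets, not single visitors."""
    ports = defaultdict(set)
    for ev in events:
        ports[ev["src"]].add(ev["dpt"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_exposed_services(events):
    """Accepted inbound connections on risky ports, i.e. services such as
    Remote Desktop that are reachable by anyone on the Internet."""
    return [(ev["src"], ev["dst"], ev["dpt"], RISKY_PORTS[ev["dpt"]])
            for ev in events if ev["action"] == "ACCEPT" and ev["dpt"] in RISKY_PORTS]
```

Run against a real export, the scanner list is the background noise Dave describes, while any hit from `find_exposed_services` is a port to close or put behind a VPN.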

What about how hackers, once in, then move laterally?

Once a malicious attacker gains control of the system, any device or other system on that network can be attacked by that attacker. Flat networks, networks that have all of their systems on the same internal local area network, do not have the same defense in depth that a segmented network may have. Also, in flat networks, the visibility of activity within the internal network is usually not very good. This essentially allows an attacker free rein in your internal network – once one system is compromised externally, the entire network can fall.

What are some of the most important things companies can do, based on results of a technical vulnerability assessment, to improve their technical security posture?

First and foremost, patch.  Understand your actual network, what systems should be on your network, and what applications are running on those systems.  Make sure that you have your security controls set to your acceptable level of risk. Understand that no environment is hacker-proof, because at some point you will be compromised.  The ultimate goals are to prevent a malicious attacker from gaining complete control of your environment, and also to have the ability to detect and log activity of the malicious attacker, so that we can determine what happened during the compromise.