Security Testing And The Art Of Imagination
Why penetration testers should (and must) balance the science of testing with the art of imagination, and how to incorporate imagination into your testing processes.
Have you ever wondered why hackers continue to break into “secure” computer systems and networks even after penetration tests have been undertaken on target infrastructure? How do they continue to find these footholds and escalate them into massive breaches?
Part of the answer lies in the use of imagination.
Penetration and security testers often follow rigid guidelines, rigid rules and rigid methodologies. This leaves us wearing blinkers to other opportunities, because nine times out of ten we are adhering to a checklist and following a paint-by-numbers methodology.
Attackers have no such constraints and, as a result, keep developing new and innovative ways into even the best-defended computer systems and networks.
How do we change the current paradigm in security testing?
First, allocate time to brainstorming. Avoid defaulting to the exclusive use of checklists and dated methodologies. As testers, we are engaged by our clients to simulate attackers. Allocate ample time before you touch the keyboard to threat modelling and brainstorming potential attack paths.
This is best done similarly to undertaking a Business Impact Assessment (BIA) for disaster recovery purposes. Stand in front of a whiteboard and write down every single way that you can breach the target system. Do not constrain yourself to traditional approaches. Physical attacks, social engineering, drones, zombies, SQL injection. Nothing is off the table.
Once this list is complete, rank each item by its likelihood and the effort it would take, and cross off the ones that are implausible for the target or out of scope for the engagement. What remains is a prioritised set of attack paths to test, rather than a generic checklist.
Although this should be undertaken throughout the engagement, there are two phases where this is most applicable:
- Reconnaissance Phase
- Vulnerability Identification Phase
Re-imagine reconnaissance
During the reconnaissance phase, imagination and brainstorming usually lead to gathering far more information than a stock methodology would, simply by thinking outside the box. That extra information often opens new and innovative avenues of attack.
If you were targeting a large financial company that has implemented advanced biometric security measures at their buildings and data centre, this would be enough for some attackers to give up. However, some hackers are persistent by nature and will try to find an alternative attack path.
For example, an attacker employing social engineering techniques may call the building and pretend to be an IT administrator from another office who has been tasked by their manager with creating local user accounts for new employees, and who claims to need domain administrator access to complete the job.
As such, thinking outside of the box and coming up with innovative ways that a hacker could breach the target system will often provide new avenues for testing without requiring too much time or effort from you as penetration testers.
This takes a tester's skillset beyond following checklists and turns security testing into a dynamic process instead of just another box to tick: testers, like attackers, get to think outside the box in their search for new ways to breach supposedly secure systems.
Creative vulnerability identification
The vulnerability identification phase of penetration testing is where imagination and brainstorming matter most. This is the stage where testers actively probe for attack vectors: vulnerable network services, web application vulnerabilities such as SQL injection and XSS, and system misconfigurations that can be exploited to gain code execution.
Try to think of the less obvious approach. For example, when testing a web application, don't limit yourself to checking for out-of-date versions, missing input validation or SQL injection. Test for logic bugs that allow security controls to be bypassed (a multi-step workflow whose final step never checks that the earlier steps were completed, for instance), or dedicate time to vulnerability research on the web application's underlying technology. Or even: how about gaining access to the corporate network through the "smart" coffee machine in the office break room? Wouldn't that be an interesting story?
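The workflow-skip logic bug mentioned above is worth seeing concretely, because no version check or injection scanner will ever find it. The following is an added, constructed example and is not code from the original article or from any real product: a three-step password reset (request, verify a one-time code, set the new password) where the vulnerable service's final step only checks that a reset token exists, not that the code was actually verified. The class and method names are hypothetical. The hardened variant enforces the state machine explicitly.

```python
"""Constructed example of a workflow-bypass logic bug in a password reset.

Flow: request_reset -> verify_code -> set_password.
An attacker can request a reset for the victim's account (they get the
token; the one-time code goes to the victim), then jump straight to
set_password. The vulnerable service never checks that verification
happened.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ResetSession:
    user: str
    code: str            # one-time code "sent" out of band to the user
    verified: bool = False


class VulnerableResetService:
    def __init__(self):
        self.sessions = {}    # reset token -> ResetSession
        self.passwords = {}   # user -> password (plaintext only for the demo)

    def request_reset(self, user):
        """Step 1: anyone may start a reset for any username."""
        token = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[token] = ResetSession(user, code)
        return token

    def verify_code(self, token, code):
        """Step 2: prove possession of the out-of-band code."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if hmac.compare_digest(s.code, code):
            s.verified = True
            return True
        return False

    def set_password(self, token, new_password):
        """Step 3. BUG: checks that the token exists, never that it was verified."""
        s = self.sessions.get(token)
        if s is None:
            return False
        self.passwords[s.user] = new_password
        del self.sessions[token]
        return True


class HardenedResetService(VulnerableResetService):
    def set_password(self, token, new_password):
        """Step 3 with the state machine enforced: step 2 must have succeeded."""
        s = self.sessions.get(token)
        if s is None or not s.verified:
            return False
        self.passwords[s.user] = new_password
        del self.sessions[token]
        return True


def skip_verification_attack(service, victim="alice"):
    """Attacker's view: request a reset, skip step 2, go straight to step 3.
    Returns True if the victim's password was changed without the code."""
    token = service.request_reset(victim)
    return service.set_password(token, "attacker-chosen")


def legitimate_reset(service, user="bob"):
    """Honest user completing all three steps; returns True on success."""
    token = service.request_reset(user)
    code = service.sessions[token].code   # the user reads this off their phone
    assert service.verify_code(token, code)
    return service.set_password(token, "new-password")


if __name__ == "__main__":
    print("vulnerable bypassed:", skip_verification_attack(VulnerableResetService()))
    print("hardened bypassed:  ", skip_verification_attack(HardenedResetService()))
    print("hardened legit flow:", legitimate_reset(HardenedResetService()))
```

The point for brainstorming is the shape of the bug rather than this particular flow: whenever a process has several steps, ask whether each server-side endpoint verifies that the previous steps actually completed, or merely that some identifier from step one is present. The same question applies to checkout flows, KYC onboarding, MFA enrolment and approval workflows.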
This is where your imagination and brainstorming come in handy. When brainstorming, it is also best to do it in a group setting. Diverse thought processes, genders and backgrounds will often lead to innovative, interesting and new attack paths.
Imagination makes the hacker
Traditionally, we tend to focus on exploit, password and misconfiguration attacks, and often forget people-based, physical, third-party and mobile attacks. Although these are less common attack vectors, thinking outside the box lets penetration testers identify vulnerabilities that the standard approach would miss. Remember: imagination makes the hacker!
Imagination is an important part of cyber security testing, and thinking outside the box can lead to innovative ways to breach "secure" and insecure systems alike. The key is not to limit yourself to what you already know or have learnt, but to expand your imagination and allow the creative thought processes that let attackers, and testers, think beyond traditional attack paths.
Expand your imagination. Attackers do and you need to follow suit.
Subscribe to our newsletter and get the latest news and information from Anchoram.