Pen testing, new threats, common mistakes and predictions for cyber security

by Jay Dalu-Chandu

What is the biggest challenge facing cyber security at the moment?

The landscape is changing from people working on site to a massive increase in home working which is going to have a big impact on companies, network environments and the security of those environments. A lot of companies must be in a state of flux as they try to adapt to the new circumstances and keep on top of their security at the same time.

If you’re all working in one office then you’re all on one internal network but when people are working remotely there are added network boundaries between them. The company may decide to implement a VPN for everyone to work off from home, but then there’s the issue of training staff on how to use it.

Have you noticed any new threats or challenges to security during Covid-19?

We have seen an increase in ransomware and phishing attacks where people would normally be protected by their offices, firewalls, web application firewalls and email firewalls, but when working from home, people may not be so heavily protected. A malicious attachment that would previously have been caught may not be caught as much outside the office environment, plus the headspace is a little different when you’re working from home, so it may be easier to create social engineering attacks to manipulate people into doing things that they maybe wouldn’t do in an office environment.

How would you normally kick off the pen testing process?

First we need to map out the assets of the company to put a finger on everything within their estate and where all the exit points are. Once the environment is pinned down and mapped out, my approach is to start from the outside and make sure that everything that touches the internet is secure in the first instance. We then start looking at everything inside the network boundaries and making sure that’s all in good shape too.

Are there any common mistakes that people tend to make with their security?

I suppose the most common is the age old thing of applying software updates. If your software isn’t up to date there’s a chance you are vulnerable and that’s been the case since the beginning of the software industry and is still the biggest threat to companies today. Implementing a rigorous update program so that updates are being testing and deployed within a finite time scale is one of the best defences a company can take advantage of.

At my company we identify things that aren’t up to date, then work with the system administrators on how to monitor the release of new updates to ensure they are deployed in a timely fashion.

Any other services you proved that are becoming more important?

We have an open source intelligence gathering feature that, at the touch of a button, allows companies to perform the research an attacker might carry out before attempting to launch an attack. This gives them a good idea of the places where they are vulnerable, for instance, if an employee’s email address was included in an email breach on LinkedIn, and their password hasn’t been updated, that password may still be out there in clear text for attackers to use.

This tool will allow them to get a good view on what information about their company is floating around on the internet that could be abused by a malicious party.

What’s the biggest lesson you’ve learned on the job?

Don’t reuse your passwords.

What’s the most rewarding part of the job for you?

The most rewarding part of the job is sharing your expertise with people who can benefit from it but don’t necessarily need to go to the effort of learning it all themselves. We have been able to help companies that are not aware of the security implications of how their systems work through the process of understanding those challenges, and it’s really rewarding to then leave them in much better shape than we found them.

Where do you think things are headed in the next 5 years?

Well, everything's going to the cloud, so distributed networks using VPNs is going to be paramount to keeping a company's environment secure, and it’ll still be important to use of strong, unique passwords, and two factor authentication of all user accounts. It’s age old advice really, but for us it’s a question of helping people to implement the advice in a way that's manageable and convenient because security is always a trade off against convenience.

Tell us a bit more about the new remote cyber security tool your company has developed…

Our company only got started just before the Covid19 outbreak, so we’ve been able to really fine-tune the products we offer to tackle this new situation.

We’re providing people with the ability to carry out their own scans, as and when they want to, on our web interface, rather than needing to hire an on site consultant and all the associated costs and inefficiencies that involves, like travel, accommodation, network access, booking tests, and cancellation fees when it doesn’t go 100%, which is unfortunately often the case, as environments tend not to be ready, and deadlines don’t get met.

Being able to carry out scans through a web interface at your own home, at your convenience, just works better, so that’s the main asset that we’re currently providing via our website.

Ben Brown is the CEO for Ronin-Pentest, a free online vulnerability scanning engine that gives you a clear view of the condition of your IT security & tells you exactly how to fix it. Try it here

Contact us to arrange a free, no obligation consultation about the cyber security for your business.

Find pen testing professionals in our 250+ strong cyber security community of vetted consultants, and hire from just 10% (much less than agencies!)