Vulnerability Assessments vs Penetration Testing

Vulnerability scanning and penetration testing are important tools to secure and protect your IT infrastructure. Often, they get confused with each other but both play very different roles in overall network security.

So, what’s the difference and which should your business be using?

 

Vulnerability Assessments

Vulnerability assessments are automated reports that search for known vulnerabilities within software, such as missing patches and outdated configuration, protocols, certificates and services. The output of this report would show any known vulnerability that exist within the network. Reports can be lengthy as the assessments take quite a comprehensive look at the network and applications.

The assessments can be ran on any number of devices throughout a network and is wide in scope. The results can then be used to remove potential risks before they could be exploited.

It is recommended to perform scans quarterly and every new device once configured, or if a major configuration change has taken place.

 

Penetration Tests

In comparison, penetration testing actively exploits weaknesses within the environment. An experienced person would carry out the testing, acting as an attacker by exploiting weaknesses within the network or applications otherwise known as ‘ethical hacking’. As a tester is needed, this testing cannot be automated.

The main aim of penetration testing is to identify insecure and weak security settings and configuration that a business outsider would be able to use to access the data held behind the defences such as un-encrypted passwords. The tester would probe an open port and see how far it can be exploited. Large networks can take anywhere from days to weeks to complete a full test. It is therefore best practice to have the testing performed by a fully qualified 3rd party; this also ensures a fully unbiased, objective report being developed.

Penetration testing doesn’t need to be performed as regularly as vulnerability assessments, instead only once a year or if internet facing equipment has a large change made.

 

What Should My Business Use?

In summary, a vulnerability assessment is used to detect when an unlocked door could let a burglar enter your business. A penetration test would role play as the burglar and see how far he’s able to get before a locked door stops him in his tracks.

Both tools should be used in conjunction and work together to provide the best outcome. Vulnerability assessments are designed to act as a detective tool; penetration testing is built to be a preventative measure.

Penetration testing is a lot more costly compared to vulnerability by itself, but this is due to the in-depth nature of the scanning as the tester may discover a new vulnerability or a security flaw that is not very well known.

 

IT’s important to know the difference between each test as each are important in their own way. To find out if Netshield can be of assistance, please contact us here

Advertisements

The Rise of Email Compromise

THE TERM PHISHING is certainly becoming more prevalent in today’s cyber-security obsessed world. Cyber criminals pose as a CEO, finance director or other senior members of staff in a company and send fraudulent emails containing details of payments ‘that must be made immediately’ with bank details attached. The catch is usually the address that the email has been sent from; it will resemble very closely the email of the senior management figure, with this spoofing often duping unsuspecting employees into making the payments or disclosing financial/personal information as requested.

According to the Verizon Data Breach Investigations Report, phishing tactics were used in more than 90% of all security incidents and breaches in 2017. So why has there been such a rise in business email being targeted?

 

How does it work?

Phishing emails are very simple; target multiple users or one individual, in a company, convince them that the sender is a high ranking senior management member, extract sensitive information. The email will usually be labelled with high importance, eliciting a sense of urgency in the user (who wants to upset their CEO by delaying a task in an urgent email?) who then provides login credentials, credit card details or actually make the requested payment.

Some will contain a malicious attachment, so if users don’t fall for the money transfer requests they may still infect their PC and later the network with malware.

Links to sign-in forms (such as the Gmail scam that occurred at the start of 2017, affecting over 1 billion users) can also be included. The URL’s resemble the official one, so a glance at the address bar won’t raise any alarm bells unless you look closely, so even the most tech-savvy users can fall victim. Once credentials have been entered the attackers have full access to that account. This could obviously be disastrous if business banking credentials have been entered.

 

Believing your business is safe from an attack as ‘it hasn’t happened to us yet’ is not the way to be thinking anymore. So what can be done? 

  1. Improving User Awareness 

Training employees on how to spot phishing attempts, what to do if they are in receipt of one and how to defend against attacks.

According to the Verizon Data Breach Investigations Report:

30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.

It’s also important to encourage employees to report possible incidents or breaches as soon as they are discovered.  Clear and readable security policies should be implemented and distributed to all users regularly so employees are aware of their roles and responsibilities during such an incident.

Ongoing security awareness training should be considered for all IT team members on a regular basis to keep their knowledge of evolving scams up to date.

2. Management Involvement 

Assigning key responsibilities for cyber security at management level ensures all employees are aware that is is being taken seriously, and provides a great example for them to follow. Of course everyone within a company has a part to play in keeping the infrastructure secure, but it does need to start at senior management level to show the importance.

A tech-savvy staff member should be allowed time to keep informed about the latest phishing techniques, preferably a senior member of the IT team. By being aware of latest scams as early as possible, the management board can be informed and discuss the best way to prevent the business being affected.

3. Build your Battle Plan

Ensuring your IT infrastructure is as robust as possible must be a priority at all times. Although very important, gone are the days we could just rely on heavy duty firewalls to prevent malicious traffic reaching its target.

  • Two factor authentication can be used over a variety of applications and software, either built in or as an ‘add on’. With most people only having one layer of security (their password) to protect accounts, two-factor authentication adds a security code that must be entered on top of this. This can be directed towards your mobile or a security key. With 2FA enabled, should the bad guys gain control of passwords they still won’t be able to access what is behind without the users phone or security key.
  • Updates are released in response to loopholes that phishers can take advantage of. Ensuring all IT systems are up to date is often forgotten about. We’ve previously posted about how patching can help prevent major security vulnerabilities (read more here), this also reaches out to anti-virus and anti-malware. Should the worst happen, this is your first line of defense. Browsers should also be updated as soon as one is available. A good patch management schedule will ensure this is carried out regularly.
  • A quick check to verify site security of a site is not time consuming but does help give you peace of mind. Make sure the URL begins with ‘https’, and that a small, closed padlock icon is visible near the address bar.
  • Anti-virus should be installed across all devices, including remotely used ones. New security definitions are added all the time, which makes ensuring the software is up to date even more important. AV helps prevent damage to systems by scanning every file coming through the internet to your PC.
  • Scrutinize an email address or URL if you’re a little bit unsure. Sender of an email joe.bloggs@exampl3.com rather than the usual @example.com? Don’t trust it. It doesn’t hurt to reach out and double check with who you believe the email is from separately to check.

 

Unfortunately there is no fool-proof way to prevent attacks occurring; promoting a company culture of staying vigilant and being on guard is one of the best defenses you can have.

 

For information about how Netshield can assist with your anti-phishing policies and defenses, please feel free to contact us here.

 

 

Why do we overlook the importance of patching?

The importance of patching is often forgotten about, with IT teams finding the time to keep user, network and security devices up to date often impossible!

The overall security of an infrastructure should be top priority, and one of the most effective preventive measures against potential threats is patching. Patching is the process of repairing system vulnerabilities which have been discovered applying to operating systems, servers, desktops, software applications, firewalls, mobile devices, the list goes on!

Unpatched systems are an easy target; with new vulnerabilities being discovered constantly, it is common for cyber criminals to exploit, target and gain entry to networks. We only have to look at the fallout from the WannaCry and NotPetya attacks to understand how effective using vulnerabilities on unpatched systems can be. A report from the Online Trust Alliance stated:

There were over 160,000 security incidents impacting businesses in 2017 – almost double the amount reported in 2016!

This is due to cyber criminals becoming more tech savvy in exploiting vulnerbilities, and perhaps businesses becoming too busy to focus on their network security.

Of course, proactively preventing such vulnerabilities causing problems is preferred to reactively attempting to mop up after a security incident. This is where patch management comes into play.

The Benefits

Manually checking for and applying updates is a mammoth task; the sheer number of available updates can be overwhelming especially for some SMB’s who may not have their own onsite technical team. To remove this time consuming job, patch management will automatically control the update process. This can also include devices in remote locations, especially helpful for remote workers that use company phones or laptops. Those devices and applications that are easy to forget about can also be included, removing any surprises later on.

Patch management enables the scheduling of a time and date for patches to be deployed, which is especially useful for devices located across different time zones. Setting updates to install out of hours or outside times of high employee productivity minimises the amount of business disruption faced whilst still maintaining the level of security needed.

Removing the need for IT teams to analyse updates, patch management also helps to free up time allowing other productive tasks to be looked at, or dedicate more time to looking after existing systems.

Effective Patch Management 

What does an effective patch management programme look like? The methods used will obviously vary for each company; there’s no ‘one size fits all’ configuration as each need is different. Typically, an automated patch management system is implemented. This requires the install of an agent which allows the control and management of patches from a web-based interface. Companies with a smaller network may wish to outsource this management to perform the deployments from a remote location.

So, you have the programme in place. A less obvious part of the whole management is a policy. This would dictate how often patches are performed, how quickly they need to be scheduled (especially critical updates) and a plan for rollbacks.

 

In summary, in order to keep your infrastructure safe and secure, regularly applying patches to all software should be prioritised. Cyber security needs to be taken seriously by all to stay ahead of the criminals.

 

Netshield can assist with the automation and management of the patch process, from your entire infrastructure to just a select few network devices. If you’d like further information, please don’t hesitate to get in touch.

 

 

 

 

 

 

 

Technology and Education: What’s the Impact?

Technology has made a huge impact in every sector over the last ten years; this is especially true for the education sector. 

Universities and colleges are offering online courses to make studying more accessible across the world, challenging the ‘traditional’ picture of education. But could there be more of an impact?

Remote Working

In the era of many businesses now using a wide range of remote desktop services to allow employees to work from home or remotely when needed, will schools soon be following suit?

During the poor weather at the start of 2018 which led to schools, colleges and universities being closed, some for weeks on end due to heating issues, could the impact on students learning be lessened with virtual classes being available? This would minimise the amount of learning lost during adverse weather conditions, and long term illness. Virtual lessons would also help connect students and teachers in different locations, removing any geographical barriers.

However, does remote learning lead to an issue: how do tutors and teachers ensure students are remaining productive when they’re not working in a classroom? There aren’t many surveys that have been conducted to this end, but according to a survey performed with teleworkers by TINYpulse,  91% of remote workers believe they “get more work done when working remotely”. This is of course a self assessment performed by the workers and may not offer a true reflection of how productive they actually are! It does however show an insight into how the freedom of remote working could actually improve the productivity of students.

Digital Portfolios

Gone are the days of scrambling around for the USB long forgotten about at the bottom of a school bag; the embarrassment of submitting work and realising it hadn’t been saved; sharing external storage devices during a group project. Digital portfolios are becoming more common, allowing students to share notes and collaborate during projects in one place, usually an online portal or application. Tutors are also able to mark work and submit it back straight away, removing the need for 100’s bits of paper being printed and handed back.

The use of digital portfolios helps keep all submissions stored securely, often making use of Cloud services which has the additional benefits of scalable storage and backups for extra security and continuity.

From an environmental view, digitising assignments submissions would of course minimise the amount of paper being used, and also drive down the cost of printing, inks and toners.

Taking Control of Learning

Students in college and university often have to juggle their coursework, lectures and lessons with work schedules. Virtual classes provide the freedom for students to learn at their own pace in bite-sized chunks, and work around their often busy work rotas.

Making the choice between a late shift at work vs being on time the next morning for a lecture would be eradicated with the student able to access a lesson if it had been pre-recorded and distributed virtually.

E-books are also becoming more commonplace, with teachers able to prepare students before a class with the lesson content or distribute afterwards to give everyone a chance to recap.

Digital vs Traditional

As with everything, there are of course negatives to such advances being made within the education sector.

Does digitising as much as possible take away traditional writing skills, leaving students so used to typing away unexposed to the usual pen and paper concept? The introduction of E-books also raises the question of what can be done with the sheer amount of paper-based books left sitting unused in libraries and classrooms.

The Verdict?

Of course there’s a long way to go before every school, college and university can offer remote desktop services to all students. The work (and cost!) of implementing such solutions can look scary on paper. However, staggered rollouts or making just certain departments accessible through this medium could help to combat this.

The question of controlling students access during the ‘school day’ can also be harder to answer if allowing them to work on their own time unsupervised through mobile devices. This is where good management of anti-virus and patching is important, with a good, stable and secure back-end infrastructure still needed.

 

With technology changing the face of all sector in some way, education is no different. The next ten – twenty years could make it almost unrecognisable. 

 

 

Netshield Announce Our New Vulnerability Scanning Service, NetScan.

NetScan is a popular and capable infrastructure and web application vulnerability scanner, providing the ability to carry out regular scanning to identify vulnerabilities before they become a huge business security risk.

First Class Scanning.

Unpatched software, configuration weaknesses and software vulnerabilities also need to be managed effectively. NetScan includes a vulnerability assessment module to perform vulnerability scans across your external network infrastructure.

• Access sophisticated scanning and exploit technology designed by experienced penetration testers
• Provides a single platform to identify and manage web application and infrastructure risk
• Confirms vulnerabilities through safe exploitation to eradicate false positives and provide proof of concept
• Prioritise each vulnerability’s remediation
• Generates reports in Microsoft Word and CSV. PCI and UK Government PSN compatible formats
• Schedule scans to run at any given date and time. Scan at regular recurring intervals with email notification.

Web Applications.

Vulnerabilities within web applications pose a significant threat to your organisation’s network security. NetScan can identify all known web application vulnerabilities and provide exploit capabilities to demonstrate their impact and eradicate false positives.

Many existing web application scanners rely on parsing web pages in order to discover application components (e.g. links and forms). This approach is no longer effective when testing modern web 2.0 based applications. Components generated at runtime using JavaScript, Flash or Silverlight components will remain invisible to traditional discovery techniques.

NetScan employs two integrated crawling technologies to overcome this challenge. Our HTTP/HTML based crawler is used to components quickly and to identify hidden components through forced browsing. A second integrated crawling engine then executes web pages in the same way a normal browser would. Any embedded scripts or components then able to run as intended whilst allowing full visibility to the discovery engine. If a modern web browser such as Google Chrome can access the application, NetScan can crawl it.

• Thorough assessment of all known web application vulnerability classes such as those defined within the OWASP top ten.
• Advanced detection of DOM based Cross Site Scripting (XSS) vulnerabilities through JavaScript taint analysis.
• Decompilation and static analysis of Adobe Flash files.
• HTML5 postMessage analysis. • Confirmation of discovered flaws through safe vulnerability exploitation

Identifying False Positives.

A false positive is where a vulnerability scanner indicates there is a vulnerability when in fact there isn’t one. Sorting through scanner results to determine which reported issues are real and which are false positive is a time-consuming process. To eliminate false positives, and to provide proof of concept evidence, NetScan employs safe custom exploit techniques to actively confirm discovered vulnerabilities.

Third Party Applications Download custom filtered results and view via HTML, Docx or CSV. NetScan includes a simple JSON data API for retrieving, aggregating, processing and reporting raw vulnerability data for use in third party applications.

Complex authentication schemes are supported when NetScan is supplied with the minimal information, such as a username and password pair. Optionally, a login URL may be provided to direct the scanner where to use the credentials and for scenarios such as single sign-on. The scanner may easily be adapted to support bespoke authentication schemes that require non-standard credentials or processes.

NetScan can provide comprehensive vulnerability assessment and analysis against remote hosts to determine if a misconfiguration exists that could allow an attack to get behind the application and into sensitive data.

Please call us to discuss any aspect of your IT Requirements on 0333 200 1636 or visit our website http://www.netshield.net to find out more about the ways that our expert support and advice will improve the health of your IT.