Why Full-Scope Penetration Testing Matters // Your Castle has No Walls.

We often hear from prospective clients that they have a third party perform external penetration testing every year and it never finds anything serious, so if the attackers can't get in from the outside, why bother testing anything else? At first the logic seems sound. Using a castle as an analogy for the network: you've built a castle with really strong walls, and if nothing can breach the walls, then the squishy villagers, the rulers, and the royal jewels inside are safe and secure. This thinking follows the traditional 90s style of network architecture, where the only route into the corporate network was through the border firewall, via the modem: the one hard line into the office.

Over the last decade, the network border has begun to dissolve, and quickly. Where many organizations used to have a single uplink to the internet, they now have multiple redundant uplinks, and they have wireless networks, sometimes several for different purposes. The squishy villagers we talked about earlier are now walking in and out of the castle every day with miniature computers in their pockets, some of which ship with 8 cores and 4+GB of RAM. Each of these phones comes with its own uplink to the internet, courtesy of the cellular provider. The manufacturers aren't releasing or approving updates for the phones (https://duo.com/blog/duo-analytics-android-device-security-article). The villagers probably aren't installing the updates that are released, and they're installing vulnerable software on their phones without knowing it (https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html).

So you may then say that you have a BYOD policy which states that the villagers aren't allowed to connect their personal devices to the castle wireless. Ha Ha! Foiled those pesky hackers again! But do you actually have any technical controls which prevent the villagers from joining their personal devices to the corporate Wi-Fi? The password to the wireless network is stored in plaintext on their corporate laptop or phone, and some of your users probably know this. Have you tested that there is functional segmentation between your corporate/guest wireless and your internal network? Do you have monitoring for when unauthorized devices enter the network? Probably not.
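One way to start answering the last two questions above (is anything watching for unauthorized devices, and are corporate assets actually confined to the segments they belong on), as an added example that is not from the original post or its authors: a small Python audit that reads DHCP server log lines and compares every lease against an asset inventory. Everything in it is a constructed assumption for illustration: the ISC dhcpd-style syslog lines, the inventory, and the interface names `corp0` (managed corporate segment) and `guest0` (guest segment).

```python
import re
from dataclasses import dataclass

# Constructed ISC dhcpd-style syslog lines (not real captures).
SAMPLE_LOG = """\
Mar  3 09:12:01 dhcp dhcpd: DHCPACK on 10.10.20.15 to 3C:52:82:AA:BB:01 (FIN-LAPTOP-07) via corp0
Mar  3 09:12:44 dhcp dhcpd: DHCPACK on 10.10.20.88 to a4:83:e7:11:22:33 (Alices-iPhone) via corp0
Mar  3 09:13:10 dhcp dhcpd: DHCPACK on 192.168.50.12 to 3c:52:82:aa:bb:02 (FIN-LAPTOP-08) via guest0
Mar  3 09:13:30 dhcp dhcpd: DHCPACK on 192.168.50.40 to 8c:85:90:44:55:66 via guest0
Mar  3 09:14:02 dhcp dhcpd: DHCPDISCOVER from 3c:52:82:aa:bb:01 via corp0
"""

# Constructed asset inventory: MAC -> (owner, segments the asset is cleared for).
INVENTORY = {
    "3c:52:82:aa:bb:01": ("finance", {"corp0"}),
    "3c:52:82:aa:bb:02": ("finance", {"corp0"}),
}

# Segments where only inventoried devices belong; anything else is guest/open.
MANAGED_SEGMENTS = {"corp0"}

# Only DHCPACK lines mean a device actually obtained an address on a segment.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\S+) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Finding:
    kind: str       # "unknown_on_managed" or "asset_on_wrong_segment"
    mac: str
    ip: str
    iface: str
    hostname: str   # empty string when the client sent no hostname


def parse_acks(log_text):
    """Yield (ip, mac, hostname, iface) for each DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            # Normalise MAC case so inventory lookups are exact.
            yield m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]


def audit(log_text, inventory=INVENTORY, managed=MANAGED_SEGMENTS):
    """Return one Finding per (MAC, segment) pair that violates the inventory policy."""
    findings = []
    seen = set()
    for ip, mac, host, iface in parse_acks(log_text):
        key = (mac, iface)
        if key in seen:          # report each device/segment combination once
            continue
        seen.add(key)
        entry = inventory.get(mac)
        if entry is None:
            # Unknown hardware is expected on guest segments, not on managed ones.
            if iface in managed:
                findings.append(Finding("unknown_on_managed", mac, ip, iface, host))
        elif iface not in entry[1]:
            # A managed asset showing up on a segment it is not cleared for.
            findings.append(Finding("asset_on_wrong_segment", mac, ip, iface, host))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind}: {f.mac} ({f.hostname or 'no hostname'}) got {f.ip} via {f.iface}")
```

On the constructed log this flags the phone that obtained a corporate lease and the finance laptop that joined the guest segment, while the unknown device on `guest0` is treated as normal. Note what this does and does not prove: it shows who is getting addresses where, which is the monitoring the post asks about, but a lease on the guest segment says nothing about whether that segment can reach internal hosts. The segmentation question still has to be tested from inside the guest network.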

Speaking of unauthorized entry, have you ever tested the security of the locks on your building? On your server room? Do you know that the key fob or badge your villagers use to badge in and out of the castle every day is almost certainly easy to clone? Setting unauthorized entry aside, have you ever considered what an authorized visitor with malicious intent could do in your facility if left alone for 10-15 minutes? How long do you think it takes to install a small hardware backdoor somewhere in the network? (As long as it takes to find an unguarded Ethernet port.) How long do you think it takes to compromise an unlocked workstation? (Under 30 seconds.) This might sound like a scary series of questions, but stop for a minute and actually think about it. Have you ever actually tested any of these internal controls, or do you just assume that the person you paid to install them knew what they were doing?

These are the sort of questions full-scope penetration testing seeks to answer for your organization. You might have policies and technical controls in place, but are they functioning as intended, and are you even protecting the right things?
