App sec best practices: Assess risks before you pen test

Johanna Curiel, Co-founder, Ossecsoft

With the growth in cyberattacks, chances are that your organization will experience one in the near future. Ted Koppel, author of Lights Out, estimated an 80 percent chance of a cyberattack on the American electric power grid and said the US government is not prepared to face such a damaging event. If the US power grid were hacked, turning around the system could take weeks. Ukraine already faced such a crisis when its power grid was compromised last December. Fortunately, and thanks to its old infrastructure, the utility was able to get it back up within hours.

Enterprise executives tend to underestimate the chances of such a catastrophic attack happening to them. About two-thirds of IT executives think that basic compliance will stop a data breach, according to the latest SC Magazine survey. Among CISOs, 44 percent estimated their organization's chances of being hacked at 50 percent, while 37 percent said it was unlikely. But UK government research published last year showed that 74 percent of small firms in that country experienced a cybersecurity breach in 2015. There's a gap between the potential cyber risks an enterprise could face and what CISOs expect to happen. 

Enterprises need to assess the risks more accurately. By executing a risk-based assessment, you can create efficient penetration testing plans that concentrate efforts where they're most needed. Here's how you do it.

Risk-based assessment: Calculate your cyber risks

The complexity in assessing risk lies in understanding the probability of an attack. A good place to start is by using one of the detailed risk assessment methodologies available from organizations such as the ISACA or the National Institute of Standards and Technology.

According to the site, which publishes statistical data regarding the motivations behind attacks, 62 percent of attacks that occurred in February were cybercrime-related, while 30 percent involved hacktivism. But whether hackers are trying to steal data, exploit infrastructure, or kidnap your resources, it's clear that the majority are after valuable assets. Assets can come in many forms, only one of which is your data.

Figure 1. statistics, February 2016

Assessing your cyber risks: Focus on data assets

"Data is typically somebody else’s problem—until something bad happens."

Nothing could be more certain than the above statement, from Tony Hunter's book "The Data Asset: How Smart Companies Govern Their Data for Business Success." Data assets are information directly related to your business's value. As Hunter says, "Data is a corporate asset and needs to be treated and funded as a corporate asset." 

When assessing enterprise cyber risks, your first step should be to create an inventory by identifying all data assets and how each relates to your IT infrastructure. A PCI-DSS assessment, for example, defines the location of all cardholder data (CHD), creating a CHD flow and environment diagram. You can apply the same principle to create an overview of your organization's valuable data by creating a connection between the network and the applications and understanding where the highest risks of a cyberattack are.

During the assessment, you might also reconsider whether your company really needs to hold and save some data, such as credit card numbers. With the increasing risks that come with holding it, such data has become a toxic asset, says security expert Bruce Schneier.

A practical approach to risk-based assessment

Measuring risks means understanding the probability and severity of a potential attack. Cyber risks cannot be automatically assessed from a single penetration test or by examining the number of vulnerabilities. A penetration test focuses on discovering vulnerabilities, but a discovered vulnerability does not necessarily mean that the associated infrastructure components represent the highest risk.

According to cyber researcher Enrico Branca, the usual cyber risk assessment methods are complex to carry out. Instead, he advocates an alternative, the Information Gathering Risk Assessment method, which he says simplifies the assessment. The method centers on an information-gathering phase that evaluates vulnerabilities in major areas, such as network communications, operating systems, and web servers, and that includes intelligence about the organization obtained through metadata. Branca's technique involves passively scanning information associated with the target's infrastructure related to the data assets. This kind of assessment can be valuable, especially when it is necessary to evaluate cyber risks quickly.

Exploring your cyber risks: Probability (P) + Severity (S) = Risk (R)

The risk matrix is the best-known method for assessing risks. It measures the tradeoffs between two key concepts: probability and severity. Probability is the chance that an event will occur. Severity measures just how damaging potential consequences would be. Measuring cyber risks in this way will help you focus on the risks related to your infrastructure and data assets while creating an awareness of the impact that such an event would have were it to happen.


Vulnerabilities and their relation to cyber risks: Information gathering

Here's a summary representation of vulnerabilities researched by Branca that have a high correlation with cyber risks:

| Area | Type of vulnerability | Passive scanning tool |
|---|---|---|
| Network communications | SSL vulnerabilities, valid certificate, vulnerable communication, weak protocols and ciphers | URL SSL scanner |
| Web applications | Web vulnerabilities | OWASP ZAP passive scan |
| Client computers, server OS, web server OS | Disclosure of information, vulnerable servers, vulnerable OS, exploits, ransomware | NMAP, FOCA, Metasploit |
| Documents/information online | Social engineering attacks, metadata leak | FOCA, Metasploit |

Many alternatives to NMAP and FOCA are available. These two, however, are free and/or open source and have specific passive scripts and rules, among other features.

Here's a visual overview of the information-gathering process I've described:


Figure 3. Information gathering: A cyber risk assessment approach. 

You can use automated tools to scan URLs for SSL vulnerabilities, verify the validity of each certificate, and do a passive scan on your web applications using OWASP ZAP or servers using NMAP, for example. None of these techniques should execute invasive tests. Simon Bennetts, project leader for OWASP ZAP, recommends doing a passive scan while logged into the application that requires authentication, since this could uncover security issues. NMAP offers an entire module of safe and nonintrusive scripts that are very efficient at discovering OS vulnerabilities. On the other hand, you can find powerful commercial tools that can do the job.

Note that firewalls, routers, and other network components are excluded from the table above. Most cyberattacks begin with an information-gathering phase that targets web applications or unpatched web servers, frameworks, or operating systems. Social engineering is one of the key resources hackers have at their disposal. The more information hackers can find about your organization and its members, the higher the risk of a social engineering attack by way of malware or other phishing techniques.

Understanding cyber risk assessments: HackingTeam and OWASP cyber risks

Cyber risks can have widely varying impacts. Last year, HackingTeam, a Milan-based surveillance malware provider, experienced one of the most embarrassing data breaches a business of its nature could have. The 400GB data dump contained internal emails, client files, and financial information, among other sensitive documents. Part of this data even helped to reverse engineer a zero-day exploit. If HackingTeam had done a cyber risk assessment, it would have been very aware of the catastrophic effect that this event would have on the company's reputation. 

Now consider the Open Web Application Security Project. OWASP is a radical, open community in which emails and financial data are shared between members and publicly published on the Internet through mailing lists. The risks from disclosure of this information are not great, because it's already available to anyone on the Internet, but imagine if an attacker wiped out the content. The data associated with thousands of contributions gathered over many years would be lost. Restoration from backups would take time, and even then some data could be lost.

Classifying vulnerabilities, probability, and severity

Each vulnerability is already classified on MITRE Corp.'s CVE website with a CVSS score. The higher the score, the more probable it is that a business could experience an attack through the listed vulnerability, especially if it is an open, publicized exploit. Understanding what component has this vulnerability and its relation to the business data asset helps you classify the severity of the issue for your organization.

In this network communications example, the data asset is a mail server containing classified client data that users access through a webmail interface. Here are the issues produced from an SSL URL scan:

Imagine that OprahSSL is found after a quick assessment. For most businesses that require a level of confidentiality and privacy in their communications, the exploitation of such a vulnerability would have catastrophic consequences. Since the vulnerability has a high probability of being exploited, the risk in this case is extreme, and the vulnerability should be fixed as soon as possible. Notice that no invasive test has been done, and we have identified the issue before executing a penetration test. 
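
To make the classification concrete, the sketch below scores a handful of constructed passive-scan findings with R = P + S and orders them as pen-test targets. It is an added example, not code from the original article or from Branca's method; the 1-5 scales, the CVSS-to-probability bands, the level thresholds, the asset names, and the severity values are all assumptions.

```python
from dataclasses import dataclass

# Assumed 1-5 severity per data asset, taken from the data-asset inventory.
ASSET_SEVERITY = {"webmail": 5, "intranet-wiki": 3, "marketing-site": 2}

@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    cvss: float           # CVSS base score, 0.0-10.0
    public_exploit: bool  # an open, publicized exploit exists

def probability(f: Finding) -> int:
    """Map CVSS to a 1-5 probability band; a public exploit adds one."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    band = 1 + min(int(f.cvss // 2.5), 3)  # 0-2.4 -> 1 ... 7.5-10 -> 4
    return min(band + int(f.public_exploit), 5)

def severity(f: Finding) -> int:
    """Assets missing from the inventory are treated as worst case."""
    return ASSET_SEVERITY.get(f.asset, 5)

def risk(f: Finding) -> tuple[int, str]:
    """R = P + S (range 2-10), bucketed into the matrix levels."""
    score = probability(f) + severity(f)
    level = ("extreme" if score >= 9 else "high" if score >= 7
             else "moderate" if score >= 5 else "low")
    return score, level

def prioritize(findings):
    """Order pen-test targets by risk, then by asset severity."""
    return sorted(findings, key=lambda f: (-risk(f)[0], -severity(f)))

# Constructed findings, as a passive scan might report them.
FINDINGS = [
    Finding("marketing-site", "server version disclosure", 5.0, False),
    Finding("webmail", "weak TLS protocol and cipher accepted", 7.5, True),
    Finding("intranet-wiki", "document metadata leak", 4.3, False),
    Finding("webmail", "certificate close to expiry", 2.0, False),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        score, level = risk(f)
        print(f"{score:>2} {level:<8} {f.asset:<15} {f.issue}")
```

The low-scoring certificate finding on the webmail server still ranks second, because the asset it touches carries the highest severity.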

Assess first, pen test later

By using an information-gathering phase during a risk-based assessment, you'll find major risks quickly. You might think that you need to carry out pen tests in order to identify cyber risks, but that's not the case—the approach and objectives here are quite different. A cyber risk assessment is designed only to define the probability and severity of an event. 

On the other hand, risk-based assessments are not a replacement for pen testing. They serve only to help create and prioritize an inventory of potential targets based on risk. Your risk assessment should focus on finding and categorizing vulnerabilities that don't require executing an attack first. The more vulnerabilities you find during the risk assessment, the higher your level of cyber risk. 

By assessing cyber risks, you'll not only help the business identify major vulnerable areas associated with its most valuable data assets, but you'll also help to focus the organization's efforts, more deeply evaluating those vulnerabilities so that you can protect the organization against the potential consequences should an attacker attempt to exploit them.