Carbonsec – Cybersecurity Consultancy Services Company
Cybersecurity 2021 – Man or Machine?

Continuous security testing is a major challenge in many organizations - the main reasons are a lack of trained pentesters and financial resources. How can you optimise the process and establish high-level cyber security?

16. December, 2020 by Grega Prešeren

Slovenia is one of the countries where security testing has already been established in the process of comprehensive cyber security management. This attitude is crucial when taking further steps towards cybersecurity improvements. It would be reasonable to perform a security test after any change that could affect the overall security of information assets.

Nowadays, information systems are adapting to business needs more than ever before. We add new users, change their roles (rights), and connect new devices, including the mobile ones. The settings of directories, authentication systems, firewalls, and other devices are subject to the constant business-driven changes. Furthermore, there are more and more vulnerabilities that we need to manage. Therefore, there is an increasing need for constant, continuous, and consistent security testing.

Continuous security testing is a great challenge

At least two reasons make continuous security testing pretty much impossible:

  1. A huge number of trained pentesters or equivalent security experts would be needed to offer continuous security testing to all companies. There is a shortage of these professionals, not only in Slovenia, but also worldwide, and there is no end in sight to this situation in the near future. 
  2. Such security tests would be very expensive.

The consistency of the service has always been a burning issue. For example, when you negotiate with builders to make a deal, you would most likely choose someone with references and experience, and you would probably rather pay a bit more to get higher quality. In consulting, the discrepancy between the quality and consistency of the service provided is even greater. Even if you choose the best contractor, an additional drawback is the limitations, which are a pre-agreed compromise with the client, and are often related to the price of the service.

To point out one example of such limitations: most clients prefer security testing to be performed between 8 a.m. and 4 p.m. However, hackers don’t really care about your workday. They will probably carry out the attack when you least expect it. Therefore, we recommend that tests also be performed at unusual hours.

Another advantage of night testing is that it coincides with automatic processes such as backups. During these processes, important passwords (or credential material) are sent over the network, and the pentester has the opportunity to capture and crack them, which makes the test results even more reliable. Last but not least, we must also take into account the fact that the consistency of the service provided may depend on the ‘daily form’ of the service provider, and recently also on the limitations associated with measures to contain the Covid-19 pandemic.

Nowadays, most companies are already conducting ongoing security testing. They usually use vulnerability scanners that are very user-friendly. Using CVSS, these tools also rank vulnerabilities, so companies tend to eliminate them this way – critical first, then high, and so on, as long as the elimination of the vulnerability is cost-effective.

Tackling vulnerabilities by rank can be misleading

A manual security test sometimes reveals that some critical vulnerabilities cannot be exploited at all. On the other hand, quite often some very important vulnerabilities are ranked at the info level. It may also happen that two vulnerabilities with a lower rank can be exploited together, but not individually. This phenomenon is called vulnerability chaining. In such cases, the model of eliminating vulnerabilities by rank is not appropriate: we usually do not eliminate all the vulnerabilities that can be exploited, and we may instead spend effort on vulnerabilities that could not have been exploited anyway.

Therefore, it would be better to try another approach: to manage possible exploits instead of vulnerabilities. A tool that enables such tests is quite a novelty in the industry; its advantage is that it detects vulnerabilities as well as tests the actual possibilities of intrusion. And most importantly: it reveals the root vulnerability which enables us to break the chain of vulnerabilities if we eliminate it. This prevents the possibility of intrusion, although there are other vulnerabilities in the chain. And this is our main goal: to prevent exploits and intrusions.
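The following is an added example, not code from the original post or from any product it mentions. It models a constructed set of scanner findings with CVSS-style ranks next to the exploit chains a test actually confirmed, and contrasts "fix the highest-ranked findings first" with "fix the root of each chain"; the finding names, ranks and chains are all assumptions for illustration.

```python
# Added example: fixing by rank vs. breaking exploit chains at their root.
# Constructed findings: name -> scanner rank (1 = info, 2 = low, 3 = high, 4 = critical)
FINDINGS = {
    "legacy-tls-on-appliance": 4,          # critical by CVSS, but on no confirmed chain
    "smb-signing-disabled": 2,             # low on its own
    "llmnr-enabled": 1,                    # info on its own
    "service-account-weak-password": 2,    # low on its own
    "dcsync-rights-on-svc-account": 3,     # high, only usable once the account is owned
}

# Constructed chains confirmed by testing: every finding in a chain must be
# present for the chain to work; the first finding in each list is its root.
CHAINS = [
    ["llmnr-enabled", "smb-signing-disabled"],                          # relay -> local admin
    ["service-account-weak-password", "dcsync-rights-on-svc-account"],  # cracked svc -> domain admin
]

def exploitable(findings):
    """Findings that sit on at least one chain that is still complete."""
    return {f for chain in CHAINS if all(c in findings for c in chain) for f in chain}

def remaining_after_fix(findings, fixed):
    """The finding set once the given findings have been remediated."""
    return {f: r for f, r in findings.items() if f not in fixed}

def fix_by_rank(findings, budget):
    """Remediate the `budget` highest-ranked findings; report what is still exploitable."""
    fixed = sorted(findings, key=lambda f: -findings[f])[:budget]
    return fixed, exploitable(remaining_after_fix(findings, fixed))

def chain_roots(findings):
    """The root finding of every chain that is currently complete."""
    return {chain[0] for chain in CHAINS if all(f in findings for f in chain)}

if __name__ == "__main__":
    print("exploitable now:", sorted(exploitable(FINDINGS)))
    fixed, still = fix_by_rank(FINDINGS, budget=2)
    print("rank-first fixes:", fixed, "-> still exploitable:", sorted(still))
    roots = chain_roots(FINDINGS)
    print("root fixes:", sorted(roots),
          "-> still exploitable:", sorted(exploitable(remaining_after_fix(FINDINGS, roots))))
```

With a budget of two fixes, the rank-first approach spends one fix on the unexploitable "critical" finding and leaves the info/low relay chain intact, while fixing the two chain roots (one low, one info) leaves nothing exploitable.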

Use strong passwords

I would also like to point out a vulnerability that exists in most networks but is not detected by any vulnerability scanner: weak passwords. Passwords that comply with outdated guidelines on length, complexity, frequency of change, etc. are often weak nonetheless, because they can still be found by dictionary attacks. Therefore, it is very important to check for such vulnerabilities with an automated password cracking tool.

Which security testing can be fully automated?

Automation makes sense and is possible for technologies that are used in most companies. These are called domain technologies; the Windows domain is the typical case, together with protocols such as NetBIOS, SMB, LDAP and the different versions of NTLM. Vulnerabilities found in these technologies are very similar or even identical across companies, especially where default settings are used. To show the possible consequences of a cyber intrusion, it also makes sense to automate lateral and vertical movement, which shows how an attacker can use one compromised device to compromise other devices on the network and reach the most confidential information. This is exactly the point where manual security tests performed by pentesters encounter an important obstacle: the time available for the project. Most pentesters are able to perform lateral movement, but they usually run out of time.

Automated penetration testing by the book

Or, as pentesters like to put it: follow a methodology. One of the recognized methodologies is called PTES and follows 7 key steps. It turns out that all of these steps can be automated, with the findings of each step feeding into the following ones. To preserve integrity, it is reasonable to include all techniques of the MITRE ATT&CK framework.

Many doubt the reality of automation. But it is malware itself that proves it is possible. A forensic analysis of ransomware can be found online, showing the techniques used by the MITRE ATT&CK framework. If black-hat hackers know how to automate this, why wouldn’t the white-hat ones do it as well?

Technologically, the automation of security tests can be performed in two ways: with or without an agent. The agent-free solution runs a real automated pentest and can test all devices on your network. The solution with an agent performs attack simulations on and between devices that have the agent installed. Each solution comes with advantages and disadvantages.

However, the key message is the common feature of both types of tools: they do not report false positives. Why? Because these tools not only detect vulnerabilities, but also safely check for possible exploitation of these vulnerabilities.

1000 pentesters on their job while you’re having your morning coffee

The results of automated security tests have so far always surprised both the customer and us. We were usually just having our morning coffee when the computer with PcySys PenTera installed already cracked several domain passwords and gained the privileges of a domain administrator. It gained complete control over the Windows domain. And most importantly, once the initial integration is complete, such a security test can easily be performed by anyone in the company. Feels like 1000 pentesters are just a click away … anytime.

What would an optimised security testing be like?

At Carbonsec, we see the future of security testing in the perfect ratio between automation and manual testing. Automation makes sense and is possible when using the right tools. This is the only way we can continuously and consistently perform security tests that give relevant results: which intrusions are actually possible on your network. However, automation does not and cannot work for all technologies. Typically, dedicated applications (web, mobile as well as client) still need to be tested by qualified pentesters. The same applies to demanding analyses of network architectures and other forms of cyber security consulting.

These new tools allow us to intensively focus on testing those segments of the network where our work is irreplaceable.
