Steve Stasiukonis started doing pen testing professionally in 1997, when a former classmate of his confided that his company was struggling to identify network vulnerabilities. Steve had been employed in document management and information security at that time, and saw an opportunity. He recruited a colleague and together they built a port scanner that allowed them to find vulnerabilities on machines and then identify the risks associated with companies’ security postures. They built a small company and, after a few years, sold it to a publicly traded organization. Later, when the new management wanted to go in a different direction, the two of them bought the company back.
At that time—around 2000—companies didn’t really believe they needed pen testing until after they were breached or experienced an incident. That business, Secure Network, really took off when realization dawned across industries that it was better to be preemptive.
Read on to discover what Steve has to say about pen testing!
Q: What are some of the biggest threats to businesses?
A: Well, obviously, the attacks coming in from threat actors across the globe. But some of the biggest threats right now, we're seeing ransomware – specifically, ransomware associated not just with the requests for a ransom for a decryption key, but also a ransom for the destruction of data that was exfiltrated out of the company's network. You know, everybody can recover from rebuilding systems. Everybody can recover from having to start over. It's painful, but they can do it. But when you have all your data exfiltrated and displayed on the internet and it happens to be your client's information and all their personal information and all their financial details, that is incredibly difficult to recover from. The reputational damage that occurs when that happens is so hard to deal with -- not to mention the litigation from the people who were compromised as a result. It's expensive and it's going to be a real big problem. We're seeing it already. So, for businesses today, that's a threat that they're all scared about.
Q: Do the threats vary by business size or is it sort of the same strategy across the board?
A: We haven't seen them discriminate. In the breaches that we're seeing, they don't seem to care about the size of the business. We're seeing patterns where they go by vertical market. We're seeing certain types of businesses being attacked and based upon those business sizes, you know, the amount of revenue could be different. And you know, the ransoms are still ridiculous numbers. I don't know what their strategy is. Perhaps they're shooting high in terms of ransom -- but they just seem to go after anybody who will possibly pay.
Q: We've had small and midsize businesses that sort of feel like they're not at risk because they're so small, but it seems that you're not necessarily finding that to be true?
A: Correct. For a while, we saw a pattern where they were going after print shops producing all these different publications. They were worth millions of dollars in terms of revenue for that particular business, and they got locked up. The threat actors wanted something like $2 million. Then we saw another print shop get locked up who probably ekes out maybe a little over a million dollars in a year -- and the ransom was the same. The threat actors just assume that if it was good for one, it's good for many. I think they have also realized that people are insured for this now. That's the other thing that levels the playing field regardless of business size, the thought that the business must be insured for this for let's say at least a million.
Q: So, what is the cause of most breaches?
A: I think the predominant cause is probably a lack of education on the part of users. The majority of the attacks that we've seen are the result of spear phishing, which is nothing new. It's an attack vector that is incredibly effective. Once again, I think that end users who don't understand what they're clicking are the path of least resistance.
It's an interesting question and I'll tell you why. You know, I had a CISO tell me one day, “All my people are scoring between 80 to 100% on this multiple-choice questionnaire that we put out to train them to become more security aware and not to be victims and click on links -- but we still get phished and we still have people click on stuff. It’s been so disappointing because we've made an investment in these end users and we still have a concern.”
When we started to talk to the end users, they took the test and they passed it, but they don't have any skills. They don't know how to read a URL to understand that something was fake -- that, you know, T and M were replaced by two Ns in the domain on the email. They haven't attained any skills to understand what they're actually looking at. The thing with most companies is they really have to train those end users to be very aware of what they're looking at as opposed to just meeting the criteria of a multiple-choice questionnaire quiz.
Q: That's interesting. I've read that you said the real risk isn’t breaches as much as it is intelligence gathering. Could you talk a little bit about that?
A: It’s like anything else. The good hackers that are out there, they have a plan and they put it together. They've done their homework on companies and they look into them and they identify the vulnerabilities based upon what the end users have given up. So they go to sites that are out there. For example, like the dark web diggers that have taken the stolen usernames and passwords and publicized them on the open internet. You know, if you identify a domain that belongs to a company and 200 to 300 employees have given up a password as a result of another breach, let's say like the LinkedIn breach or the Adobe breach or something from another compromised company, threat actors gather all that data and plan their attack by leveraging all those recycled usernames and passwords. If you can get a foothold into somebody's mail, you've now got a foothold into that network and you can lock that person out and start resetting passwords on systems. So, the intelligence gathering is a big deal. It is a risk. From a pen test perspective, if you leverage the intelligence, it makes gaining access to a network much, much easier.
Q: Can you talk about the different types of penetration testing?
A: The goal starts with finding the devices that belong to that particular company. So, intelligence gathering is where it starts, finding every IP that's tied to that business, perhaps even other businesses that are tied to that are an important find. So, once those are identified, then finding a vulnerability on that external perimeter-facing device is the goal. If you can exploit and leverage that and enumerate and get privilege, that's a big deal. That's why patching is so important. It's so important to make sure that everything is up to speed according to the manufacturers.
A good example is the Citrix NetScaler debacle that just happened. You know, it took a while before that patch got out, but I don't think enough people have probably even patched those devices. The external stuff is really important. The other thing is all the other external stuff that's out there – for example, web applications. Testing a web app that was stood up by a company that had a vendor write it. It's vulnerable to cross-site scripting or SQL injection. You've got to test, because if there's a coding mistake inside there and somebody is able to get privilege into that web application and then retrieve a database of usernames, passwords, PII, financial information -- it's a big deal.
People think by policing the cloud, they've eliminated some risks. You know, you've shifted risk. You've put it someplace else, so you still have to exercise due diligence on that other external stuff. You know, wireless applications could be an external thing. It could be also an internal thing. But security when it comes to pen testing for us, the external stuff -- the web application from an external perspective are the two biggest things. From an internal thing, you know, once we're on the inside of a network, it's really important to test that. The key is that you want to see it as locked down as well as the outside. So, if you get on the inside of a network and move around inside there and enumerate and get privileged and become a domain admin, there’s visibility to information that you shouldn't have.
Pen testing the inside of the network is just as important as doing a perimeter pen test. You want to make sure that you're not this one big happy family inside this network, but rather you're looking at everything on the inside being locked down just like it would be from the outside.
The other pen testing area is wireless stuff that's out there. Once again, we put a lot of faith in wireless applications and tools and systems that are out there, but I still think you need to be able to test what's happening on that thing and how you're able to authenticate to it. Air marshal your environment to make sure your employees aren't plugging stuff in and standing up their own wireless networks.
We pen test for the other different types that are out there as well.
To find out more about Steve’s thoughts on why cybercrime is booming, along with his anecdote about the time Secure Network shipped a man in a box a la Ocean’s 11, be sure to check out part 2 of our interview (coming next week)!