We’ve discussed the importance of penetration testing a lot recently because many organisations aren’t aware that it should be an essential part of any cyber security strategy. Many successful attacks could have been mitigated – or prevented altogether – with effective testing, but too few organisations commit to regular tests.
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
This blog focuses on crimeware, following our discussions of web application attacks, insider threats and POS intrusions. Crimeware is a type of malware designed specifically to automate cyber crime. It has many uses, but the most prominent is to encrypt users’ data and demand money for the decryption key. This forms its own subcategory, ransomware, a term that reached the global conscious with the WannaCry attacks in spring 2017.
However, many other notable recent cyber attacks were also caused by crimeware.
- In 2016, millions of people across the world were targeted by Locky, a form of ransomware that tricked users into opening a compromised Microsoft Word document. Victims were sent the documents by email and encouraged to enable macros. If they did, a malicious executable ran and encrypted the user’s files. They were then told to buy a decryption for between approximately £140 and £280 (payable in bitcoins). It’s unknown how many people paid the ransom, but ZDNet reports that, in general, about two thirds of people meet criminals’ demands. We always recommend that you don’t pay ransoms, as there is no guarantee that your files will be returned. Locky resurfaced in August 2017, but was limited almost exclusively to the US.
- ATM malware is currently available to buy on the dark web, according to Kaspersky Lab. The malware is posted on an online market and can reportedly empty ATMs with a vendor-specific application programming interface without the need to tamper with the bank’s users or their data. The malware costs $5,000 (about £3,800), which is expensive for an off-the-shelf exploit kit. In July 2017, Proofpoint discovered malware for sale for as little as $7 (about £5).
- A little more than a month after WannaCry, a second massive cyber attack struck hundreds of organisations across the globe. Dubbed NotPetya (for its similarity to the Petya malware), the malicious code targeted Windows operating systems, infecting the master boot record to execute a payload that encrypted the NTFS file. Researchers initially thought it was ransomware, as infected users were given a ransom demand, but this turned out to be a ruse. NotPetya was a wiper, meaning it deleted files and there was no way of recovering them.
How can penetration testing help?
Organisations can be infected by crimeware in many ways, but it mostly comes down to technical vulnerabilities (as with NotPetya and the ATM malware) or human error (as with Locky).
According to an August 2016 report from Osterman Research, emails with malicious links and malicious attachments account for 59% of ransomware infections. Seeing malware authors bundle leaked exploits in order to improve propagation rates highlights the need for testing of the internal corporate network. This is something that is often overlooked in favour of purely testing the perimeter.
A network penetration test will assess the resilience of your infrastructure security controls and the ways an attacker might gain unauthorised access. These tests look for holes in your network perimeter, looking at, for example, web servers, firewalls and Wi-Fi.
A social engineering penetration test combines our Simulated Phishing Attack and Phishing Staff Awareness Course to help you identify and address your staff’s vulnerability to social engineering threats. It will teach your employees how to spot the signs of phishing emails and respond to them.
IT Governance is a CREST-accredited provider of penetration tests, and we offer a range of services to help organisations of all sizes manage their cyber security strategies.
If you want to learn more about penetration testing and how we conduct our tests, you should watch our webinar Cyber security: protecting your business with cost-effective penetration testing. You’ll find out:
- How penetration testing can help prevent the most common types of attack;
- The differences between a penetration test and a vulnerability assessment;
- Why penetration tests are vital to uncovering vulnerabilities before criminals do; and
- How to conduct a penetration testing programme.
You can download this webinar from our website, where you can also browse our full back catalogue and see what we’ll be covering in the future.