Most companies recognise the need for security and the need to evaluate that security independently. The traditional approach is an annual penetration test performed by a company like us. We test the external IP addresses, the web application and then perform testing inside the network. The output of these tests is a very detailed and formal report. The problem is that the content of the reports, the details of the security issues we find, is generally predictable and avoidable. We find a huge number of issues that should be simple to find and avoid. This is not the high end of pen testing; it's not zero-day exploits that require someone very experienced to find. These are simple issues that should never exist.
For example, issues we often find include:
- Blank MSSQL password
- Default password on a power distribution board
- Default password on the external firewall
- Versions of Windows so old that they are no longer supported
So what can companies do to better manage their security testing and use consultant penetration testers for the complex work, like crafting exploits, encoding payloads and defeating WAFs? We want to find the holes you don't know about and show you how to fix them.
Our PenTest Portal is designed to do just that: to show our clients how to find some of the basic security issues themselves and establish basic practices, such as:
- Patching – make sure everything is up to date.
- Policies – you need simple build policies. Don't install things you don't need. Don't let users install software. Remove things you don't need, so there is less to attack.
- Defaults – turn off all the defaults (vendors leave every default on because it makes the system compatible with everything, e.g. weak SSL ciphers, but you don't need them).
- Passwords – change the passwords that are set by default, make sure they are not predictable (e.g. the company name, which we find a lot) and change them frequently.
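The password checks above are the kind of thing an administrator can run against a build checklist before a tester ever arrives. The following is an added example, not code from CNS or the PenTest Portal: it audits a set of account passwords for the three findings the post names (blank, vendor default, contains the company name) plus a minimum length. The account list and the default-password list are constructed sample data, and the light "leet" normalisation is an assumption about how a predictable company-name password is usually dressed up.

```python
"""Password hygiene audit for the predictable credentials described in the post.

Added example, not CNS's PenTest Portal code. It assumes the auditor already
holds the plaintext passwords from a build checklist, and compares them against
a small constructed list of vendor defaults.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of well-known vendor defaults; extend from your own asset register.
KNOWN_DEFAULTS = {"admin", "password", "sa", "changeme", "root", "1234"}

MIN_LENGTH = 12  # assumed policy minimum, not a value from the post


@dataclass
class Finding:
    account: str
    reason: str


def _normalise(s: str) -> str:
    """Lower-case, fold common digit/symbol substitutions and drop non-letters,
    so 'Acm3C0rp!' still matches 'acmecorp'."""
    table = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                           "5": "s", "@": "a", "$": "s"})
    return re.sub(r"[^a-z]", "", s.lower().translate(table))


def audit_password(account: str, password: str, company_name: str) -> list[Finding]:
    """Return every hygiene finding for one account's password."""
    findings: list[Finding] = []
    if password == "":
        # A blank password is the worst case (the blank MSSQL sa finding);
        # nothing else is worth reporting on top of it.
        findings.append(Finding(account, "blank password"))
        return findings
    if password.lower() in KNOWN_DEFAULTS:
        findings.append(Finding(account, "vendor default password"))
    company = _normalise(company_name)
    if company and company in _normalise(password):
        findings.append(Finding(account, "contains company name"))
    if len(password) < MIN_LENGTH:
        findings.append(Finding(account, f"shorter than {MIN_LENGTH} characters"))
    return findings


def audit_accounts(accounts: dict[str, str], company_name: str) -> list[Finding]:
    """Audit a mapping of account name -> password and collect all findings."""
    out: list[Finding] = []
    for account, password in accounts.items():
        out.extend(audit_password(account, password, company_name))
    return out


if __name__ == "__main__":
    # Constructed sample checklist; the company name is also made up.
    sample = {
        "MSSQL sa": "",
        "firewall admin": "admin",
        "pdu console": "Acm3C0rp!",
        "backup service": "correct-horse-battery",
    }
    for finding in audit_accounts(sample, "Acme Corp"):
        print(f"{finding.account}: {finding.reason}")
```

Run it over a real checklist by replacing the `sample` dictionary; any account that produces a finding is one of the "simple issues that should never exist" and can be fixed before the annual test rather than appearing in its report.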
If companies followed the simple actions above, 95% of our current reports wouldn't exist and we would spend our time finding the really complex issues that you need expert help to find and avoid.
CNS have built the PenTest Portal as a training tool for their customers. We run workshops from our office for those wishing to learn how to penetration test and those who are interested in finding out what it's all about.
Give us a call if you'd like to have a go.