What to ask a prospective pentesting firm and common pentest findings.
Guest Speaker: Brian Johnson, President of 7 Min Security.

Some questions to ask a prospective pentest firm:
- How long has your firm been in the pentesting business?;
- What methodology and/or framework does your pentesting practice follow?;
- What certifications do your testers have?;
- Note: there are a TON of certifications out there. A common one is CEH (Certified Ethical Hacker). [Brian] think[s] it’s a decent certification, but [Brian] like[s] to see organizations that hold Offensive Security certifications (https://www.offensive-security.com/courses-and-certifications/) such as OSCP (Offensive Security Certified Professional), as that training is completely hands-on and concludes with a 24-hour exam! From [Brian's] experience, the folks carrying OSCP know their stuff and can apply those skills effectively on a pentest.
- How will you keep our organization’s people, property, systems and data as safe and secure as possible during your pentesting activities?;
- Can you provide some references for past customers?; and,
- Can you provide some sample sanitized reports you’ve done for past customers?
Common pentest findings:

- Weak passwords. Solutions like SafePass.me or this open source password filter DLL (https://github.com/JacksonVD/PwnedPasswordsDLL-API) hook into Active Directory password changes and block users from picking any of the millions of known-breached, common or otherwise weak passwords.
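The core of what such a filter does is check a candidate password against the Pwned Passwords list without ever sending the password itself. The added example below is not the DLL's or SafePass.me's code; it shows the k-anonymity lookup the Pwned Passwords range API supports (SHA-1 the password, send only the first five hex characters, compare the returned suffixes locally). The function names are this example's own, and the range response used for the demonstration is constructed inline (with made-up counts) so the script runs offline; the default lookup does a live query.

```powershell
# Added example: Pwned Passwords k-anonymity check, the lookup a password filter performs.
# Not the linked DLL's code. The real filter runs this logic inside a PasswordFilter DLL
# loaded by LSASS; here it is a plain function so it can be tried from a console.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    try {
        ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally { $sha1.Dispose() }
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Takes a 5-character hash prefix and returns the range response body
        # ("SUFFIX:COUNT" per line). Defaults to a live query; tests pass an offline stub.
        [scriptblock]$RangeLookup = {
            param($Prefix)
            Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$Prefix"
        }
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)      # the only thing that leaves the host
    $suffix = $hash.Substring(5)         # compared locally against the returned list
    $body   = & $RangeLookup $prefix
    foreach ($line in ($body -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            return [int]$parts[1]        # how many breach records contained this password
        }
    }
    return 0                             # not present in the range: allow it
}

# Constructed offline stand-in for the response to /range/5BAA6 (SHA-1("password") starts
# with 5BAA6). The counts are made up; the suffix for "password" is the real one.
$constructedRange = @"
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
"@

$offline = { param($Prefix) $constructedRange }

# A password filter would reject the first and allow the second.
Test-PwnedPassword -Password 'password' -RangeLookup $offline
Test-PwnedPassword -Password 'correct horse battery staple 2019' -RangeLookup $offline
```

Drop the `-RangeLookup` argument to query the live API (network access required). A production filter should also fail closed or open deliberately when the API is unreachable, and cache range responses, since every password change otherwise becomes an outbound HTTPS call from a domain controller.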
- Insecure network protocols. This is one of [Brian's] favorite articles to show how certain network protocols can be abused, but also how to defend against that abuse: https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning/.
- IPv6 enabled. IPv6 is on by default in most versions of Windows, and even on networks that never use it, an attacker on the local segment can answer the DHCPv6 requests Windows hosts send, become their DNS server, and relay or capture/crack the resulting user credentials. If you don’t have a legitimate need for IPv6 in your environment, it’s probably a good idea to disable it. See the “mitigating ipv6” section of this article: https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
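The two findings above (LLMNR/NBT-NS poisoning and DHCPv6/IPv6 abuse) share the same fix: turn the protocols off, or block the traffic, on every Windows host. The added example below is not from either linked article; it is one elevated PowerShell script that applies those mitigations and reads them back for verification. Function names are this example's own; the registry locations and the NetBIOS option value are Microsoft's documented ones, and a reboot is required for the IPv6 change to take effect.

```powershell
# Added example: host-level mitigations for LLMNR, NBT-NS and DHCPv6/IPv6 abuse.
# Run in an elevated PowerShell. In a domain, push the same settings by GPO instead.

function Disable-Llmnr {
    # Same setting as the GPO "Turn off multicast name resolution"
    # (Computer Configuration > Administrative Templates > Network > DNS Client).
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name 'EnableMulticast' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Disable-NbtNs {
    # TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled. Per IP-enabled adapter.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
            if ($r.ReturnValue -ne 0) {
                Write-Warning "SetTcpipNetbios failed on $($_.Description): return code $($r.ReturnValue)"
            }
        }
}

function Disable-IPv6 {
    # 0xFF disables all IPv6 components except the loopback interface (Microsoft KB 929852).
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    New-ItemProperty -Path $path -Name 'DisabledComponents' -Value 0xFF -PropertyType DWord -Force | Out-Null
}

function Block-Dhcpv6 {
    # If IPv6 has to stay on, at least stop hosts from talking to a rogue DHCPv6 server.
    # The client sends from UDP 546 to UDP 547; a rogue server answers in the other direction.
    if (-not (Get-NetFirewallRule -DisplayName 'Block DHCPv6 (outbound)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block DHCPv6 (outbound)' -Direction Outbound `
            -Protocol UDP -RemotePort 547 -Action Block | Out-Null
    }
    if (-not (Get-NetFirewallRule -DisplayName 'Block DHCPv6 (inbound)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block DHCPv6 (inbound)' -Direction Inbound `
            -Protocol UDP -LocalPort 546 -Action Block | Out-Null
    }
}

function Test-ProtocolHardening {
    # Read every setting back so the change can be verified here or audited on other hosts.
    $llmnr = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
                -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $ipv6  = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
                -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    $nbt   = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                Select-Object -ExpandProperty TcpipNetbiosOptions
    [pscustomobject]@{
        LlmnrDisabled = ($llmnr -eq 0)
        NbtNsDisabled = (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0)
        IPv6Disabled  = ($ipv6 -eq 0xFF)
        Dhcpv6Blocked = [bool](Get-NetFirewallRule -DisplayName 'Block DHCPv6 (outbound)' -ErrorAction SilentlyContinue)
    }
}

Disable-Llmnr
Disable-NbtNs
Disable-IPv6
Block-Dhcpv6
Test-ProtocolHardening
```

Run `Test-ProtocolHardening` on its own against a host that has not been touched to see the "before" picture; all four fields should read False on a default Windows install. Blocking DHCPv6 is the fallback for hosts that genuinely need IPv6, not a substitute for disabling it where it is unused.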
- Unpatched systems. [7 Min Security] often find at least one desktop or workstation that has fallen out of the patch cycle completely or is way behind on patches, and take that system over to further [their] influence in the network.
- Passwords stored in Active Directory Group Policy Objects. Back in the day, Group Policy Preferences let you set an account password (typically a local administrator) inside a GPO and push it out to machines. The value is stored as a cpassword attribute in XML files under SYSVOL, which every domain user can read.
- Unfortunately, the AES key used to encrypt those values is public knowledge (Microsoft published it in the protocol documentation), meaning if we find encrypted password values on a pentest, we can decrypt them instantly; no cracking required. Microsoft has a great write-up on this issue, and a script to audit your environment for these vulnerable passwords, here: https://msrc-blog.microsoft.com/2014/05/13/ms14-025-an-update-for-group-policy-preferences/.
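To see why "decrypt instantly" is the right phrase, the added example below (not Microsoft's audit script, and not a tool from the talk) walks SYSVOL-style XML for cpassword attributes and decrypts each one with the published key. The key bytes and the scheme (AES-256-CBC, all-zero IV, PKCS#7 padding, UTF-16LE plaintext, base64 with the padding characters stripped) are the documented ones. Function names are this example's own, and the Groups.xml it scans is constructed inline, with the cpassword produced by encrypting a made-up password under the same public key, so the script runs without access to a domain.

```powershell
# Added example: find and decrypt Group Policy Preferences cpassword values.
# The 32-byte AES key below is the one Microsoft published for GPP (MS-GPPREF), which is
# exactly why any domain user who can read SYSVOL can recover these passwords.
$GppAesKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key     = $GppAesKey
    $aes.IV      = New-Object byte[] 16          # GPP uses an all-zero IV
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    return $aes
}

function ConvertFrom-GppPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips base64 '=' padding; restore it before decoding.
    $padded = $CPassword + ('=' * ((4 - ($CPassword.Length % 4)) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = New-GppAes
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [System.Text.Encoding]::Unicode.GetString($plain)
    } finally { $aes.Dispose() }
}

function ConvertTo-GppPassword {
    # Only used here to build the constructed sample; GPP itself did this on the admin's box.
    param([Parameter(Mandatory)][string]$Password)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes = New-GppAes
    try {
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        return [Convert]::ToBase64String($cipher).TrimEnd('=')
    } finally { $aes.Dispose() }
}

function Find-GppPassword {
    # Walks a SYSVOL (or any copy of it) and reports every cpassword it can decrypt.
    param([Parameter(Mandatory)][string]$SysvolPath)
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $SysvolPath -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object {
            [xml]$doc = Get-Content -Path $_.FullName -Raw
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                [pscustomobject]@{
                    File     = $_.FullName
                    UserName = $node.GetAttribute('userName')
                    Password = ConvertFrom-GppPassword -CPassword $node.GetAttribute('cpassword')
                }
            }
        }
}

# Constructed sample: a minimal Groups.xml in a temp directory, standing in for
# \\domain\SYSVOL\domain\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml.
$sampleRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'gpp-sample'
$groupsDir  = Join-Path $sampleRoot 'Machine\Preferences\Groups'
New-Item -Path $groupsDir -ItemType Directory -Force | Out-Null
$cp = ConvertTo-GppPassword -Password 'Sample-Local-Admin-Pw1'
@"
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" cpassword="$cp" />
  </User>
</Groups>
"@ | Set-Content -Path (Join-Path $groupsDir 'Groups.xml') -Encoding UTF8

Find-GppPassword -SysvolPath $sampleRoot | Format-Table -AutoSize
```

Against a real domain, point it at the share: `Find-GppPassword -SysvolPath "\\$env:USERDNSDOMAIN\SYSVOL"`. Any hit means the password is exposed to every authenticated user; the fix is to delete the preference item (MS14-025 only stops new ones from being created) and rotate the password it carried.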