Most IT professionals can only get through any given day on the assumption that their networks are protected against hackers. If you're among those, then you're likely satisfied that all of the basics are in place so that some random sociopath can't just log into your network, pillage your critical information, maybe plant some malware, and then leave. Question is: Are you sure?
The only way to be sure your network is really protected is to test it. You need to be sure that your operating systems (OSes) are up to date, that all of the proper application patches have been applied, and that you don't have any easily breached entry points into your network. This is in addition to practicing good network design that only lets people access what they're supposed to access, and that is properly segmented so that someone who breaches your perimeter can't do anything bad.
In short, you need to get yourself hacked so that you'll know where your weaknesses are, and then you need to fix what those (hopefully) white hat hackers found. White hat hackers are those you turn to when you want to test the quality of your network protection without involving actual bad guys or black hat hackers. What white hat hackers do is probe the defenses of your network any way they can, rating and recording your security along the way. That's called penetration testing or "pen testing," and what many IT pros don't realize is that you don't have to immediately hire an expensive pro to do it. You can start the basics of a penetration test yourself.
Highest Priority Tasks for IT and Security Professionals in 2018
"The most important thing is really vulnerability assessment, risk assessment," said Georgia Weidman, author of Penetration Testing: A Hands-on Introduction to Hacking. Weidman is also the founder and Chief Technology Officer (CTO) of Shevirah, a security company that specializes in penetration testing. "Those get overlooked. Companies waste a lot of money on penetration tests, when they have basic vulnerabilities." She said that the first thing an organization should do is perform basic vulnerability testing, and then fix the vulnerabilities before moving on to penetration testing. "Penetration testing shouldn't be your first step," she said.
Weidman also suggested making sure your company has taken the first steps in security awareness, including training on phishing and social engineering. She pointed out that the most secure network can still be penetrated if someone gives away the credentials for gaining access. These are all things that a good penetration tester would check before beginning any actual testing.
"If they're interested in how well their employees are trained for security awareness, then set up your own phishing test," Weidman said. "You don't have to pay someone to do that, and it's one of the biggest ways that people get in." She said to also use phishing through text messaging and social media.
Test Your Passwords
Weidman said that the next step is to test your organization's passwords and identity management capabilities. "Download Active Directory hashes of passwords and test them with password testers. That's something we do in penetration testing," she said.
According to Weidman, important tools for password testing include Hashcat and John the Ripper password cracker, which she said are commonly used in penetration testing. She said that, in addition to checking passwords from Microsoft Azure Active Directory, they can also be sniffed on the network by using a network protocol analyzer such as Wireshark. The goal here is to make sure that your users aren't using easily guessed passwords, such as "password," for their credentials.
While you're examining your network traffic, you should look for Link-Local Multicast Name Resolution (LLMNR) and ensure that it's disabled if possible. Weidman said that you can capture password hashes by using LLMNR. "I listen on the network and get the hashes, and then crack them," she said.
Authenticate Your Machines
Weidman said that once she's cracked the passwords, she then uses them to authenticate with the machines on the network. "There might be a local administrator because they all got imaged the same," she said. "Hopefully there's a domain administrator."
Once Weidman gets the administrator credentials, she can then use those to get into the secret areas on the machine. She said that sometimes there's a secondary authentication so she would need to crack those passwords as well.
Weidman said that, if you do your own penetration testing, then you should be careful. "When I do penetration testing, I go out of my way not to break anything," she said, adding, "There's no 100 percent certainty that nothing's going to go wrong."
Avoid Downloading Malware
Weidman said that one very useful penetration testing tool is the Metasploit free edition, but she cautions against downloading an exploit from the internet because it could also contain malware. "Don't attack yourself by accident," she warned. She said that exploits provided for testing frequently contain malware that will attack you.
Incidentally, Microsoft also provides a vulnerability assessment tool for Windows called the Microsoft Security Compliance Toolkit v1.0, which supports Microsoft Windows 10 , Windows Server 2012R2, and Office 2016.
Weidman cautions against thinking that penetration is some kind of deep dark magic. She said that instead it's important to cover the basics first. "Everybody jumps to penetration testing because it has a sexy name," she said. "But there's a lot of value to finding the low hanging fruit and fixing it first."