The Power of Information
Information in today's society is an interesting topic on its own; add security to the mix and you have an all-out debate. Nearly everything we do runs on some form of information, and that is why information is power. Take a company, xyz.com, whose proprietary information is stolen in a breach. Bad for xyz.com, but consider the attackers' motivation: most of the time the goal is information that leads to financial gain. There are many breaches every year, but the exact numbers are out of scope for this article. Information is a priceless commodity that, in the wrong hands, can bring down an entire company, cost it a great deal of money, ruin reputations, and feed the attackers the data and access they need to breach the next company. That alone shows how much power information carries in our society.
So what is information? It is just about everywhere: data, databases, web pages, intellectual property, credit card numbers, identities, social security numbers, driver's license numbers, addresses, and so on. Sensitive and confidential information needs to be protected, and that starts with classifying it into categories such as Top Secret, Confidential, Internal, and Public, to name a few. If information is not classified according to its nature, how would we know what to secure and what can safely be made public? Information classification should therefore be one layer within a multi-layered information security program.
As a pentester I get a thrill out of trying to circumvent security layers and gain unauthorized access to a box, and who doesn't? But the real reason for a pentest is to identify vulnerabilities, use them to breach the organization's systems, and report the risk that the specific vulnerabilities and exploits pose to the organization. To report that risk accurately, the tester has to analyze what can be done once a system has been successfully exploited. This is called post-exploitation. Is it enough that I got a shell on a box during a pentest? No. A full-scale penetration test should include post-exploitation tasks to see what information can be gained from the attack. It is helpful to tell an organization that a server is vulnerable to remote code execution or SQL injection; it is far more valuable to show that the tester was able to identify and gain access to sensitive information inside the institution, because that is what turns a technical finding into a business risk. Many security researchers actively work on post-exploitation and on methods for obtaining different types of information from a system or network. Metasploit started porting its post-exploitation scripts into actual post modules, and Carlos Perez has done some excellent research and written some great post-exploitation scripts.
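As an added example, not the author's code and not one of the Metasploit or Carlos Perez scripts mentioned above, here is a small post-exploitation loot hunt in Python. It scans readable files for the kinds of information named earlier (card numbers, social security numbers, credentials, private keys), validates card numbers with the Luhn checksum so order IDs and phone numbers do not inflate the findings, and masks what it records so the report proves access without copying the data off the box. The paths and contents in SAMPLE_FILES are constructed for the example; scan_tree is the function you would point at a real directory on the compromised host.

```python
"""Post-exploitation loot hunt: scan readable files for information a
pentest report can actually name (card numbers, SSNs, credentials,
private keys). Added example for this post, not the author's code and
not a Metasploit or Carlos Perez script. Sample paths/contents are constructed."""
import os
import re
from collections import defaultdict

MAX_BYTES = 5 * 1024 * 1024  # skip large blobs; configs, exports and notes are the target

PATTERNS = {
    # 13-19 digits, optionally separated by spaces or dashes; Luhn-checked below
    "card_number": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "credential": re.compile(r"(?i)\b(password|passwd|secret|api_key)\s*[:=]\s*\S+"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out order IDs and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000/666/900-999, zero group or serial."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the last few characters so the report proves access without copying the data."""
    return "*" * (len(value) - keep) + value[-keep:]


def find_sensitive(text: str) -> dict:
    """Return {kind: [masked matches]} for one file's contents."""
    hits = defaultdict(list)
    for m in PATTERNS["card_number"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card_number"].append(mask(digits))
    for m in PATTERNS["ssn"].finditer(text):
        if ssn_plausible(*m.groups()):
            hits["ssn"].append(mask(m.group(0)))
    for m in PATTERNS["credential"].finditer(text):
        hits["credential"].append(m.group(1).lower())  # record the key name, never the value
    if PATTERNS["private_key"].search(text):
        hits["private_key"].append("PEM private key block")
    return dict(hits)


def scan_files(files: dict) -> dict:
    """files maps path -> text; returns {path: findings} for files with at least one hit."""
    report = {}
    for path, text in files.items():
        found = find_sensitive(text)
        if found:
            report[path] = found
    return report


def scan_tree(root: str) -> dict:
    """Walk a directory on the compromised host and scan every readable, reasonably sized file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
            except OSError:
                continue  # unreadable files are skipped, not fatal
    return scan_files(files)


# Constructed sample files standing in for what a loot hunt might turn up.
SAMPLE_FILES = {
    "/srv/app/config/db.yml": "user: app\npassword: hunter2\n",
    "/home/finance/export.csv": "name,card\nA. Smith,4111 1111 1111 1111\nB. Jones,4111 1111 1111 1112\n",
    "/home/hr/notes.txt": "new hire SSN 123-45-6789; test record 000-12-3456\n",
    "/root/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNz...\n-----END OPENSSH PRIVATE KEY-----\n",
    "/var/log/orders.log": "order 20240101123456789012 shipped, call 555-867-5309\n",
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        print(path, found)
```

Run as-is to see the constructed sample scanned; on an engagement, call scan_tree on the directories you have access to and put the resulting path list and masked values in the report. The second card in export.csv fails the Luhn check and the 000-prefixed SSN is rejected, which is the difference between "the box holds cardholder data" and a list of every long number on disk. Note that scan_tree reads files in place and keeps nothing but masked matches; exfiltrating the raw data is rarely in scope and is exactly the kind of thing a rules-of-engagement document should forbid.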
To sum this all up, information is key to every profession within the security industry. My opinion is not new; I simply felt compelled to write a brief post stating it. What prompted this article was seeing many "pentest reports" delivered to clients that were nothing more than automatically generated vulnerability scan output. That is not good, for the simple reason that a scan report does not show that a proper penetration test was conducted. For a great description of what a penetration test should include for an organization, I highly recommend heading over to PTES (the Penetration Testing Execution Standard).