7 Questions with Lead Penetration Tester

Penetration tester shares his wealth of expertise and experience in an exclusive interview with CTRL Group.

We have interviewed our very own Ishaan Vij – our Lead Penetration Tester. With his experience at Infosec Ventures, Safe Security and HCL Technologies, he brings a wealth of knowledge and experience to our operations. Below he shares insights and observations that he has seen in his role:

Q: What are some of the common themes and mistakes you see in organisations?

A: Across the board, I have noticed that most organisations stick to default credentials. These are the login and passwords that come with the package, or that are very intuitive like ‘admin, admin’. These are often the causes of major breaches, as poor password management makes it very easy for hackers to breach the systems internally and externally.

Similarly, organisations generally leave their default files open. As an easy starting point for malicious actors, opened default files can give access to their confidential files, and as a result, leave organisations susceptible to breaches.

Interestingly, people are still vulnerable to MS17-010, or a series of Microsoft software vulnerabilities and exploits created back in 2017. Patches have already been designed to secure all supported Windows operating systems. Yet, the critical problem remains as many versions of Windows require the software update to be installed so they can be protected.

In short, this vulnerability affects older versions of Microsoft operating systems and was essentially a way for Windows machines to talk to one another and other devices for remote services. With the exploit unpatched, all the attacker needs to do is send a malicious packet to the target server, and the malware propagates and enables a cyberattack.

Q: Where do you see investments being driven for cybersecurity solutions?

A: At large, organisations are investing in artificial intelligence (AI), machine learning and cloud systems to minimize their risk profile. AI and machine learning can recognize patterns in data pools to enable security systems to learn and develop their innate capabilities. This is exciting because organisations can stay up to date with the latest vulnerabilities vs. what they currently store.

Another key use case for AI and machine learning is its ability to reduce incident response times and assist companies in complying with security best practices. To a large extent, that is what we do here at CTRL Group. We are always concerned with understanding the threat landscape and what it means to our clients as we monitor their assets.

In terms of investing in cloud systems – companies are migrating to cloud systems so all their systems and files can be stored off-premise. In this kind of setup, companies rely on the security of the cloud providers which minimizes their risk exposure to a large part. The theory behind it is that traffic gets to the cloud instead of being routed to the servers directly. The cloud analyzes the traffic and only allows access to legitimate users. Any traffic that the cloud does not approve is blocked from the server. Simple solution and something more companies are adopting from a security perspective.

Q: What kind of defenses are organisations looking at for the future? And how effective do you think they are?

A: There are largely three kinds of defenses that organisations are looking at for the future – security monitoring, threat detection and firewall systems. Most organisations are looking at security partners to provide monitoring services, such as a cybersecurity operations center. This is designed to provide 24×7 monitoring across the company’s assets and enable rapid response capabilities to address breaches.

Companies also want defense mechanisms to strengthen their detection capabilities such as an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). These tools can analyze network traffic for signatures that match known cyberattacks, as well as stopping suspicious packets from being delivered. The technology here is improving every day and it is proving to deliver great value as each year goes by.

Lastly, firewalls are where a lot of investments go towards protecting internal systems and web servers. As a basic measure, firewalls prevent unauthorized internet users from accessing private networks connected to the internet. As simple as this is, it significantly reduces an organisation’s risk profile when coupled with security processes and policies. It is a cost-effective and impactful approach to defending against hackers.

Q: What is your favorite type of penetration testing and why?

A: I like internal penetration testing the most because it gives me a great sense of achievement when I find business critical vulnerabilities – especially in larger organisations such as Fortune 500 companies.

Q: How well have phishing attacks evolved throughout the years?

A: Phishing attacks have become very creative over the years. The latest attacks are very authentic and manipulative at the same time. Very impressive! New styles of phishing attacks fool even the most educated and cyber-aware individuals. Many have fallen for our simulated attacks, which has led to compromising a lot of systems externally and helping us gain access to an organisation’s internal systems.

People should not forget the ramifications of a phishing attack. As an example, although Sony Pictures Entertainment had no major vulnerabilities in their systems, hackers used phishing emails to penetrate their computer networks in 2014. This happens all too often. Many top Sony executives received fake Apple ID verification emails and one victim actually provided his/her information to a fake verification form. The hackers then used these credentials in conjunction with the employees’ LinkedIn profiles to figure out their Sony network login information. Following that, the same credentials were utilized to send malware to the company’s computer networks. Links to a collection of stolen documents, financial records, and the private keys to Sony’s servers were posted online a month later.

Q: Do you think penetration testing will be automated in the future?

A: Along with everything else, I do believe that penetration testing can be automated but only to a certain extent. Manual testing will always be needed. This is because critical bugs and weaknesses in companies’ systems cannot be spotted via tools, and only with human actions and experience. In the world of hacking, you are looking at logical flaws, and constantly thinking about how one flaw can lead to another. Machines are not smart enough to tackle this kind of problem-solving.

Q: Does AI excite you?

A: AI should excite everyone! The power of AI is immense. It will touch every facet of our lives in the coming decades. I love thinking about how AI will help people in need and be a productivity booster in our day-to-day activities. We are already so reliant on technology so just imagine what else technology can help us with when it comes to our finances, health, and mental health.


***

Regardless of your sector or size, attackers see each company as a potentially exploitable prospect. It is more important than ever before for organisations to home in on cybersecurity practices and boost their capabilities to mitigate cyber risk. Read why penetration testing is important for organisations to remain safe and secure here.

If you would like to learn more about our penetration testing capabilities, get in touch with our team to set up an initial consultation.