Georgia Weidman on penetration testing and the future of cybersecurity
Georgia Weidman wrote the book on ethical hacking (literally). Since its publication in 2014, Penetration Testing: A Hands-On Introduction to Hacking has helped numerous students and aspiring security professionals get their start in the field.
When Weidman herself was just beginning to study cybersecurity, though, the idea of “ethical hackers” was still a foreign concept to her. However, when she first encountered them at university, she knew she’d found her calling. As Weidman recalls:
I competed in the Collegiate Cyber Defense Competition (CCDC) when I was in college. The student task was awful: Defend a network actively under attack while keeping business running. But the red team that was tasked with making our lives miserable seemed to be having a good time. I didn’t know much about hacking yet, so someone putting up a message box on my desktop that said “I like turtles” seemed really cool.
Before that I thought all hackers were criminals. Seeing ethical hackers at work, I knew I wanted to be like them when I “grew up”.
Weidman’s technical skills are formidable, and her book gives readers an in-depth introduction to the fundamental tools and technologies used in penetration testing. But she’s quick to point out that the day-to-day work of a penetration tester is about much more than just breaching insecure networks — and that to function effectively as a pentester in a professional setting, oft-overlooked “soft skills” are essential:
Even more important than technical skills are communication skills. The goal of a pentest is to help your clients improve their security posture. They can’t do that if your written report is incomprehensible or your responses to customer questions are ineffective. Particularly important is being able to convey technical information in a way that can be understood by non-security people.
Poor communication is something that the cybersecurity industry at large still wrestles with. Enterprise IT personnel struggle to get across the importance of phishing awareness and regular updates to non-technical staff. Data breach experts lament the fact that companies are often reluctant to engage third-party researchers when they attempt to disclose a breach (when they aren’t completely uncontactable).
The world of penetration testing is no exception to this trend. Many companies are resistant to penetration tests and red team activities, either failing to see the value in such tests or harboring suspicions about external groups accessing their networks. In fact, the role of penetration testers is so poorly understood that a few security professionals have even been arrested in the course of their work!
There is clearly an issue with people’s awareness — or lack thereof — of the work of ethical hackers. Weidman acknowledges this, but she also says that the cybersecurity industry itself shares a large part of the blame for the current state of affairs:
Part of the problem, I think, is that the public’s perception of hackers and hacking is incredibly negative. The average person’s mind immediately jumps to a criminal in a black hoodie. People don’t think of hackers as the people toiling to make the world a more secure place for all. So naturally the idea of turning hackers, even professional-looking ones in business attire, loose on their networks is a bit scary.
Another part of the problem comes from the security industry itself. One need only browse the vendor area at a security conference to see that there are a multitude of solutions to any security problem that might ail your enterprise. Almost without fail the marketing literature is something to the effect of “If you install our product, all your security problems will go away.” Well, all these companies that are being breached had things like next generation firewalls, intrusion detection, data loss prevention, etc. So what gives?
We in pentesting know that sophisticated attackers buy or pirate the preventative solutions companies use to ensure the attacks are able to get through. Additionally, security is far from a one size fits all industry. Even if the preventative solution you buy is effective at decreasing the risk of a problem that your network has, it will need to be monitored and tuned to meet your individual needs.
But it is easy to see why “Install our product and all of your security problems will go away” trumps “If you perform a penetration test, you will understand your risks and the steps necessary to mitigate them.” I’d buy the preventative product too, even though you need to do security assessments to even know what preventative technologies will actually help you. I know that, you know that, but the general public does not know that.
The overall lack of understanding of cybersecurity and the work of security professionals has far-reaching consequences. And unfortunately, it’s not just people working in the industry, or in enterprise settings, who are affected.
As Weidman notes, the average user’s misunderstanding of cybersecurity — fueled by sensationalistic media coverage and abetted by the security industry’s own marketing efforts — can lead to a dangerous kind of apathy:
The biggest issue is that the general public sees hacking almost as a sort of dark magic. How can we possibly protect ourselves against that? Especially with the constant barrage of media coverage of big companies and governments being breached by “sophisticated attacks” wielded by “nation-state” actors, there seems to be an air of inevitability about being hacked. If there’s nothing we can do to stop it, why bother following any security best practices at all?
On the other hand, security vendors are preying on this fear with promises that their apps and products can solve your security problems. The same companies that are selling en masse to enterprises often have a personal edition for your phone and laptop. If you’ve paid $39.99 to Silver Bullet Company LLC, then you don’t have to worry about those pesky pop-ups asking you to update your computer, right? And yet most of the attacks you run into as an individual can be thwarted with some basic security hygiene.
Getting people to take responsibility for their own security, and to educate themselves about how to do this, is something we stress quite frequently. But, perhaps naturally, we usually think in terms of defense: making a system as secure as possible in order to thwart all possible threats.
We asked Weidman to offer security recommendations from the perspective of a potential attacker — in other words, to tell us what an everyday computer user could do to make themselves so “hard to hack” as to discourage a malicious actor:
The low-hanging fruit, or easy wins, for penetration testers and attackers alike are missing patches, insecure credentials, and phishing. A large percentage of breaches come down to these things rather than sophisticated zero-day attacks.
Update your software, all of it. I realize that these days that’s easier said than done. We have tons of devices and countless operating systems, apps, and extensions that need to be kept up-to-date. Corporations hire full-time roles just to manage the IT assets and yet our home networks are now more complex than a small to medium business network was just a few years ago. But tools like Rapid7’s Metasploit and my own company Shevirah’s Dagah can show you just how easy it can be to take over a traditional computer, mobile device, or even Internet of Things device that has not been kept up to date.
Authentication in general is a mess. Whoever decided we were going to use passwords never envisioned the security landscape we have today. Devices and software are still coming with default passwords like “password”, “admin”, or “alpine”. Even in 2019, “123456” is still the most commonly used password! There’s no excuse for that level of insecurity these days.
And our end users are at a loss. They are supposed to have a unique long, complex, non-dictionary-word-based password for every device, website, account, etc. A password that is too simple runs the risk of being guessed or brute-forced by an attacker. Reusing a password means that if the password records of a social media site are compromised, the attacker can use the same stolen password to log into your online bank account. They have to remember these literally hundreds of passwords because writing passwords down means they are likely to be stolen. Some applications support two-factor authentication or biometrics, but not all of them. And security researchers keep making headlines for finding vulnerabilities in password managers. So, what exactly is a person to do?
At this point using password managers and two-factor authentication where available is your best bet. No, it isn’t 100% secure, but it is far better than the alternatives of reusing guessable passwords.
And if the easy wins like missing patches and default credentials fail, the attacker can always just ask the user to hack themselves. According to the 2019 Verizon Data Breach Report the leading cause of data breaches is phishing. You’ve probably had to sit through a security awareness training by now and know the mantra, “Don’t click on phishy links!”
But detecting sophisticated phishing attacks is easier said than done. Some attackers research targets online, register legitimate domains that look like the real thing, and otherwise make their communications seem legitimate. Worse still, our security awareness training almost universally focuses only on email phishing. But users can be targeted in any way it is possible to deliver a link: text message, Twitter, QR codes, just to name a few. Be vigilant with all links.
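Weidman’s point that a link is a link regardless of the channel that delivered it can be turned into a small offline triage routine. The following is an added example written for this article; it is not code from the interview, from Shevirah, or from Dagah. It takes a raw link as it might arrive in an e-mail, a text message, a tweet or a decoded QR code and reports the tricks that defeat “look at the domain” advice: credentials placed before an “@” so the brand name is not actually the host, a bare IP address, internationalized (xn--) labels that decode to look-alike letters, a brand name buried in a subdomain of an unrelated registrable domain, confusable spellings such as “rn” for “m”, single-character typo-squats, and a genuine brand name on the wrong top-level domain. The trusted-brand list, the confusables table and the sample links are constructed for illustration, and the registrable-domain logic is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Triage links from any channel (e-mail, SMS, tweet, decoded QR code) without
resolving them. Added example for this article, not code from the interview or
from Shevirah. TRUSTED_DOMAINS, the confusables table and the sample links are
constructed; registrable_domain() ignores multi-label suffixes such as co.uk."""
import re
import unicodedata
from urllib.parse import urlsplit

# Hypothetical: the brands this particular user actually has accounts with.
TRUSTED_DOMAINS = {"paypal.com", "apple.com", "microsoft.com"}

# Constructed, deliberately small confusables table (the Unicode one is far larger):
# digits and Cyrillic letters that render like Latin letters.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x",                 # Cyrillic с у х
})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))  # two glyphs that read as one

def decode_label(label):
    """Turn a punycode label (xn--...) back into the Unicode the user would see."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label

def skeleton(label):
    """Collapse a host label onto its Latin look-alike so spoofs equal the brand."""
    s = unicodedata.normalize("NFKC", decode_label(label)).lower()
    s = s.translate(CONFUSABLE_CHARS)
    for pair, repl in CONFUSABLE_PAIRS:
        s = s.replace(pair, repl)
    return s

def levenshtein(a, b):
    """Edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(link):
    """Return a list of findings for one link; an empty list means 'trusted domain'."""
    if "://" not in link:
        link = "http://" + link  # SMS and QR payloads often omit the scheme
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in link"]
    findings = []
    if parts.username is not None:
        findings.append(f"text before '@' is not the host; the real host is {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("bare IP address instead of a domain")
        return findings
    labels = host.split(".")
    if any(l.startswith("xn--") for l in labels):
        findings.append("internationalized (xn--) label, shown as: "
                        + ".".join(decode_label(l) for l in labels))
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings
    sld_raw = domain.split(".")[0]
    sld = skeleton(sld_raw)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if any(brand in l for l in labels[:-2]):
            findings.append(f"'{brand}' used in a subdomain; the real registrable domain is {domain}")
        dist = levenshtein(sld, skeleton(brand))
        if dist == 0 and sld_raw == brand:
            findings.append(f"brand name on a different TLD: {domain} is not {trusted}")
        elif dist == 0:
            findings.append(f"confusable spelling of {trusted}")
        elif dist == 1 and len(brand) >= 5:
            findings.append(f"one character away from {trusted} (typo-squat?)")
    if not findings:
        findings.append(f"unknown domain {domain}; verify it through a channel you already trust")
    return findings

if __name__ == "__main__":
    # Constructed samples, one per delivery channel mentioned in the interview.
    samples = {
        "e-mail": "https://www.paypal.com/signin",
        "SMS": "paypal.com.account-verify.example/login",
        "tweet": "https://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/login",
        "QR code": "https://paypal.com@198.51.100.23/",
    }
    for channel, link in samples.items():
        print(f"{channel:8} {link}")
        for finding in triage(link) or ["trusted domain"]:
            print("         -", finding)
```

The script never fetches the link, so it is safe to run on anything pasted into it; the trade-off is that it cannot see through URL shorteners or redirects, which is why an unrecognized domain is reported as “verify through a channel you already trust” rather than as safe. A production version would replace the two-label heuristic with the public suffix list and the hand-written table with the full Unicode confusables data.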
Weidman is currently working on a revised and updated second edition of Penetration Testing: A Hands-On Introduction to Hacking. We asked her to comment on the changes that she’s seen in the threat landscape in the 5 years since she first wrote the book:
The issues with mobility that it seemed I was the only one shouting about 5 years ago have gotten massively worse, and, while solutions such as Mobile Threat Defense do help keep mobile devices from being breached, the mobility in the workplace problem is far from in hand at this point. And now, of course, IoT has also invaded the workplace.
Also, we outsource much of our data and functionality to cloud providers at this point. Between bring your own device (BYOD) and software as a service (SaaS) solutions, much of what makes up our risk landscape isn’t controlled by the enterprise IT department. What if the provider you use for email or document sharing or customer relations uses “admin” as a password…and is breached? What if an employee doesn’t update their iPhone to the latest version of iOS and downloads a malicious app? They come into work the next day with a root level trojan on their phone and it starts scanning the corporate network for additional vulnerabilities to attack next.
Weidman’s discovery of the gaping hole in the security posture of enterprises around mobility led to the foundation of her company, Shevirah, which is focused primarily on mobile device and IoT security.
We’ve written before about the security issues around IoT devices, as well as the challenges that they pose to the enterprise, healthcare, and government sectors. Smart devices are proliferating at an incredible rate — and many manufacturers rush products to market with little concern for security. Meanwhile, IoT security is still overlooked by many (even within the cybersecurity industry).
We asked Weidman if she thinks that the world is prepared for this new reality and, if not, what could be done to make the Internet of Things safer:
I don’t think we are at all ready for it, but security will always take a backseat to functionality. By and large I think IoT will go the way mobile has: Put preventative things on it, ignore it, and hope for the best. Hardly anyone puts BYOD in scope in their security testing, but attackers don’t follow rules of engagement!
IoT seems to be mostly going into that same category of things we don’t test and then buy all the products the vendors can come up with to save us from the vulnerabilities. This is, as discussed previously, a very incomplete security program.
To have any chance of getting this under control we have to understand what we have on our networks and what our risk profile is around them. The common excuse is that we don’t keep our customer data on the IoT coffee pot. However, if the IoT coffee pot has an exploitable vulnerability and is on the same network with devices that do have customer data that an attacker may be able to pivot to, then the IoT coffee pot could lead to a major breach. Burying our heads in the sand and throwing preventative products at the problem will only work for so long.
SecureMac would like to thank Georgia Weidman for taking the time to talk with us. If you’d like to learn more about Georgia’s work, you can follow her on Twitter or visit her company’s website at Shevirah.com.
If you are interested in reading advance chapters of the revised edition of Penetration Testing: A Hands-On Introduction to Hacking — or if you’d like to lend your support to the publication of the new book — please visit the author’s Patreon page.