Research Assessment #5

Date: October 18, 2019

Subject: Information and Network Security Assessment and Training

MLA Citation: “Information and Network Security Assessment and Testing.” Online Masters
Degree in Cybersecurity,
https://www.cybersecuritymastersdegree.org/assessment-and-penetration-testing/.

Analysis:
The article begins by introducing an example of penetration testing. It explains how the business
itself hires cybersecurity experts to complete the roles of a traditional hacker. In this role, the
cybersecurity experts proceed to disrupt the firm’s network to the greatest extent they can.
Penetration testing has become a common practice for firms, as it has become one of the most
reliable ways to expose weaknesses in their security without consequences. The article proceeds
to split assessments of cybersecurity into two categories: risk and vulnerability assessments. Risk
assessment, in its most basic form, is determined by multiplying the probability of loss and
likelihood of that loss occurring. Vulnerability assessment evaluates the specific risks in the
system. The article explains how risk assessment is evaluated through different frameworks, like
those created by the National Institutes of Science and Technology. Cybersecurity engineers use
frameworks to coordinate the work of both security engineers and key executives to ultimately
establish the risk of compromise for an issue. Vulnerability assessment, on the other hand, is
done through penetration testing. The article states how penetration testers have used social
engineering, automated scanners, and password cracking tools in order to expose the firm’s flaws
in network security. The article concludes by emphasizing the importance of penetration testing
in the evolving field of cybersecurity, as this method can solve almost any issue.

The most important idea from this article was the importance of penetration testing in
vulnerability assessment. Even though penetration testing is done in a prohibited area of the
network (to ensure the company functionality isn’t affected during this testing), it is extremely
effective in exposing the weaknesses of the firm’s network, especially when done randomly.
When this test is done randomly, there is a greater likelihood of finding flaws, which is the
ultimate goal of penetration testing. There are two implementers of penetration testing: engineers
and software. Engineers are the more common implementers today, primarily because current
software is incapable of recognizing unknown flaws. In other words, if a complex issue resides
within the firm’s network, software alone will be ineffective in accurately identifying the issue,
making it inferior to engineers.
Another important concept mentioned in this article is the idea that cloud-based systems are
actually more secure than physical network topologies. This is quite an important distinction, as
cloud-based services like Amazon Web Services connect the different branches of the
companies. As technology has continued to evolve, cloud-based services have become the most
effective means of data communication between branches, as not only are they more cost-effective,
but they are also more reliable, since the cloud-based services are managed by companies who take
the blame if their services don’t work. Hence, cloud-based services offer more financial security
compared to a physical network topology. Additionally, the difference in security between
cloud-based services and physical network topologies is another reason why companies are
transitioning to cloud-based services.

Analyzing the fluency of this article, I believe this article was a perfect choice for this week’s
research assessment. Alongside being understandable based on my knowledge of cybersecurity
and computer networking, the information in this article is relevant to my interviewing process,
as one of the professionals I am scheduling an interview with is a full-time penetration tester.
Hence, analyzing this article was a wise choice, as it has prepared me well for that interview.
Secondly, this article was very succinct. It defined terms and directly proceeded to explain the
impact of these terms on the field of cybersecurity as a whole. This made it easy to understand
the main ideas of the article. Looking forward to the next research assessment, I need to
continue finding articles that have the same clarity as this one. However, I need to be sure to
continue finding articles that advance my understanding of cybersecurity, rather than just repeat
the same information in different forms. This might require a more thorough search for articles,
potentially in databases rather than just through search engines.

Article:
Information and Network Security Assessment and Testing
The hacker gained access to the Fortune 500 financial services firm through an old,
half-forgotten Siemens-Rolm PBX (Private Branch Exchange) telephony management system.
System administrators at the company had diligently changed the administrative account
password, but they either had forgotten or never knew about the factory-installed field technician
account on the machine. That password was still set to the default value, just as it was on
millions of other similar machines around the world.

The PBX was connected to the firm’s voicemail system, but not to the much more sensitive
critical financial management and human resources systems. Those systems were still safe,
locked behind a Checkpoint firewall and only accessible via secure two-factor authentication
systems, closely monitored, and with the latest security patches installed.
The hacker was smart and patient, though. He found the voicemail box for the IT helpdesk,
cloned it to a number that only he could check. Waited. Listened.

A user called in one day, having trouble getting in on his VPN (Virtual Private Network)
account. The hacker acted quickly. He deleted the message from the legitimate IT helpdesk
voicemail, called the user back himself, and easily got the password and one-time authentication
token off him. The hacker then helped the user fix his problem, to allay any suspicions the guy
might have had.

By that point, the hacker had already logged in on the user’s account himself and was screaming
through the internal network, owning server after server, the keys to the kingdom in his hands.
This illustrates how effective penetration testing can be, as it exposed an issue that could have
given a hacker access to the entire internal network.

Weeks later, the IT helpdesk manager got a thank-you letter from this user. The user praised the
tech that had helped him with his VPN problem a couple weeks back, describing him as polite,
smart and fast. Penetration testing also tests the user, to see if they are able to recognize the fake
hacker; they were unable.

The only problem was, the helpdesk manager had never heard of this tech. Didn’t have anyone
working there by that name. Fortunately, the CIO (Chief Information Officer) knew exactly who
it was. The “hacker” was a penetration tester hired by the firm to find and exploit any
vulnerabilities in their systems… before the real hackers could do so.

Penetration testing may be the most visible component of what network security auditors do, but
the reality is that all cybersecurity professionals engage in near-constant cycles of assessment
and testing. This makes learning to assess risk and defend against it a critically important part of
any cybersecurity degree program.

Weighing the Risks in Modern Information Systems

Cybersecurity assessments fall into two broad categories:

● Risk assessments
● Vulnerability assessments

Risk is a word with a very specific meaning within the realm of information security and is often
misunderstood outside the field. Risk is the probability of a loss multiplied by the likelihood of
that loss occurring. Extremely important definition when assessing danger of attack. But
perceptions of risk are frequently colored by fear, anxiety, and uncertainty, causing possibilities
and consequences to be over- or under-valued based on factors like media coverage or an
individual’s emotion.

Cloud-based systems, for example, are consistently perceived as being less secure than
on-premises systems, although most of the statistics available prove otherwise. Still, most people
tend to intuitively feel that data behind a locked door is safe as long as they themselves hold the
key, even if that’s not effectively the case.

Because these inconsequential factors can make it difficult for even cybersecurity experts to
accurately assess risk, the National Institutes of Science and Technology (NIST) have developed
a cybersecurity framework that can be used to evaluate risks to critical infrastructure and
provide industry-standard policy and procedural mitigations. Cybersecurity analysts use such
frameworks to work closely with both security engineers and key executives to evaluate potential
targets inside the corporate information system and establish the risk of compromise.
Frameworks are a topic I am not familiar with; potential research assessment topic.

In addition to the relatively straightforward factors of costs from lost productivity and incident
response from potential breaches, security analysts might also have to account for more esoteric
factors such as loss of customer confidence and potential shareholder lawsuits. In the wake of a
2014 theft of customer information, Target Corporation paid out almost $120 million in legal
settlements in addition to internal recovery costs. If the risks of compromise had been adequately
evaluated prior to that theft, the company could have invested more than $100 million in security
measures and still come out far ahead in the end.

A risk assessment, then, points to the systems in which vulnerabilities might be more or less
catastrophic if exploited. This allows the cybersecurity auditor to focus resources where they will
be most useful in uncovering vulnerabilities.

Isolating the Weak Points Through Penetration Testing

Vulnerability assessments, or audits, evaluate what specific risks exist in the current system
structure.

Regular audits are a good practice for any information security team, but in certain industries
they may be mandated and/or conducted by regulatory agencies. HIPAA, the Health Insurance
Portability and Accountability Act, for instance, maintains strict audit standards for healthcare
providers and insurers. And the Securities and Exchange Commission’s audits of financial service
providers now include a Cybersecurity Examination Initiative that looks at information security
practices.

The sharpest tool in the vulnerability assessment toolbox is the penetration test, or “pen test.”
Penetration testing involves cybersecurity teams (called “tiger teams”) taking on the role of
black-hat hackers and attempting to gain access to data or resources through actions that would
otherwise be illicit. Penetration testers have used:

● Social engineering
● Automated scanners
● Password cracking tools
● Other common black-hat exploitation tools

Penetration testing parameters are set by the entity requesting the tests, so exploits that would
result in the disruption of services or destruction of data would be prohibited. However, in every
other respect pen-testers use the same devious bag of tricks that legitimate cybercriminals might
use. The goal is to find all of the vulnerabilities that attackers could potentially exploit.

Automating Penetration Testing

While pen testing can be dramatic, in practice it is more a random snapshot of vulnerability than
a consistent, reproducible assessment mechanism. However, certain pen testing tools, such as the
Nessus scanner, which can automatically scan a network for known vulnerabilities, can be run
regularly to catch any known configuration flaws and alert security engineers. Software can
essentially do the busy work of security engineers, allowing them to focus on more important
issues.

Logs are another important tool used in network security auditing. Don’t fully understand logs
(specifically what network security auditing is); should definitely research. The nature of modern
cyberattacks is to leave few traces that would be detectable to the average user. But no activity
should escape the eyes of a properly configured logging system. Logs record every process,
every network request, and in some cases each packet that comes in across the wire. Although
modern intrusion detection systems can be programmed to block suspicious traffic, there is
always the potential for a new threat with signatures that haven’t been identified yet.

Log analysis software, such as Splunk, can help detect even “undetectable” attacks by looking
for traffic that is simply out of the ordinary. Once every normal and accountable activity is
filtered out, expert systems or cybersecurity analysts can review logs for signs of illicit activity.
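As an added illustration of the filter-then-review approach described above (this is not code from the original article or from Splunk), the following Python checks constructed login events against an assumed per-user baseline of normal hosts and working hours, drops everything that conforms, and tags what remains, including a rapid hop across several internal servers like the one in the opening story. The log lines, user names, host names and baseline are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): internal login events.
SAMPLE_LOG = """\
2019-10-18T09:02:11 user=jdoe src=10.8.0.12 host=mail01 action=login result=ok
2019-10-18T09:05:43 user=jdoe src=10.8.0.12 host=fileshare action=login result=ok
2019-10-18T09:20:02 user=asmith src=10.8.0.31 host=mail01 action=login result=ok
2019-10-18T21:14:09 user=jdoe src=10.8.0.77 host=fin-db01 action=login result=ok
2019-10-18T21:14:31 user=jdoe src=10.8.0.77 host=hr-app01 action=login result=ok
2019-10-18T21:15:02 user=jdoe src=10.8.0.77 host=pbx-mgmt action=login result=ok
"""
# Assumed baseline of "normal and accountable" activity, as it would be learned from
# prior weeks of logs: the hosts each user routinely reaches and their working hours.
BASELINE = {
    "jdoe": {"hosts": {"mail01", "fileshare"}, "hours": range(8, 19)},
    "asmith": {"hosts": {"mail01"}, "hours": range(8, 19)},
}

def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review_log(text, baseline, burst_window_s=120, burst_hosts=3):
    """Return the events left after filtering out baseline-conforming activity."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    recent = defaultdict(list)  # user -> (ts, host) of off-baseline logins seen so far
    findings = []
    for ev in events:
        user, host, hour = ev["user"], ev["host"], ev["ts"].hour
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("unknown user")
        else:
            if host not in profile["hosts"]:
                reasons.append("host outside baseline")
            if hour not in profile["hours"]:
                reasons.append("outside working hours")
        if not reasons:
            continue  # normal, accountable activity: filtered out of the review
        recent[user].append((ev["ts"], host))
        window = {h for t, h in recent[user] if (ev["ts"] - t).total_seconds() <= burst_window_s}
        if len(window) >= burst_hosts:
            reasons.append("burst of distinct hosts")
        findings.append({"ts": ev["ts"].isoformat(), "user": user, "host": host, "reasons": reasons})
    return findings
```

Running `review_log(SAMPLE_LOG, BASELINE)` leaves only the three evening logins to hosts jdoe never normally touches, and the third is additionally tagged as a burst across distinct hosts.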

Whatever the methods used to determine risk and vulnerability, it’s a cybersecurity truism that
you don’t know what to defend against unless you know what you are defending… like an old,
half-forgotten PBX system with a default technician account in the back office.
