FAQ
PTES (the Penetration Testing Execution Standard) is a standard designed to provide both businesses and security service providers with a common language and framework for performing penetration testing.
Infrastructure penetration testing or vulnerability assessments can provide assurance that systems and security controls have been configured securely with best security practices in mind.
Provide assurance that no common or publicly known vulnerabilities are present in your target scope.
If vulnerabilities are identified, they can be remediated before a malicious actor can take advantage of them.
Common vulnerability identification
Potential avoidance of extra costs and reputation damage due to a breach via a well-known vulnerability
Provide assurance of effective security controls to regulatory bodies
Assure customers and suppliers that you are taking measures to protect their data
Provide insight into potential risks associated with your network
Provide critical input into your risk management programs
Assessments are priced based on the size of the relevant engagement, how many servers form the scope and any relevant complexities surrounding any scenario-driven requirements. Once requirements and drivers are understood a statement of works measured in days is produced.
The statement of works will describe the total working days required to fulfil the engagement, priced per person-day.
Infrastructure assessment scoping is reasonably straightforward; generally, our experienced consultants can produce a statement of works simply from the number of systems in scope.
Generally, external infrastructure assessments or external penetration tests look to identify security concerns within any publicly accessible server or service.
Laneden does not only look to identify known security vulnerabilities and exploit them. Our experienced engineers use open-source intelligence (OSINT) gathering techniques similar to those used by malicious actors to identify as much information as possible about your organisation.
This information is then used to build real-life attack scenarios across vectors such as credential stuffing and password attacks, giving you a realistic view of the risks associated with your public footprint.
Infrastructure penetration testing or vulnerability assessments can provide assurance that systems and security controls have been configured securely with best security practices in mind.
Provide assurance that no common or publicly known vulnerabilities are affecting your systems.
Help identify potential attack vectors associated with any information you or your organisation may have publicly available.
If vulnerabilities are identified they can be remediated prior to a malicious actor taking advantage of them.
Common vulnerability identification and management
Potentially avoid extra costs and reputation damage due to a breach via a commonly known vulnerability
Helps identify security concerns before any malicious actors can abuse them
Provide evidence of compliance with regulatory bodies
To provide assurance to customers, suppliers and partners, proving you are taking measures to produce secure services and protect their data
Provide insight into potential risks associated with your network
Help identify publicly available information that could be used to attack your organisation
Provide critical input into your risk management programs
Assessments are priced based on the size of the relevant engagement, how many servers form the scope and any relevant complexities surrounding any scenario-driven requirements. Once requirements and drivers are understood a statement of works measured in days is produced.
The statement of works will describe the total person-days required to fulfil the engagement, priced per person-day.
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
The Open Web Application Security Project Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks associated with web applications.
Businesses are encouraged to adopt this document and start ensuring that their applications minimize these top 10 risks.
Using the OWASP Top 10 guidance is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
The 2017 edition of the document comprises the 10 most prevalent concerns:
Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access to other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
Security Misconfiguration
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts.
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
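To make the Injection entry above concrete, here is an added example (not code from the original page or from OWASP) showing a lookup built by string formatting beside the same lookup using a bound parameter, both run against a constructed in-memory SQLite table. The table contents and the two payloads are assumptions made for the demonstration.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # Untrusted input is concatenated into the query text, so a quote
    # character in `username` changes the SQL the interpreter executes.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # A bound parameter is handed to the driver separately from the SQL text;
    # whatever `username` contains, it can only ever be compared as a value.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Two classic payloads (assumed for the demo): a tautology that matches every
# row, and a UNION that reads the schema out of sqlite_master instead.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both payloads through both lookups and return the rows each gives."""
    conn = build_db()
    return {
        "normal": find_user_safe(conn, "bob"),
        "vuln_tautology": find_user_vulnerable(conn, TAUTOLOGY),
        "vuln_union": find_user_vulnerable(conn, UNION_DUMP),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),
        "safe_union": find_user_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology payload returns every user from the vulnerable function and nothing from the safe one; the UNION payload turns the vulnerable lookup into a schema dump, which is the same technique an attacker would use to enumerate tables before extracting data.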
Assessments are priced based on the size of the relevant engagement. Understanding the drivers behind the assessment helps us build a statement of works that fits our client's requirements.
For instance, a brochureware application with hardly any rich features is likely to take fewer person-days to complete than, say, a feature-rich e-commerce application.
The statement of works will describe the total person-days required to fulfil the engagement, priced per person-day.
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
The OWASP API Security Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks associated with APIs.
Businesses are encouraged to adopt this document and start ensuring that their applications minimize these top 10 risks.
Using the OWASP API Security Top 10 guidance is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
The 2019 edition of the document comprises the 10 most prevalent concerns:
Broken Object Level Authorisation
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues. Object-level authorisation checks should be considered in every function that accesses a data source using input from the user.
Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising the system's ability to identify the client or user compromises API security overall.
Excessive Data Exposure
Aiming for generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to filter the data before displaying it to the user.
Lack of Resources & Rate Limiting
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client or user. Not only can this impact API server performance, leading to Denial of Service (DoS), but it also leaves the door open to brute-force attacks against authentication.
Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users' resources and/or administrative functions.
Mass Assignment
Binding client-provided data (e.g. JSON) to data models without filtering properties against an allowlist usually leads to mass assignment. By guessing object properties, exploring other API endpoints, reading the documentation, or supplying additional object properties in request payloads, attackers can modify object properties they are not supposed to.
Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and up-to-date documentation highly important. A proper inventory of hosts and deployed API versions also plays an important role in mitigating issues such as deprecated API versions and exposed debug endpoints.
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
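The Broken Object Level Authorisation and Mass Assignment entries above share a root cause, so one added example (not code from the original page or from OWASP) covers both: a profile-update handler that trusts the caller's chosen object id and binds every JSON key onto the model, beside a version that checks ownership and binds only an allowlist of properties. The in-memory store, the User model and the field names are assumptions made for the demonstration.

```python
import json
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False


def make_store():
    """Hypothetical in-memory store standing in for the API's database."""
    return {
        1: User(1, "alice@example.com", "Alice", is_admin=True),
        2: User(2, "bob@example.com", "Bob"),
    }


# Properties a user may change on their own record (the allowlist).
UPDATABLE_FIELDS = {"email", "display_name"}


class Forbidden(Exception):
    """Caller is not permitted to touch the requested object (HTTP 403)."""


class BadRequest(Exception):
    """Request body carries properties the endpoint does not accept (HTTP 400)."""


def update_user_vulnerable(store, current_user_id, target_user_id, body):
    # PUT /users/{id} with no object-level check: any authenticated caller may
    # name any id. Every JSON key is then bound straight onto the model, so a
    # caller who guesses the `is_admin` property can promote themselves.
    user = store[target_user_id]
    for key, value in json.loads(body).items():
        setattr(user, key, value)
    return user


def update_user_safe(store, current_user_id, target_user_id, body):
    # Object-level authorisation: the caller may only modify their own record.
    if current_user_id != target_user_id:
        raise Forbidden(f"user {current_user_id} may not modify user {target_user_id}")
    data = json.loads(body)
    # Reject, rather than silently drop, properties outside the allowlist so
    # that probing for hidden fields shows up in the request logs.
    unknown = set(data) - UPDATABLE_FIELDS
    if unknown:
        raise BadRequest(f"unexpected properties: {sorted(unknown)}")
    user = store[target_user_id]
    for key in UPDATABLE_FIELDS & set(data):
        setattr(user, key, data[key])
    return user


if __name__ == "__main__":
    # Constructed payload: a legitimate rename with a smuggled privilege flag.
    payload = '{"display_name": "Bobby", "is_admin": true}'
    print("vulnerable:", update_user_vulnerable(make_store(), 2, 2, payload))
    try:
        update_user_safe(make_store(), 2, 2, payload)
    except BadRequest as exc:
        print("safe:", exc)
```

In a real framework the allowlist would normally live in the request schema (a serializer or pydantic model with unknown fields forbidden) rather than in the handler, but the two checks are the same: match the object to the caller before touching it, and never let the client choose which model fields get written.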
Assessment costs are based on the size of the particular API. To understand the size of the engagement we use parameters such as how many endpoints the API has and how many methods each endpoint supports.
Our experienced consultants are then able to calculate the number of person-days it would take to complete the assessment and collate the findings into a concise, simple report, covering at the very least the OWASP API Security Top 10.
The statement of works describes the total person-days required to fulfil the engagement, priced per person-day.
Regular security testing is required or recommended by a number of standards and regulations such as PCI DSS, GDPR, the DPA and ISO 27001.
Security assessments can help a business understand the risks associated with its systems and how it processes and stores customer data.
They can help avoid the additional costs and reputation damage of a breach, provide evidence to compliance or regulatory bodies, and give assurance to customers and partners.
More and more people are aware of cybersecurity and the risks that come with it; now more than ever they want to trust that businesses are protecting them and their data by following good security practices.
Common vulnerability identification and management
Potentially avoid extra costs and reputation damage due to a breach via a commonly known vulnerability
Provide evidence of compliance with regulatory bodies
To provide assurance to customers and partners, proving you are taking measures to protect their data
Provide insight into potential risks associated with your applications
Provide critical input into your risk management programs
IoT, put simply, is all things connected to the internet.
Yes, we know our phones and computers are on the internet we have got used to the idea and it makes sense to us.
IoT is looking to get everything on the internet to collect and share data. Your fridge, your wearable devices, your TV, your toaster, your backpack, your kettle, your dishwasher, yes even your baby monitor. The list goes on and on, the idea is to collect data and share it creating better efficiencies and better products in the future.
The idea is a great one and has benefits; the problems start to arise when cybersecurity is not taken into account. These systems tend to rely on APIs that have often not been through any security testing regime, meaning malicious actors are potentially able to abuse these devices, using them as access points into your home or business networks.
Software as a Service, or SaaS, is a cloud-based model where, instead of downloading software to your computer, installing it and having to update it constantly, you access an application via your browser. The software could be anything from office applications to unified communications, among a wide range of other business solutions.
This model offers a variety of advantages but also has its disadvantages. Key advantages of SaaS include accessibility, operational management and compatibility. Additionally, SaaS models tend to offer lower upfront costs than traditional software download and install solutions, making them more available to a wider range of businesses, and easier for smaller business to compete and disrupt existing markets while empowering suppliers.
A vulnerability assessment is an automated scan that systematically inspects all hosts and services. This assessment looks to identify known vulnerabilities across its given scan range. A skilled engineer confirms the findings and collates the results in a concise report.
A penetration test is rather different. The skilled engineer leading the engagement needs a breadth of knowledge and experience in information technology and its systems, together with the ability to think abstractly, solve problems effectively and anticipate the behaviour of a threat actor.
They are constantly looking for ways to exploit bad security practices and business processes, actively attempting to compromise systems and processes in order to exfiltrate data or take control of your business systems.
They then need to convey their exploitation of your systems and processes concisely and effectively, explaining not only the process they followed but also how to remediate the risks they identified, allowing the client to close their security gaps quickly before any malicious exploitation can take place.
A vulnerability management program is a framework for managing an organisation's risk associated with its threat landscape and security posture. This is achieved through processes and procedures that allow the effective identification, classification, confirmation and remediation of security concerns.
Identification
How the organisation identifies and tracks known vulnerabilities and changes to its threat landscape.
Classification
Understanding and classifying findings with a risk-based score that explains the true risk to the organisation allows effective prioritisation and triage of any findings.
Confirmation
Testing and confirming remedial actions before they are rolled out allows the business to understand the risks associated with the corrective actions. Will the recommended remediation affect any BAU (business as usual) processes, causing downtime? Does it actually resolve the identified risk, or will you be applying hundreds of changes across your network for no reason, wasting money and, most importantly, time?
Remediation
Once confirmation is achieved, remediation can be carried out accurately with little risk to the organisation.
Vulnerability assessment costs are based on the number of systems in scope. Generally speaking, a vulnerability assessment and reporting of the findings takes two to three person-days to complete.
Please feel free to contact the Laneden team and have a no-obligation impartial discussion to get a better idea on the costs based on your specific requirements.
Article 5 of the GDPR sets out seven key principles that lie at the heart of the general data protection regime.
Article 5(1) requires that personal data shall be:
- The controller shall be responsible for and be able to demonstrate compliance with p
In 2018, the European Union enacted new legislation to protect its citizens' personal data, potentially affecting every organisation worldwide.
The Information Commissioner's Office (ICO) has suggested the following 12 steps in preparing for GDPR compliance.
For further details, please refer to the Information Commissioner's Office website.
It would be best to make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
It would help if you documented what personal data you hold, where it came from, and who you share it with. You may need to organise an information audit.
You should review your current privacy notices and put a plan to make any necessary changes in time for GDPR implementation.
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
You should update your procedures and plan how you will handle requests within the new timescales, and provide any additional information.
You should identify the lawful basis for your processing activity in the GDPR, document it, and update your privacy notice to explain it.
You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
It would be best if you started thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
You should make sure you have the right procedures in place to detect, report, and investigate a personal data breach.
You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. It would help if you considered whether you are required to designate a Data Protection Officer formally.
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
An information security management system (ISMS) preserves the confidentiality, integrity and availability of information by applying a risk management process, and gives interested parties confidence that risks are adequately managed.
No, it is not a requirement to undergo a penetration test to be ISO 27001 compliant.
Annex A control A.12.6.1 (Management of technical vulnerabilities) states that:
This means a simple vulnerability assessment, rather than a full penetration test, would suffice in identifying known vulnerabilities. However, a full penetration test has benefits above and beyond those of a vulnerability assessment.
A penetration test can help prioritise concerns and give further insight into the risk, potentially showing what information could be compromised, how this information could be exfiltrated and how a cyber assailant could get a foothold into your systems or network.
Assessments are usually conducted once the scope of the ISMS, and its associated assets, have been identified. There are other stages that may benefit from security testing. These include, when identifying vulnerabilities as part of the risk assessment process or when ensuring that the controls put in place are effective.
The Domain Name System (DNS) can be thought of as an address book or phonebook lookup. As users of computer systems, we wouldn't want to try to remember the IP address of that catchy website we saw in an advert; we want nice simple words. You enter 'google.com' into your browser and it takes you to the website you want. That is DNS translating the simple name (the domain name) into an IP address the computer can talk to.
A Domain Controller is a server on a Windows domain network. It hosts a database of network accounts and presents this to the network for authentication purposes and can host various other services associated with Active Directory.
Active Directory's built-in groups, such as Domain Users, Domain Computers and Domain Admins, define which users and systems can authenticate to the domain and with what level of privilege, whether as a domain administrator, a general user or a computer account. The domain controller authenticates those requests.
The domain controller defines various policies to control security settings, and general administrative functions across systems joined to the domain.
Typically, a domain (this encompasses all systems registered to or authenticated with the domain) hosts multiple domain controllers.
Any change made on one domain controller would put its configuration out of sync with all other domain controllers on the network. To overcome this, replication services propagate changes to every other trusted domain controller on the network.
A firewall is a network security device that acts as the gatekeeper between networks, such as your internal network and the internet, allowing traffic to flow through it based on a set of security rules and configurations. These gateways are often all that lies between malicious actors, hackers, malware, viruses and your internal network.
To put it bluntly, yes you really should care about your firewalls and audit them regularly.
These security devices are the barrier between your organisation, your data, your customer's data and hackers, malware, viruses, and the cacophony of other malicious actors on the internet.
These devices undergo regular changes in most businesses, and their rule sets can quickly become outdated and open to abuse. Temporary rules that open up systems become permanent and are forgotten about.
With more vulnerabilities being identified daily, services, protocols and configurations can quickly become outdated and susceptible to known attack vectors.
It is recommended that firewalls are audited at least twice yearly; PCI DSS v3.2.1 requirement 1.1.7 states that organisations should "review firewall and router rule sets at least every six months" (the equivalent control in PCI DSS v4.0 is requirement 1.2.7).
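One way to make the six-monthly review repeatable is to run the exported rule set through a script rather than reading it by eye. This added example (not code from the original page) parses a constructed iptables-save export and flags INPUT rules that accept traffic from any source, rules exposing legacy services (FTP, Telnet, RDP) to the world, and an ACCEPT default policy. The sample rules and the list of legacy ports are assumptions, and the parser deliberately does not handle negated (`!`) matches.

```python
import shlex
from dataclasses import dataclass

# Constructed iptables-save output standing in for a real export.
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 23,21 -j ACCEPT
-A INPUT -j ACCEPT
COMMIT
"""

# Services that should never be reachable from arbitrary sources (assumption).
LEGACY_PORTS = {"21": "ftp", "23": "telnet", "3389": "rdp"}


@dataclass
class Rule:
    chain: str
    args: dict   # flag -> value, or True for flags with no value
    raw: str


def parse_save(text):
    """Return (chain policies, append rules) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            args, i = {}, 2
            while i < len(tokens):
                # A flag takes the next token as its value unless that token
                # is itself a flag (e.g. "-j ACCEPT" vs. a bare "--syn").
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    args[tokens[i]] = tokens[i + 1]
                    i += 2
                else:
                    args[tokens[i]] = True
                    i += 1
            rules.append(Rule(tokens[1], args, line))
    return policies, rules


def audit(text):
    """Flag INPUT rules that accept traffic more broadly than a reviewed rule set should."""
    policies, rules = parse_save(text)
    findings = []
    if policies.get("INPUT") == "ACCEPT":
        findings.append(("default-accept", ":INPUT ACCEPT"))
    for r in rules:
        if r.chain != "INPUT" or r.args.get("-j") != "ACCEPT":
            continue
        if r.args.get("-i") == "lo" or "--ctstate" in r.args:
            continue  # loopback and return traffic are expected
        ports = r.args.get("--dport") or r.args.get("--dports")
        if ports is None and "-s" not in r.args:
            findings.append(("any-any", r.raw))
            continue
        for port in (ports or "").split(","):
            if port in LEGACY_PORTS:
                findings.append((f"legacy-{LEGACY_PORTS[port]}", r.raw))
        if "-s" not in r.args:
            findings.append(("no-source-restriction", r.raw))
    return findings


if __name__ == "__main__":
    for kind, rule in audit(SAMPLE_RULES):
        print(f"{kind:24} {rule}")
```

Run it against `iptables-save` output (or the equivalent export from any vendor, with the parser adapted) at each review and diff the findings against the previous run; a rule that was "temporary" six months ago shows up as the same finding twice.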
VMware describes a virtualisation platform as follows:
".. many IT organizations must deploy multiple servers, each operating at a fraction of their capacity, to keep pace with today's high storage and processing demands. The result: huge inefficiencies and excessive operating costs."
"Virtualization relies on software to simulate hardware functionality and create a virtual computer system. This enables IT organizations to run more than one virtual system - and multiple operating systems and applications - on a single server. The resulting benefits include economies of scale and greater efficiency."
Phishing emails are generally sent to a large number of individuals simultaneously in an attempt to either make monetary gains or gather or "fish" sensitive information such as credentials, personally identifiable information and payment details. The cybercriminals tend to pose as a reputable source such as a supplier, colleague or some other trusted third party.
The emails often come fully loaded with legitimate-looking logos, signatures and contact details. Common examples of monetary-gain emails appear to come from banks, payment service providers such as PayPal, couriers such as DHL, Royal Mail and DPD, credit card providers and eBay, alongside CEO fraud.
CEO Fraud is a scam in which cybercriminals spoof or take control of corporate email accounts and impersonate executives to try and fool unsuspecting employees into making payments or sending other confidential information to the attackers.
According to Action Fraud, the largest payment made to fraudsters was £18.5 million; however, the average loss is £35,000. Out of the £32 million reported losses since 2015, only a total of £1 million has been successfully recovered.
Spear phishing attempts tend to be far more focused phishing emails and only go to a single individual or at most, a handful of individuals. In these instances, the cybercriminal is likely looking to gain specific information, potentially information to aid in further attacks. Cybercriminals have all the time in the world to gather data on your organisation, and the publicly available information can be very useful to attackers.
Whaling, as it is known, is a more targeted form of spear phishing. These attacks are generally aimed at corporate executives such as the CEO, CTO or CMO. They are usually undertaken for monetary gain; however, they could equally be attempts to gain other sensitive information.
Identifying phishing attempts can be achieved with reasonable ease; it just takes some know-how and practice. The process for reporting the threat to your organisation and employees requires foresight and planning, and an efficient, structured approach to dealing with these threats is essential or all your efforts will have been in vain.
Consider the following high-level questions when reading your emails.
DOES THE COMPOSED EMAIL SEEM AT ALL ODD FROM THIS PARTICULAR PERSON?
Does the email seem out of place for any reason at all? Is it being sent at a peculiar time, or are there obvious grammatical mistakes? These should raise red flags. If you are in any doubt, contact the person out of band: if you received an email, phone them on a number you already hold. Never reply to the email received or use any contact details given in the email.
IS THE SENDER EXPECTING ANY ACTION ON YOUR PART?
If the sender is expecting a payment to be made or specific links to be followed, confirm the links by hovering over them and comparing the URL with the link text. Do they match exactly? Any mismatch could be an attempt at deception, and all links should be checked via free services such as VirusTotal. Any positive malicious result should raise the alarm.
DO YOU RECOGNISE THE DOMAIN NAME OF THE SENDER'S EMAIL ADDRESS (read it carefully)?
Look up the domain name via services such as DomainTools. This will show you the registrar details; do they match your expectations of the sender address? Is it a newly registered domain? A colleague who sent you the email works with you and uses the same mail provider, so their domain should match your own domain lookup; compare them.
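The link and sender checks in the three questions above can be automated for first-line triage. The following added example (not code from the original page) extracts every anchor from an HTML email body, compares the domain shown in the link text with the domain the href really points to, and pulls the sender's domain out of a From: header so it can be compared with the domain you expect. The sample message is constructed and no real DHL infrastructure is involved; the domain-age lookup via DomainTools is left to the analyst because it needs a live query.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Link text that itself looks like a URL or bare domain, e.g. "https://www.dhl.com/track".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def mismatched_links(html):
    """Return (shown_host, real_host) for links whose text names one site
    while the href points at another; plain-word links cannot be compared."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue
        shown, real = host_of(text), host_of(href)
        if shown != real:
            findings.append((shown, real))
    return findings


def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring any display name."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header
    return address.strip().rsplit("@", 1)[-1].lower()


# Constructed sample: the visible link says dhl.com but the href goes elsewhere.
SAMPLE_FROM = "DHL Parcel <noreply@dhl-parcel-track.example.net>"
SAMPLE_BODY = """
<p>Your parcel is waiting for a redelivery fee.</p>
<p>Track it here: <a href="http://dhl-parcel-track.example.net/login">https://www.dhl.com/track</a></p>
<p>Or read <a href="https://www.dhl.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    print("sender domain:", sender_domain(SAMPLE_FROM))
    for shown, real in mismatched_links(SAMPLE_BODY):
        print(f"link text shows {shown} but points at {real}")
```

The second link is not reported because its text is ordinary words; a human still has to judge those, which is why hovering remains part of the checklist. Feeding the returned hosts into a reputation lookup such as VirusTotal is the natural next step, but that needs a network call and is left out here.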
The weakest link in the majority of organisations is, unfortunately, their employees. They can, however, become the strongest tool in your arsenal for defending against these fraudsters. Defending against phishing-type attacks is achieved in layers, and the most effective measure in the layered approach is education. It is paramount that employees are taught to understand social engineering vectors such as phishing and what to look out for in communications. Your organisation should have a process for verifying the legitimacy of requests and reporting potentially fraudulent ones.
Defence In Layers
Employee education around CEO Fraud, phishing and other social engineering vectors
Defined process for authenticating requests and reporting potential phishing attempts
Multifactor authentication on any publicly accessible portals (such as email)
Ensure computer systems are secure and regularly patched
Understand what information is publicly available concerning your organisation
A competent antivirus solution should be installed on all corporate systems
A "Social Engineer" is a person that uses psychological manipulation to gain an advantage, to trick people into making decisions that work in their favour.
Social Engineering is the practice of these techniques, most notably using vectors such as phishing, remote telephone attacks and physical access.
Social Engineering is a broad term and can come in many forms.
From an email from your CEO asking for quick action on a payment to a phone call to your IT helpdesk from a user troubled with login issues, to someone physically standing in your reception proclaiming to be an IT contractor attempting to gain access into restricted areas such as server rooms or someone's computer system.
The most common forms are emails and phone calls—these alone cost businesses millions of pounds each year in losses, brand damage, fines and working hours.
Emails tend to come from a sender you seem to recognise, or to read as a credible request.
They tend to contain an instruction to carry out a task or some other action, along with a time constraint, such as urgently needing to send a payment or log in to a portal using a link provided in the email.
Phone calls are in many cases made to a helpdesk or service desk, someone who is used to helping callers, under the guise of a particular staff member looking to get a network account password reset, in an attempt to gain access to your corporate network.
It all sounds very damning; however, it is not the end of the world, just yet.
Employees given the right guidance can learn to recognise cues and traits, seeing through most manipulation attempts. The best defence against social engineering attacks is the very people they target.
If we can teach our employees what to look for, they can see through the facade and raise the alarm bells to a potential attack. Halting it in its tracks before it turns into a breach, brand damage and potential regulatory fines.
Purple teaming is an approach whereby the red and blue teams work closely together to maximise both attack and defence knowledge, bringing a new level of understanding and in turn enhancing your defensive capabilities through knowledge transfer.
Context is king. If you are authenticating devices to your network using a PSK, and that PSK is a long, complex string of random characters that is rotated often, then yes, it is very likely that your key is reasonably secure.
If your PSK is derived from a common word and it never changes, then not so much. If you are using an off-host authentication mechanism such as RADIUS (WPA2-Enterprise), there is no PSK to capture during the 4-way handshake for offline cracking. However, that doesn't mean the credentials can't be attacked directly through online brute-force login attempts.
WEP is inherently flawed, and it is common for WEP networks to be breached in mere minutes. So yes, it is pretty terrible and should never be used.
WPA3 made an appearance in 2018 when the Wi-Fi Alliance announced its release. The new protocol boasts fixes for the security weaknesses that plagued its predecessor WPA2, notably the offline dictionary attack against the four-way handshake when a PSK (pre-shared key) is used; WPA3-Personal replaces that exchange with SAE (Simultaneous Authentication of Equals).
Although WPA3 improves security, its uptake has been quite slow, partly because WPA2-Enterprise, which uses 802.1X authentication, already avoids a PSK and, for most organisations it seems, offers enough security to fulfil their requirements.
We would suggest if security is a priority for you, deploy WPA3-Enterprise.