Penetration Testing Protection for the Keys to Your Kingdom

The owner of the shopping mall was shocked: an intruder had taken control of the building management system. The infiltrator was able to gain access to security cameras and disable the alarm system, as well as freeze the elevators and disable card keys.

Fortunately, this was a simulated cyber attack, not the real thing. But if the security vulnerability had not been identified and subsequently mitigated, it easily could have happened in real life.

Such nightmare scenarios are why penetration testing should be an integral part of security planning for every real estate and construction company.

The Weakest Link

Penetration testing, also known as pen testing, involves conducting authorized, simulated cyber attacks on computer systems, networks, web applications, hosts and / or Internet of Things (IoT) devices. The goal is to discover and remediate vulnerabilities before a real attacker does.

Many organizations believe they have sufficient security provided by their in-house or outsourced IT team; but when was the last time those systems were actually tested? When participating in pen testing for the first time, many are surprised to learn their enterprise systems have numerous areas of exposure. Unsupported operating systems and software, third-party applications that are not regularly updated, insecure network protocols, unpatched systems, default credentials — these are just a few of the issues security professionals frequently find that can seriously undermine an organization's security.

In the real estate and construction environment, many companies don't have dedicated departments managing all their technology infrastructure. More often, they outsource certain activities to third-party service providers. The inherent weakness in this strategy is when there is no single party actively overseeing the security of equipment, systems and software, other elements can be overlooked, leading to inconsistencies and gaps.

Test Your System’s Strengths

If you haven't undertaken penetration testing, this can be invaluable confirmation of what you're doing right, while also uncovering potentially serious problems. Pen testing provides peace of mind — confirmation defences are working as intended and sensitive information and building access are secure. It also helps to ensure you will not experience in real life what the shopping mall experienced in a simulated scenario.

Pen testing is best conducted by trained, experienced security consultants. They can deliver, in a documented report, objective findings and recommendations your team can use to remediate any serious issues.

To give you an idea of what would be involved, the following is a general approach to conducting a successful pen test.

More Than an Assessment

First, it's important to distinguish this process from a vulnerability assessment. The latter identifies and prioritizes vulnerabilities. A penetration test takes an assessment a step further by seeking out and attempting to exploit vulnerabilities in order to evaluate the ease of circumventing or defeating security features — before a serious breach can occur.

Security professionals will start by identifying your company's goals and priorities for the testing, which will help to determine whether the approach will be "white box" or "black box."

Going in Blind

Black box is sometimes referred to as "blind testing" because testers receive little or no information from the client. Simulating a realistic attack scenario, black box testing can also evaluate your organization’s internal reaction — how your controls and people respond to a breach. With that being said, black box testing is limited in that some areas of security may not be analyzed.

Insider Knowledge

White box testing is sometimes referred to as "full disclosure" because testers are provided with information about the structure and design of the network and systems. While this approach does not reflect a typical cyber attack in the same way as black box testing, it extends the scope into areas such as quality of code and design of applications. The white box approach can also examine risks presented by employees or others with internal access to networks.

Since each approach has specific advantages and disadvantages, the choice will depend upon your objectives and expectations.

Infiltration and Remediation

Once they receive the green light, testers will attempt to gain a foothold in the infrastructure. When successful, they will "pivot," that is, attempt to penetrate further to gain access to related systems. In one recent case, testers were able to infiltrate a real estate management company, first by breaking through the external perimeter - compromising from the internet either via a web app or network based vulnerability - and securing internal domain administration access. These "keys to the kingdom" essentially yielded complete control of the building's alarm, water and HVAC systems.

In another instance, testers accessed confidential data, including architectural drawings and other sensitive information. If this had been a real-life situation, cyber criminals could have modified those drawings. Imagine the potential impact if a construction project started off with flawed blueprints.

Throughout the pen testing process, security consultants gather evidence and take screen shots, integrating these into a report for senior management. This report details testing outcomes including descriptions of verified vulnerabilities, their root causes, likelihood of a breach and potential impact. It also includes recommendations for reducing or eliminating high-risk vulnerabilities. You and your technical team can use this roadmap to prioritize remediation steps.

Once an organization has undertaken remediation efforts, the consultants can retest to validate results. As needed, they can also provide guidance to further bolster cyber defences, known as "security posture."

Regular pen testing, whereby different areas of infrastructure are tested on a routine basis, can help to maintain the security integrity of your company. At a minimum, it is prudent to conduct testing when there are any significant changes to the external or internal business environment. Ultimately, this will continue strengthening security and provide peace of mind for the management team, knowing the keys to your kingdom are well protected.

Eugene Ng, CISSP, is the Cyber Security Leader, Eastern Canada for MNP. Contact Eugene at 905.607.9777 or [email protected].

This is the third in a series of articles featuring MNP perspectives on cyber security for Canada's real estate and construction companies. Future articles will review essential components of a strong security posture, including maturity and threat analyses, managed services and cyber breach incident response planning.