What Role does Penetration Testing Play in Preventing Unauthorised Access?

Published on 18 Sep 2023


In this blog, URM will be examining the role that penetration testing plays in preventing unauthorised access.  When we refer to unauthorised access in the context of cybersecurity, we mean gaining entry to computer systems, networks, applications, or data without proper authorisation or permission from the system's owner or administrator.  Gaining unauthorised access can have significant and detrimental consequences for organisations of all sizes and from all industry sectors.

The consequences of unauthorised access are wide and varied.  Apart from the obvious financial losses (including loss of funds, fraud, or payment of ransoms), there is the damage to an organisation’s reputation and the loss of customer confidence.  Furthermore, there is the risk of legal penalties and fines incurred for non-compliance with data protection regulations.

Whilst unauthorised access is often a premeditated and malicious act, it can also occur unintentionally due to either misconfigurations or human error.

Types of Unauthorised Attacks

Unauthorised access can occur in a number of ways.  One common type is a brute force attack, where all possible combinations of characters or values are attempted to guess a valid password, encryption key, or any other secret protecting access to an asset.  The goal of a brute force attack in the broadest sense is to systematically and exhaustively try every possible input until the correct one is found* and unauthorised access can be achieved.  Vulnerabilities within software, networks, or applications can be exploited, as can security weaknesses such as software glitches, misconfigurations, or inadequate security controls.  Unauthorised access can also take place following social engineering practices, where individuals have been psychologically manipulated into divulging confidential information or performing actions.  Tactics employed as part of social engineering attacks include phishing, vishing and tailgating.

Phishing can be defined as a fraudulent email containing links to a fake website or malicious attachments, which tricks users into divulging confidential information or executing malicious software without realising they are interacting with a malicious source.

Vishing, which stands for voice phishing, is an attack that uses phone calls to trick users into disclosing sensitive information or performing certain actions.  An attacker might pose as a manager/director, or someone in a position of authority, and ask for a specific individual to be granted access to the company’s building.  Attackers can now leverage the widespread availability of AI technologies to increase the sophistication of these types of attacks, for example with real-time voice manipulation tools.

Tailgating, also known as piggybacking, is a form of physical social engineering attack that involves the attacker gaining unauthorised physical access to restricted areas by following an authorised person.

*Whilst ‘systematically and exhaustively trying every possible input’ is technically the correct definition of brute forcing, in practice attempting to guess a password utilising a smaller, finite set of passwords from a wordlist (which can still contain millions of words) is also commonly referred to as brute forcing.

Not just external threats

It’s important to note that unauthorised access is not just external in nature.  Insider threats are a significant concern in the cyber security world.  These threats occur when individuals who have authorised access to an organisation's systems, networks, or data misuse their privileges for malicious purposes or inadvertently cause security breaches.  Insider threats can emanate from employees, contractors, vendors, or any individual with internal access to an organisation's resources.  There are three general scenarios:

Infiltrated Insider Threats: In this case, an external attacker manages to compromise an insider's account or might use blackmail, bribery, or other tactics to manipulate an individual into helping them gain access to systems or data that they wouldn't normally have.

Malicious Insider Threats: This scenario involves an individual with authorised access deliberately misusing their privileges to steal sensitive data, commit fraud, sabotage systems, or engage in other harmful activities.

Negligent Insider Threats: This type of insider threat occurs when an authorised individual accidentally compromises security due to lack of awareness (e.g., posting private information in a public help forum), carelessness or poor security practices (e.g., sharing sensitive files without encryption).

Holistic Approach Required to Mitigate Risks

Mitigating unauthorised access necessitates a comprehensive and holistic approach.  Organisations can use a combination of technical and non-technical controls to mitigate the risks of unauthorised access to an organisation’s systems and resources.

Technical measures

Here are multiple technical measures an organisation can adopt to prevent unauthorised access to their systems and resources.

Network Security Measures: Network segmentation, firewalls, and intrusion detection and prevention systems (IDS/IPS) are measures that help reduce the impact of unauthorised access by limiting the ability of attackers to move from one system to another.

Authentication and Access Management: Authentication and access control ensure that users are who they claim to be before granting the minimum required access to systems. This includes tools such as:

  • Multi-Factor Authentication (MFA): Requires users to provide multiple forms of verification (password, biometric, token, etc.).
  • Single Sign-On (SSO): Enables users to access multiple applications with a single set of credentials, reducing the number of attack vectors.
  • Identity and Access Management (IAM): Manages user identities and permissions, ensuring users have appropriate access based on their roles.

Encryption: Encryption is critical in protecting sensitive data by converting it into a format that can only be read with a decryption key. Even if an attacker gains access to encrypted data, they won’t be able to decipher it without the proper key.

Endpoint Security: Endpoint security tools protect individual devices (endpoints) such as computers, smartphones, and tablets from various threats.  These tools include anti-virus/anti-malware software, host intrusion prevention systems (HIPS) and endpoint detection and response (EDR), which provides real-time monitoring, detection, and response capabilities to protect against advanced threats.

Patch management: Keeping all software, operating systems, and firmware up to date with the latest security patches reduces the risk of known vulnerabilities being exploited by threat actors to gain unauthorised access to systems and data.

Physical security measures: Physical access control systems, intrusion detection systems and video surveillance systems all help reduce the risk of unauthorised physical access.

Logging and monitoring: Logging, monitoring and alerting systems allow organisations to identify unauthorised access as it happens and to respond to incidents sooner, allowing them to minimise its impact.  They also help organisations investigate an incident, understand how it was able to happen, and apply mitigating controls so that unauthorised access cannot recur in the same way.
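As an added example (not code from the original article), the following Python sketch shows the detection side of this point: it reads constructed authentication log lines, counts failures per source address inside a sliding window, and raises an alert both when a source reaches the failure threshold and when a login from that source then succeeds, which is the signature of a password guess that worked. The log format, threshold and window are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (sshd-like wording); not real data.
SAMPLE_LOG = """\
2023-09-18T09:00:01 sshd: Failed password for alice from 203.0.113.7
2023-09-18T09:00:03 sshd: Failed password for alice from 203.0.113.7
2023-09-18T09:00:05 sshd: Failed password for alice from 203.0.113.7
2023-09-18T09:00:07 sshd: Failed password for alice from 203.0.113.7
2023-09-18T09:00:09 sshd: Failed password for alice from 203.0.113.7
2023-09-18T09:00:12 sshd: Accepted password for alice from 203.0.113.7
2023-09-18T09:05:00 sshd: Accepted password for bob from 198.51.100.2
2023-09-18T11:00:00 sshd: Failed password for carol from 192.0.2.9
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

def parse_auth_log(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def find_suspicious_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for (a) a source reaching `threshold` failures inside `window`
    and (b) a successful login from a source that already had that many recent
    failures, i.e. a brute-force attempt that appears to have succeeded."""
    failures = defaultdict(list)   # src -> timestamps of recent failed attempts
    alerts = []
    for ts, result, user, src in parse_auth_log(log_text):
        # Drop failures that have fallen out of the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) == threshold:   # fire once, when the threshold is hit
                alerts.append({"kind": "brute_force", "src": src,
                               "user": user, "at": ts.isoformat()})
        elif len(recent) >= threshold:
            alerts.append({"kind": "success_after_failures", "src": src,
                           "user": user, "failures": len(recent),
                           "at": ts.isoformat()})
        failures[src] = recent
    return alerts
```

Run against the embedded sample it yields two alerts for 203.0.113.7 and nothing for the single failure from 192.0.2.9; in practice the same logic is what an alerting rule in a SIEM expresses.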

Non-technical measures

It's important to note that while the above technical measures are essential, a holistic approach to cybersecurity and preventing unauthorised access involves not only technology but also administrative or organisational measures.  Here are 5 non-technical measures to include as part of your security portfolio:

Security Policies and Procedures: Clear and comprehensive security policies and processes are critical in instructing staff on topics such as handling sensitive data, accessing systems, password management, data classification, remote work security, and incident response.

User Training and Awareness: Having developed policies and procedures, it is essential to educate employees on best practices and topics such as the importance of strong passwords, recognising phishing attacks and reporting suspicious activities.

Access Control and Privilege Management: Organisations are recommended to implement and continually review the principle of least privilege, where users are given the minimum level of access necessary to perform their tasks.

Incident Response Plan: An incident response plan contains specific directions for specific attack scenarios.  Swift identification of unauthorised access attempts equips organisations to promptly intervene, thwarting additional harm and bolstering the security of compromised accounts or systems.

Employee Onboarding and Offboarding Procedures: Employee onboarding and offboarding are critical processes for granting and revoking access to systems and data when employees join or leave the organisation.

Effective cybersecurity involves a combination of technical and non-technical measures. By combining both aspects, organisations can create a strong defence against unauthorised access, data breaches, and other security risks. But what role can penetration testing play in preventing unauthorised access?

Role That Penetration Testing Can Play in Preventing Unauthorised Access

At a general level, penetration testing assumes a pivotal role in proactively averting unauthorised access by identifying and rectifying potential security vulnerabilities susceptible to exploitation by malicious actors.  Its contributions in this regard are comprehensive.

Firstly, by simulating real-world attack scenarios, penetration testing uncovers system, network, and application weaknesses, allowing your organisation to promptly address vulnerabilities before unauthorised entities are able to capitalise on them.

Secondly, the penetration testing of access controls, authentication mechanisms, and user permissions ensures that only authorised individuals can access specific resources and data, reducing the risk of unauthorised entry.  The validation of authentication mechanisms, such as passwords, multi-factor authentication (MFA), or biometrics, ensures that only legitimate users can access sensitive data and resources.

Web applications are often targets for unauthorised access and can be scrutinised by penetration tests to unveil web application vulnerabilities like cross-site scripting (XSS), SQL injection, broken access controls, and session management issues, which could potentially be exploited.

Penetration testing also extends its reach to tackle insider threats, assessing defences against unauthorised internal access by evaluating user access rights, data segregation, and monitoring systems.

Furthermore, network security undergoes thorough evaluation, encompassing wired and wireless network infrastructures, firewall and wireless access point configurations, and network segmentation testing to pre-empt unauthorised access to private networks and data.  The assessment horizon also extends to third-party vendors and partners, who may access your organisation's systems or data, mitigating the risk of unauthorised entry through third-party connections.

Incident response validation, facilitated through variations of penetration testing exercises like red or purple team exercises, enables your organisation to test your ability to detect, respond to, and mitigate unauthorised access attempts effectively.  Moreover, penetration testing aligns with compliance and regulatory requirements, frequently mandated by industry regulations and standards to stave off unauthorised access.  Regular penetration tests can provide evidence of your organisation’s commitment to data protection.

Lastly, penetration testing can enhance security awareness through simulated unauthorised access attempts targeting your employees.  Social engineering attacks serve as a valuable educational tool, heightening your employees' awareness and understanding of potential threats and the importance of adhering to security best practices.

Different types of penetration test

Here are a number of different penetration tests which URM regularly conducts to help organisations identify potential vectors for unauthorised access, thereby empowering them to fortify their security measures.

For each of these tests, URM shares its experiences on the benefits that pen testing can bring in terms of identifying security weaknesses.

External infrastructure penetration tests

In the realm of external infrastructure penetration tests, URM has come across numerous instances where credentials for the client domain were exposed through public data leaks. This unfortunate exposure granted access to sensitive corporate resources. Furthermore, certain unnecessary or unexpected services and data were inadvertently exposed to the internet, potentially compromising the security of the organisation and its clients. The vulnerabilities were exacerbated by weak protection against brute force attacks, lacking elements such as multi-factor authentication (MFA) or rate limiting, thus potentially facilitating unauthorised system access.

Wireless networks penetration tests

URM has found that wireless network penetration tests can reveal vulnerabilities such as weak protection for corporate Wi-Fi, which is susceptible to attack due to weak pre-shared keys (PSKs).  Similarly, corporate wireless access points have been found to be vulnerable to WPS brute-force attacks, providing unauthorised entrants with access to the organisation's corporate network. Additionally, inadequate segregation between guest and corporate Wi-Fi networks risks granting unauthorised users access to critical corporate resources.

Web application penetration tests

Web application penetration tests are key to helping organisations highlight weaknesses like cross-site scripting (XSS), SQL injection and broken access controls.  These flaws can grant users unauthorised access to sensitive data or escalated privileges, exposing data and functionality they should not be able to reach.  A lack of segregation between testing and production environments can further compound the issue, potentially enabling developers to access critical client data.  Enumeration of valid usernames or email addresses emerges as a potential avenue for threat actors to target specific users for brute force or social engineering attacks, compromising application security.  URM often finds that weak password policies, insufficient MFA and weak authorisation controls raise the likelihood of unauthorised access to applications and data.
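Two of the findings above recur across the external infrastructure and web application sections: login services with no rate limiting, and username enumeration through differing error messages. The following is an added example, not URM's code or any client system, showing a deliberately enumerable login function beside a hardened one that returns a single generic message, spends the same hashing effort on unknown usernames, and limits failures per source address and per account within a sliding window. The user store, PBKDF2 parameters, attempt limits and IP addresses are constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Hypothetical parameter: PBKDF2-HMAC-SHA256 iteration count for the example.
ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed user store for the example: username -> (salt, digest).
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy record so that unknown usernames cost the same hashing work as real ones.
_DUMMY = hash_password(os.urandom(16).hex())

def login_enumerable(username, password):
    """Weak version: different messages reveal which usernames exist."""
    if username not in USERS:
        return "unknown user"
    salt, digest = USERS[username]
    if hmac.compare_digest(digest, hash_password(password, salt)[1]):
        return "ok"
    return "wrong password"

class HardenedLogin:
    """Uniform error message plus a sliding-window failure limit keyed on both the
    source address and the target account (slows brute force and password spraying)."""
    GENERIC_ERROR = "invalid username or password"
    LOCKED = "too many attempts, try again later"

    def __init__(self, max_attempts=5, window_seconds=600, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window_seconds, clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures

    def _limited(self, key, now):
        # Forget failures older than the window, then compare against the limit.
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return len(self.failures[key]) >= self.max_attempts

    def login(self, username, password, source_ip):
        now = self.clock()
        if self._limited(source_ip, now) or self._limited(username, now):
            return self.LOCKED
        # Unknown users are checked against the dummy record: same work, same timing.
        salt, digest = USERS.get(username, _DUMMY)
        matched = hmac.compare_digest(digest, hash_password(password, salt)[1])
        if matched and username in USERS:
            return "ok"
        for key in (source_ip, username):
            self.failures[key].append(now)
        return self.GENERIC_ERROR
```

The lockout message is returned for unknown and known usernames alike, so the limiter itself does not become a new enumeration oracle; MFA would sit after the "ok" branch as a second factor.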

Physical social engineering

Physical social engineering assessments can be instrumental in detecting weak physical access controls, both at perimeters and within internal spaces with varying security needs.  These deficiencies enable threat actors to physically breach buildings, networks, assets, and data. Additionally, inadequate security awareness and protocols leave employees vulnerable to unauthorised access by threat actors within office premises.  URM has conducted numerous physical assessments and consistently finds physical security to represent an ‘Achilles heel’ for many organisations.

Simulated phishing exercises

Simulated phishing exercises can reveal a lack of security awareness among users. This deficiency enables threat actors to trick users into clicking malicious links, potentially compromising their workstations and other private resources.

By acknowledging and addressing these potential vectors for unauthorised access, URM's clients succeeded in significantly reducing the risk of unauthorised access to their organisational resources. This proactive approach, coupled with URM's recommendations, has bolstered their security posture and safeguarded against potential breaches.

Summary

Unauthorised access poses a significant threat to individuals and organisations, and it is essential organisations implement robust security measures such as MFA, conduct regular security assessments, and maintain a vigilant and proactive cybersecurity posture to prevent and mitigate its potential consequences.  Penetration testing can play a comprehensive and key role in proactively restricting and averting unauthorised access by identifying and rectifying potential security vulnerabilities susceptible to exploitation by threat actors.

Why URM for penetration testing?

  1. CREST Accredited. You can be reassured that URM is a CREST-accredited organisation for penetration testing, and one of the first organisations to be accredited to the CREST OVS Programme, which demonstrates advanced capabilities in web and mobile application penetration testing.
  2. Continuous Feedback. URM’s team of testers provides support through the scoping phase, regular updates during the testing, a debrief meeting and a comprehensive report at the end of the assessment.
  3. 30 Day Retest. You will receive a free retest of any high or critical vulnerabilities identified during an assessment in the first 30 days after the report has been produced.
  4. Holistic Approach. To augment its cyber testing services, URM provides an extensive range of GRC services, including penetration testing services, network penetration testing services, and the development of policy, process and training solutions to address your security weaknesses.
  5. Tailored to Your Needs. Whether you need all-encompassing testing of your systems or a time-limited assessment within a defined timeline or budget, URM can assist by providing an assessment tailored to your organisation’s needs.
