IT Security Mar 11, 2020

Critical vulnerabilities that your Vulnerability Scanner isn’t telling you about.

Feeling safe because your vulnerability scanner has given you the all-clear? Got your system all compliant and successfully passed all audits? You should still be wary. Automated tools and certificates are important, but have their limits. Attackers use gateways that vulnerability scanners don’t find. Penetration tests are the only way to get a complete picture of your security.

Stephan Scholz
Senior Security Consultant, Competence Center BISS (Bechtle Internet Security & Services)

A penetration tester is regularly confronted with the following mindset: “All you do is run a vulnerability scan and then send us the results in a report.” The difference and real benefit of a penetration test compared to an automated process is often not understood. A vulnerability scanner mainly provides the following: an overview of known vulnerabilities based on the software versions found. It’s more or less simply a statement of your patch status.

 

The path of least resistance.

Attackers have a wide range of opportunities and attack methods available. Before resorting to tools that look for exploitable vulnerabilities, they try simpler and faster methods such as checking for default passwords. Printers, MFPs, VoIP phones, and other devices often sit in the company network with default passwords, and their web interface and configuration can be accessed with a simple browser. These devices often store passwords for accessing Active Directory or file shares. In the best case for the attackers, they even come across domain admin credentials and take over the domain in no time at all. This is a highly critical vulnerability in your IT that your vulnerability scanner won’t find.

 

The human factor.

Ransomware can now put entire production networks out of action and cause huge amounts of damage in many companies. The extortionists are finding cleverer ways and scouting out companies thoroughly before acting. By researching social networks, attackers are able to build an organisational chart of a company’s key players. Those of interest are mainly management, employees with financial authority, and IT admins. A targeted e-mail with a malicious link or attachment is then sent to infect workstations or encrypt systems. Such e-mails may also contain instructions to make unauthorised payments. If your IT department relies on an automated security check, highly critical areas, such as e-mail security, often get missed.

 

Pseudo security through segmentation.

If you offer your customers internet services such as a web shop or service portal, you've most likely designed your environment according to best practices. A multi-tier architecture provides the means for an enhanced security level. The system's core components are distributed across web frontends, application servers, and database servers. This multi-level concept creates a fortress that an attacker must laboriously work their way through. However, application-level vulnerabilities such as SQL injection pass effortlessly through the individual layers and allow direct access from the internet to the database server in the critical server segment. It is therefore important that web applications are checked, particularly those that are self-developed or commissioned. Whilst there are vulnerability scanners specifically for web security, web applications can only partially be tested automatically. An understanding of the application and the logical sequence of the individual steps is needed here.
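The segmentation point above, as an added example that is not part of the original article: a three-tier request path is simulated in one process, with the vulnerable application-tier query beside its parameterised form. The table, function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Database tier: in-memory SQLite holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "laptop"), (2, "bob", "printer"), (3, "carol", "phone")],
    )
    return db

def app_lookup_concat(db, customer):
    """Application tier, vulnerable: the input becomes part of the SQL text."""
    sql = ("SELECT id, item FROM orders WHERE customer = '"
           + customer + "' ORDER BY id")
    return db.execute(sql).fetchall()

def app_lookup_param(db, customer):
    """Application tier, hardened: the input is bound as a value only."""
    sql = "SELECT id, item FROM orders WHERE customer = ? ORDER BY id"
    return db.execute(sql, (customer,)).fetchall()

def web_frontend(db, lookup, form_value):
    """Web tier: forwards the form field along the path the tier firewalls permit."""
    return lookup(db, form_value.strip())

def rows_for(lookup, form_value):
    """Run one request through all three tiers against a fresh database."""
    return web_frontend(make_db(), lookup, form_value)

# Constructed input: a quote character that changes the WHERE clause.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    print("concat, normal :", rows_for(app_lookup_concat, "alice"))
    print("concat, crafted:", rows_for(app_lookup_concat, CRAFTED))
    print("param,  crafted:", rows_for(app_lookup_param, CRAFTED))
```

Every call travels the same permitted frontend-to-application-to-database path, so network segmentation sees nothing unusual; only the way the application tier builds the query decides whether other customers' rows are returned.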

 

Bechtle Penetration Test – Expertise in all areas.

Our penetration tester was educated at the renowned SANS Institute and qualified via the GIAC/GPEN certification. The penetration tests are conducted in accordance with the Federal Office for Information Security (BSI). All three versions of the penetration tests ensure a very high level of quality. In the external test, we simulate an attack from the internet and check what can be accessed from outside. The internal test uses a standard LAN interface or WLAN as the gateway and checks the internal network. For self-developed web applications not based on a standard product, we recommend an additional web application penetration test where Bechtle conducts a deeper analysis of the application. You then receive a thorough and realistic assessment of your security level that goes far beyond that of an automated scan.

 
