
IT Life: A Pen Test Is Mightier Than A Promise

Ken Munro is a senior partner at Pen Test Partners, having previously founded SecureTest, now part of NCC Group, and held various positions with security experts Vigilante of Denmark and Network Associates as well as the anti-virus software provider Dr Solomon’s.

He’s a regular speaker on security issues and takes great delight in highlighting vulnerabilities in software and hardware: “I really enjoy translating technical vulnerabilities and exploits into tangible organisational risk, giving them a ‘face’ which people can recognise and react to appropriately,” he says.

Dissecting an ATM hack

What has been your favourite project so far?
So many to choose from. Possibly an ATM hacking incident which we were asked to investigate. I guess you’re familiar with the Ploutus ATM malware that was presented at CCC last Xmas? We were involved at a much earlier stage, and were the first to reverse engineer it, recreating the complete hack. It was fascinating, unpicking some fairly high grade malware with a very specific purpose – stealing cash and emptying ATMs.

We obviously couldn’t say a word about the project, but it seems someone else got hold of the malware, possibly via a submission to Virus Total (not us I might add!) and published the detail at the CCC event. It was interesting watching someone else reverse engineer it several months after we had.

That said, another project I loved was testing a control system for a set of traffic lights. I remember years ago being sat on a street corner causing chaos as we found vulnerability after vulnerability in the system, switching lights on and off. It appealed to the child in me!

Fortunately the client had people directing traffic, so no crashes were caused, and the issues were all fixed before the system was used more widely. At the time it wouldn’t have been difficult to create a mobile device that could change the lights on demand. Fancy green lights wherever you drive?

What tech were you involved with ten years ago?
2004 wasn’t long after SQL injection was first uncovered. That was a real game changer; instead of security being about networks, servers, services and firewalls, it moved very rapidly into the application layer.

Testing apps well requires significant application development expertise, so conventional infrastructure pen testers either had to learn very fast, or we had to go out and recruit a new set of skills. Fortunately, the son of the landlord in the pub two doors from my house was a very capable developer. An interview over a couple of pints later and he still works with me today!

Wearables will make it eventually

What tech do you expect to be using in ten years’ time?
I’m really interested in wearable tech. Google Glass doesn’t quite cut it for me, a bit chunky and invasive to conversations, but a very interesting concept.

We expect to be continually connected, using mobile devices, so anything that helps ease the interface between human and machine is bound to be adopted in time.

New tech always creates interesting security challenges too. I remember a few years ago looking at IP enabled building management systems and fire alarms. The vendors of these technologies had no idea about security, so we had fun showing how to unlock doors, switch off the air conditioning in server rooms and set off alarms. That particular sector has had to learn about security the hard way.

Tell a story, not a lie

Who’s your tech hero?
Dr Alan Solomon of anti-virus fame. I learned from him that technology has to appeal and be made interesting. Why were his stands at trade shows rammed all day? Because he knew that if you made tech interesting and entertaining, telling a story, then people would stop and listen.

I still have a pair of the famous Dr Solomon’s socks, and you can order a free pair of Pen Test Partners socks from our web site. Great ideas aren’t necessarily original!

Who’s your tech villain?
Generally, snake oil vendors aka tech companies that over hype their offerings. If you’ve got a good product, be honest about it. Don’t tell me that it will solve my PCI compliance issues because it won’t.

Vendors that rush product to market without adequate functional and security validation, leaving early adopter customers seriously vulnerable are another bugbear.

Similarly, companies that say they ‘take security very seriously’ which probably means they don’t. Companies that do take it seriously blog about it, they talk about incidents, they interact with industry and they respond really quickly. Try alerting Facebook to a cross site scripting bug – it will be fixed in minutes!

Commodity tech may not be secure

What’s your favourite technology ever made? Which do you use most?
Hard to say, but I use TCP/IP quite a lot. As a penetration tester, I generally look at any technology and try and figure out how it works. For me it’s not always about the functionality; it’s often about the inherent vulnerability. Take the Tesco Hudl. Great idea producing a commodity tablet, and over half a million have shipped, but I was intrigued to see how secure it would be. The answer is not very; you can read everything (usernames, passwords…) direct from memory by connecting a USB cable, PIN locked or not. A colleague has one; he now only uses his as a glorified radio alarm clock.

What is your budget outlook going forward? Flat? Growing?
On the up, reflecting the growth in security generally. Society’s growing reliance on connectivity means IT security is growing in importance, but there is also a recognition that industry specific security controls are the way to go. So we’re seeing demand from sectors that were relatively insular before. Energy and utility companies, for instance, are using IP connectivity to upgrade, generate economies of scale and even collect big data, and with that comes greater risk of attack. Similarly, the financial sector is now much more aware of the cyber threat and we recently advised upon the development of the CBEST standard to address threats specific to this industry.

Apart from your own, which company do you admire most and why?
I admire companies that are fleet of foot and market themselves, agile ones, that grab market share and leave the competition reeling. Just as there is disruptive tech, there are disruptive companies. New media and the mobile have allowed some really innovative companies to come to life and challenge the way things are done. Examples include AirBnB for hotels, Lyft/Uber/Car2Go for taxis and car rentals, and Dollar Shave Club; all take a fresh look at meeting demand.

What’s the greatest challenge for an IT company/department today?
Communicating risk to the board; security has too long been seen as an ‘IT’ problem, yet it’s not. It’s a core business risk that needs to be understood at the highest level of the business. This is partly down to communication. IT departments would do well to learn to speak in terms that senior execs understand. Be prepared for the question ‘will it happen to us’ when the CEO sees yet another breach on the news.

When you say ‘we’re doing all the right things’ – are you? How do you know?

Keep an eye on the EU Data Protection Directive. It’s another game changer. It could well tighten disclosure practices and companies will need to comply or face some highly punitive consequences.

To Cloud or not to Cloud?
Cloud. Although I do dispute that it’s a new technology. We’ve had the Cloud for at least fifteen years in one shape or form: take Hotmail. There’s no real reason to regard the cloud as any less secure than any other network. It’s all a matter of access and security. Do use the cloud, but treat it with the same distrust you would any other untrusted network.

What did you want to be when you were a child?
I think I wanted to design and build oil rigs, following my grandfather, but they do look a bit chilly out on the North Sea in the winter. Then again, a pen tester’s life in a cold datacentre isn’t much different!

Watch the watchdogs!

Peter Judge

Peter Judge has been involved with tech B2B publishing in the UK for many years, working at Ziff-Davis, ZDNet, IDG and Reed. His main interests are networking, security, mobility and cloud.
