Suggested Solutions

Pen Test Reporting

Regarding People

A pen test team needs to recommend mitigation solutions for people, processes, and technology to deal with any discovered vulnerabilities. These all need to be considered together so that your recommendations don’t result in gaps. All three of these factors often overlap, so hardening one without hardening the others will still result in vulnerabilities. It’s also important that the security strategies you recommend balance security and functionality, as sometimes these concepts clash.

When it comes to people, they always have been, and probably always will be, the weakest link in security. In addition to plain old human error, people are also vulnerable to the many social engineering attacks you have seen previously in the course.

Some of the mitigation strategies and techniques you should recommend that clients implement include the following.

Mitigation Strategy

Description

Implement technical controls

Start with as many technical controls in place as possible to preempt the risk created by careless people. While technical controls can’t compensate for carelessness entirely, they can still go a long way in mitigating it.

Have management set the security tone and lead by example

Cybersecurity is often about leadership and good people management. If end users see that the organization’s leaders take security seriously, they are more likely to model those same behaviors to keep systems and resources secure.

Train people in proper security measures

General education about security, training on security in relation to their job duties, and follow-up training on a periodic basis go a long way in ensuring people know what to do to maintain security. Humor is often useful in getting a point across, but be sure that the message is not lost. Whatever tactics are used in the training, sell people on implementing what they are learning.

Constant reinforcement and reminders

Post reinforcement and reminders around the workplace. Change the postings regularly or people will stop “seeing” your messages.

Implement penalties for non-compliance

Ensure everyone understands the penalties for non-compliance, and enforce the penalties you determine are required for your environment. If possible, give people a chance to make up for or fix errors, especially those who are new to the process. Some errors might deserve more severe penalties than others, based on organizational needs.

Reward groups that have no incidents

Much like a safety award that is presented to a department that has no incidents during a given period, consider implementing a rewards and recognition program for departments with no incidents during the given period of time.

Avoid complacency

Don’t let people become complacent. This is when incidents that could have been avoided tend to occur.

Give users a sense of ownership in the process

Adopt an “if you see it, report it” posture with rewards and a sense of community. People need to “own” something to care about it.

End-User Training

Remediation should include requiring end-user cybersecurity training for all employees. The users should be able to identify why it is important that everyone does their part in keeping the organization and its assets secure. Training should include:

  • How to spot threats they might encounter on the job.
  • The consequences of succumbing to threats.
  • Tools to mitigate threats.

If users find a suspicious device, they should be aware that they need to let the IT department know about the device. This includes items such as USB drives, tablets, laptops, and routers that they haven’t seen previously. The IT department should have resources and procedures in place for what actions to take if such a device is found. This might include testing the device in a sandbox environment or connecting it to an air-gapped computer.

Regarding Processes

People put processes in place. Workplace processes often just evolve out of convenience or expediency. There’s a workplace tendency to just follow established procedure without greater consideration for efficiency, effectiveness, or security. Yet, processes that make people inattentive provide loads of opportunity for social engineering, physical attacks, and insider threats, such as fraud and abuse. Many of the costs due to process insecurity are soft or hidden, making them difficult to find and mitigate.

Some of the mitigation strategies and techniques you should recommend that clients implement include the following.

Mitigation Strategy

Description

Implement technical controls

Just as with mitigating problems regarding people, for processes, start with as many technical controls in place as possible to preempt the risk of poorly designed or implemented processes.

Have managers take an active role

Management needs to model the behavior they expect throughout the organization. If they are lax about security, their employees will also tend to be lax about security.

  • Managers must have the discipline and take the time to pay attention to security concerns. The justification is that it’s more efficient and will save money and resources in the long run.
  • Managers cannot be absent. They absolutely must not tell people to do something differently without training, guidance, leadership, and follow-up; without these, the effort will certainly fail. After all, it’s difficult to get people to change their ways.
  • Use psychological tactics to trigger in people’s minds that things are different. For example, alter the work environment by moving furniture, changing lighting, etc.

Review processes

Regularly review both people and technical processes for security vulnerabilities.

  • Conduct regular review and auditing to see if people are actually following requirements.
  • Regularly test technical processes with “unhappy path” negative testing to see if misuse cases can bypass security.
  • Example: A CFO might be examining the input and output of the accounts payable process and be unable to determine where hundreds of thousands of dollars disappear to each month. Imagine if somewhere in the batch payment authorization to the bank, someone is sneaking in unauthorized payment requests to unknown overseas vendors. This would be a huge problem in the process, implemented by a person (or persons).

Put key performance indicators (KPIs) in place

Have KPIs in place so management can monitor effectiveness, see security process improvement and return on investment (ROI), and intervene in consistently weak areas.

Update processes when needed

  • When people-based processes must be updated, make sure the reasons are well understood. Also make sure the penalties for non-compliance are well understood. Since changing culture is difficult, turn it into a project with benchmarks, milestones, and rewards. Using whatever methods are needed, get everyone on board.
  • When technical processes must be updated, treat it like any upgrade:
      • Have KPIs to prove it’s working.
      • Have emergency rollback plans in place.
      • Implement the update in controlled phases.

Regarding Technology

Implementing mitigation solutions using technology often involves a direct cost that the organization needs to budget for. Management always tries to get the maximum value out of an investment, so if the solution you recommend doesn’t fully meet their needs, they might be reluctant to spend more money on more technology to secure their network and resources.

Some of the mitigation strategies and techniques you should recommend that clients implement include:

  • Have IT run monthly vulnerability scans.
  • Have annual security audits/pen tests.
  • Have KPIs that management can use at a glance to see the security effectiveness of new technology. Examples include:
      • Overall security incident trends.
      • Length of time between a discovered vulnerability and its remediation.
      • Length of time between an incident/problem and its recovery/resolution.
      • Rate of recurrence of the same security problem.
  • Follow the 80/20 rule in risk reduction:
      • Implement multiple layers of security, each targeting at least 80% coverage. Cumulatively, each layer compensates for gaps in the other layers, and together they narrow the attack surface.
      • 80% of vulnerabilities can be remediated with 20% of the cost and effort.
  • Some technology solutions to consider include:
      • To counter ARP poisoning, write static ARP tables on critical hosts or implement an intrusion detection system (IDS) that can monitor for ARP poisoning attacks and block such traffic.
      • To counter SSL strip, configure the server to use HTTP Strict Transport Security (HSTS). This instructs the browser that its connections to the site can only use HTTPS, never HTTP. Setting HSTS is as easy as configuring the server to always send a Strict-Transport-Security response header.
      • Counter downgrade attacks by configuring the server to use only current versions of TLS and not permit insecure, legacy versions of SSL/TLS.
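The HSTS and TLS-version recommendations above, turned into a check a tester can run against captured response headers and a server-side TLS configuration. This is an added example written for this page, not code from the course; the one-year max-age floor, the finding strings, and the sample responses are assumptions constructed for the demonstration.

```python
import ssl

ONE_YEAR = 31536000  # seconds; assumed floor for HSTS max-age (common guidance)

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def assess_hsts(headers, over_https=True):
    """Return a list of findings for one response's headers (constructed input)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("strict-transport-security")
    if value is None:
        return ["HSTS header absent: browsers will still follow http:// links"]
    findings = []
    if not over_https:
        # RFC 6797: a UA must ignore STS headers received over plain HTTP, so the
        # header must be sent on the HTTPS response, not only on the redirect.
        findings.append("header sent over HTTP is ignored by browsers")
    d = parse_hsts(value)
    age = d.get("max-age", "")
    if not age.isdigit():
        findings.append("max-age missing or malformed")
    elif int(age) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(age) < ONE_YEAR:
        findings.append(f"max-age={age} is shorter than one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains remain downgradable")
    return findings

def hardened_server_context():
    """Server TLS context that refuses SSLv3, TLS 1.0 and TLS 1.1 (downgrade mitigation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def floor_is_tls12_or_newer(ctx):
    """True when the context will not negotiate anything older than TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2

# Constructed sample responses: a weak HSTS setting and a corrected one.
WEAK = {"Strict-Transport-Security": "max-age=0"}
FIXED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
```

Note that HSTS only protects visitors after their first HTTPS visit (or via the preload list), so the header complements, rather than replaces, a TLS-only server configuration.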

People, Processes, and Technology

Again, you need to balance technology with processes and people. For example, walling off a doorway will prevent access through that door, but employees will no longer be able to reach the area behind the wall at all. This is an extreme example, but be sure to weigh ease of use against the need for security; if a security procedure is too complicated or onerous, users will find ways to bypass it, resulting in a less secure environment.

Often when a password is easily cracked, it is due to people, process, and technology problems in concert. The organization might have a password policy in writing, but if it isn’t enforced through technical measures, passwords remain vulnerable to attack. If users create too simple a password that is easily cracked, that is one end of the spectrum; if they make it so complicated that they need to write it down somewhere, they are meeting the complexity requirements but are still leaving themselves open to social engineering, where someone could simply come into their workspace and find where the password was written down.

Categories of Findings

The following table lists some of the findings that are often discovered during pen testing and some remediation measures to consider taking. There are often more remediation measures the client can take to address a particular vulnerability. You should present as many as you have time to include in your recommendation to the client. Giving the client options enables them to choose the solution that is right for them and their organization. One might be cheaper or easier to use, but another might be more comprehensive, reliable, or more certain of mitigation success.

Finding

Remediations

Shared local administrator credentials

  • Avoid sharing login credentials if at all possible.
  • Require users to use their own credentials for accountability if possible.
  • If credentials must be shared, randomize them. This is often accomplished by having multiple names and passwords in a database, and then a mechanism is used to select a different set of login credentials each time a user logs in. Even if the credentials are compromised, they will not be valid for too long because the next time someone logs in to that system, a new set of credentials will be rotated into effect, making the one the attacker stole useless. Randomization of credentials can also help prevent lateral access.
  • Use Local Administrator Password Solution (LAPS), which is a Microsoft solution that uses Active Directory (AD) to store local administrator passwords of computers that are joined to the domain. AD access control lists can then be used to protect the local account passwords so that only authorized users can read or reset the local password.

Weak password complexity

  • Configure minimum password requirements:
      • A minimum length of at least 8 characters is recommended.
      • Don’t allow users to reuse passwords.
      • Require at least one number, one letter, and one special character.
  • Implement password filters that enable enforcement of password policies and change notification. Filters enable the administrator to require that users follow specific rules when creating their passwords. This goes beyond what can be set up using Group Policy for password complexity requirements.

Plaintext passwords

Use protocols that hash or encrypt the password rather than those that store or transmit passwords in plaintext.

No multi-factor authentication

Implement multi-factor authentication in applicable systems.

SQL injection, XSS, and other code injection

  • Sanitize user input in web apps.
  • Use parameterized queries in web apps.
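To make the second remediation concrete, here is the finding next to its fix: a lookup that concatenates untrusted input into SQL, and the same lookup as a parameterized query. This is an added example written for this page, not code from the course; the in-memory SQLite table and its rows are constructed sample data.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn

def find_user_vulnerable(conn, name):
    """The finding: user input is spliced into the SQL text, so a quote in the
    input changes the query's structure instead of being compared as a value."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    """The remediation: a parameterized query. The driver sends the value
    separately from the SQL text, so quotes and keywords in the input are
    data, never query structure. Names like o'brien also just work."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def vulnerable_query_breaks_on_quote(conn, name):
    """True when the concatenated query fails or misbehaves on quoted input;
    used to show why input like o'brien already exposes the defect."""
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input containing SQL metacharacters
    print("vulnerable:", find_user_vulnerable(db, crafted))  # returns every row
    print("safe:      ", find_user_safe(db, crafted))        # returns []
```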

Unnecessary open services

Perform system hardening and close any unneeded ports or services.

Physical intrusion

Implement physical controls to detect, deter, and stop attacks:

  • Security cameras.
  • Security guards.
  • Motion detectors.
  • Fencing and gates.
  • RFID systems that use encryption.
