Category: Test

Top Five Actions to Improve Your Cyber Security Posture

The current state of Australian security breaches has thrown organisations into chaos and disarray. Australia is currently 5th in the World for cybercrime density, and 11th in the World for the average cost of a data breach ($4.5m). However, most of these breaches could have been avoided had basic cyber security hygiene been implemented.

If implemented correctly, the five items detailed below will give your organisation a fighting chance when, not if, attackers attempt to breach your networks and applications.

1) Know Your Attack Surface

You can’t defend what you don’t know exists! Before you can start defending and monitoring your networks, applications and staff, you must first identify all the assets and areas of risk that make up your overall attack surface. Ensure that you undertake daily discovery scans and conduct a gap analysis of newly discovered assets.

Additionally, it is important to ensure that your asset management system is updated regularly, all newly identified assets are added to your vulnerability management program, and those security assessments are carried out routinely.

It should go without saying that these activities should be undertaken against your Internet-facing and internal, corporate assets.

2) Secure the Network Perimeter AND the Perimeter Endpoints

The saying “the endpoint is the perimeter” has become a marshalling slogan in recent times. Unfortunately, it is quite true.

Gone are the days when the network firewall was the only point of focus for security controls. Client-side attacks are often used to circumvent perimeter controls by targeting end users directly. Endpoint Detection and Response (EDR) security controls are now a ‘must-have’ to defend against these attacks.

On the flip side, attackers continue to relentlessly target web applications and cloud platforms. Next-Generation Firewalls (NGFW) and Web Application Firewalls (WAF) are great security controls to better secure your network perimeter.

It is critical to ensure that your Internet-facing systems are security hardened! This includes implementing Multi-Factor Authentication (MFA) and a SIEM (Security Information and Event Management) to keep a watchful eye over all of your infrastructure systems and applications.

3) Perform Routine and Comprehensive Security Tests

Penetration testing has become a multi-billion-dollar industry. However, most “penetration tests” are nothing more than vulnerability scans in sheep’s clothing. It is important to implement a multi-level security testing program to provide the best insight into the security risks affecting your systems. This includes

  • Daily Vulnerability Scanning.
  • Monthly Social Engineering (Phishing) Campaigns.
  • Quarterly Penetration Testing against your networks, applications, and cloud platforms.
  • Yearly Red and Purple Team assessments.

However, this should only be the beginning. Ensure that you have implemented a robust vulnerability management program so that all findings from these engagements are being addressed and remediated promptly.

It is critical that vulnerability scanning and routine penetration testing should be performed at a minimum, even if you’re on a budget. Oh, and don’t forget to rotate your service provider for these engagements.

Complacency is a killer!

4) Develop and drill your incident response capabilities

“Everybody has a plan until they get punched in the mouth.” – Mike Tyson

All Incident Response (IR) capabilities should always be routinely refined and tested to maintain their effectiveness, in the same way as sharpening a sword. This approach is critical to putting an organisation in the best possible position to combat the next attack threatening the business. This can be best broken down into three pillars; people, process, and technology.

  • People need to be appropriately trained.
  • Processes need to be in place and routinely tested (including policies and IR playbooks).
  • Technology needs to be deployed to ensure the best systems are in place to respond and defend against cyber attacks.

All three pillars should be reviewed and updated every six months to ensure they are still relevant to the business context and aligned with industry-standard best practices. A fantastic way of performing a simulation for your Incident Response capacities is to routinely undertake Purple Teaming assessments. After all, how do you know your sword is sharp unless you use it?

5) Train your Army

An untrained army will lose every battle, every time. Cybersecurity training is often seen as an expenditure as opposed to an asset. A well-trained Blue Team can save an organisation millions of dollars when a security breach occurs.

Cybersecurity training should always be approached from multiple angles.

  • Technical training for all IT Staff, including engineers and analysts.
  • Cyber security awareness training for all staff.
  • Specific awareness training for high-value targets such as CEOs and CFOs.

Remember that while cyber security training is important, it is just as important to put the training to the test by performing in-house drills. There are several budget-friendly alternatives to the big service providers, which can include web-based training providers or even implementing a train-the-trainer style approach. Now, go drill, drill, drill, soldier!

Although the five points above do not account for every approach you can take to harden your company’s security posture, it is a great starting point to ensure you don’t become the next news headline

Manual Security Testing vs Automated Scanning?

The art of penetration testing has evolved over the years. What began with testing arrows on armour, has now become testing tools and techniques on systems and applications. Without a doubt, we are still mostly using manually driven techniques, however this can be slow, cumbersome, and subject to the human element which can result in faults and missed opportunities.

Over the last decade or so, tools to aid and automate security testing have rapidly entered the fray and are increasingly taking the burden off some of the more time-intensive tasks in the cyber security sphere, such as scanning, brute-forcing, or even full-fledged attacks commanded with single line commands. Tools such as BurpSuite, Nmap, SQLMap, Metasploit, and Nessus, among many others, have certainly sped up the discovery and exploitation of vulnerabilities, allowing more in-depth testing within often limited test windows.

Looking at the bounty of tools available to us, you may start to wonder why manual testing is required anymore. Here is a quick rundown on some of the benefits and disadvantages of both, and how using both on engagements, big and small, can be greatly beneficial.

Manual Testing – The Old Reliable

Manual testing, simply put, is the act of using little to no automation for tasks. A great example of this would be the manual exploration of a website while data is being captured by BurpSuite, where the tester can manually analyse the headers and requests as its own task later, rather than immediately after every click.

Manual testing also extends to the exploitation stage of an engagement, where the tester may need to utilise very specific commands or customised scripts to achieve the desired result.

While manual testing can be very meticulous, and provide a detailed and deep understanding of the subject of the test, it can be very time-consuming, possibly taking days longer than an automation-driven test. There are some vulnerabilities that just simply can’t be automated entirely, or are very prone to false positives if automated, and therefore will require further investigation, possibly using more time than if done entirely manually from the beginning.

Some examples of vulnerabilities that require manual testing to correctly identify and safely exploit are:

  • Social Engineering
  • Access Control Violations
  • Password Spraying and Credential Stuffing Attacks
  • SQL Injection
  • Cross-Site Request Forgery (CSRF)

Another advantage of manual testing over automation is the ability to find, and use, newly or not yet discovered zero-day exploits, which can take a significant amount of time to be implemented into commonly used tools.

Automated Testing – The Shiny New Tools

Automated penetration testing is really what is written on the package – it is the process of utilizing automation tools, such as applications, platforms, and scripts, rather than the expertise and efforts of a human tester. It can be significantly cheaper and far more time efficient (which also adds to cost efficiency) than manual testing by one or more human ethical hackers.

Automation tools can perform actions such as content discovery, vulnerability analysis, and brute forcing, in a matter of minutes or seconds, where it could take a manual tester hours or days to get the same results. Automated tools, namely scanning, can be left to run in the background while manual testing is also performed, or set to periodically scan for issues, such as Tenable Nessus keeping an eye on things and providing reports at set intervals or upon request.

When it comes to regular penetration testing, companies factor in cost, and it can be rather expensive to hire human penetration testers for regular tests or as in-house, so it can be more cost-effective to have automated tools do the day-to-day, then infrequently have a human run further tests and analysis.

There is no doubt that automation is the way of the future, and will continuously improve; however, there are many tasks that are best suited to manual testing, either due to the simple inability to automate or due to the hassle of false positives (and false negatives).

Another advantage to automation is consistency, in both its actions and results, and with the reporting at the end. As the scans and processes run are mostly, if not entirely hands-off, there is less room for human error or deviation, and therefore don’t require a highly trained expert to perform the required tasks, which ultimately can save money for the organization. Automation, however, is often unable to fully assess a threat and how it can impact you in context to your application, platform, infrastructure, network, or organisation as a whole, which is something a sufficiently trained human penetration tester can do, and make new actions accordingly. A vulnerability that may be picked up and reported as a low finding by an automation tool, could have much more critical consequences when chained with other low, or even informational, vulnerabilities.

So, what’s better? A manual or automated approach?

Simply put, both manual and automated testing methods have their place, and should always be used in penetration tests of all kinds. The level of detail and effectiveness provided by manual testing is unsurpassed, as well as contextual reporting and risk analysis that simply cannot be provided by even the best automation tools on the market. However, where speed and consistency of tasks are concerned, automation wins without question.

Although both methods can provide you with a satisfactory outcome in terms of vulnerability identification, what is best for your organization will come down to what level of detail and quality your organisation requires, the frequency of the tests, and the cost factor.

Ultimately, a combination of both manual and automated testing is the best way to get the highest quality outcome of a penetration test, with the most efficient use of time and money, to bring you a greater assurance of security and peace of mind that your assets are secure from malicious attack.

Have You Considered “Swinging” With Your Pen Testing Provider?

Have you been in a long-term relationship with your existing penetration testing vendor?  

Starting to feel like it’s time to ‘spice things up’ a bit?  

It’s easy to settle into a partnership with a vendor that you’ve got to know, they’ve got to know you along with the more intimate details of your business, and all of the ‘skeletons in your closet’.  It takes time to build that level of trust and knowledge of your organisational context.  

Recently however, there has been a whole lot of whispering behind hands, and new security best practice guidelines being circulated, which suggests that a good cybersecurity strategy should involve regularly changing or rotating your chosen pen testing vendor.  There are a number of reasons to consider the idea of “swinging” with your current pen testing provider.

You Don’t Know What You’re Missing Out On…

Familiarity breeds complacency.  And complacency deprives people of opportunities and brings growth to a standstill.  

If you’re not trying something new, you will always have reasonable doubts that your current vendor might be missing something when it comes to testing methods, skillsets or risk prioritisation. A different pen tester may have slightly different methodologies which could potentially unmask a previously unidentified vulnerability.   They may also report on vulnerabilities in a different way to what you have got used to – and who knows, you might just prefer it that way.

No Pleasure Endures Unseasoned By Variety…

No two pen testing companies are the same.  They come in differing sizes, they come with differing areas of expertise, differing levels of expertise, differing certifications, knowledge of particular industries, the list goes on.  By rotating partnering companies with varying skills, you can take advantage of each vendor’s proclaimed “specialist knowledge” to hedge your risk, and ensure you have the most appropriate pen tester for every engagement.

Rev Up The Relationship With A Little Healthy Competition

Changing up or rotating your pen testing vendors should not become a cut-throat activity, however there are some positive benefits that come with a little healthy competition.  The incoming testing partner will have the motivation and desire to please, they will be going the extra mile to deliver an improved outcome for you.  This, in turn, may drive a boost of creativity and innovation from your existing vendor, who will want to make sure the sparks are still flying, and you still recognise the value that they bring to the relationship.

As with all good relationships, new and existing, being open and transparent about what you’re looking to get out of the partnership is the key to a successful journey.  

At the end of the day, maximising your security posture is the number one goal, and if that means playing the field to see what else is out there, that may ultimately be the best decision for your organisation.  

It doesn’t mean you have to say “Au Revoir” to your long-term pen testing partner. It could simply be time to introduce a fresh perspective into the equation.  

JDS are keen to get in on the action.

What It Means To Be CREST (Intl) Accredited

Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider.  These could include irresponsible organisations that do not have in place policies, processes and procedures to ensure quality of service and protection of client based information.  The individuals employed by these companies may have no demonstrable skill, knowledge or competence in the provision of security testing.

CREST is an International not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST requires a rigorous assessment of business processes, data security and security testing framework to demonstrate a level of assurance that the information security methodologies used can competently and securely provide customers with a robust assessment of their cyber security posture.

As a result, CREST only provides accreditation to highly trusted professional services organisations, and their employees who provide the often sensitive and high-risk penetration testing, cyber incident response, threat intelligence and security operations centre services.

All CREST accredited member companies are required to submit policies, processes and procedures relating to their service provision to provide added assurance for the buying community.  These policies, processes and procedures include:

  • References for certified individuals
  • Assignment preparation and scope processes
  • Assignment execution processes
  • Technical methodology
  • Reporting templates
  • Data storage and Information Sharing policies
  • Post technical delivery methodologies
  • Asset/Information/Document storage, retention and destruction processes

The buying community needs to be in a position where it can procure services from a trusted company with access to demonstrably professional technical security staff.  CREST provides the buying community with a clear indication of the quality of the organisation and the technical capability of staff they employ.

JDS is a proud CREST (Intl) accredited member company who can confidently provide our customers the added reassurance that our services meet the highest professional and security standards.

Five Reasons Why Your Organisation Should Be Penetration Testing

Modern businesses require an advanced approach to security and due diligence.  Having anti-virus software and a firewall is no longer an efficient strategy to prevent highly sophisticated security attacks which can result in irreversible damage to your organisation.

A professional penetration testing service is the best way to identify the strengths, weaknesses and holes in your defences.  Read on to uncover the five best reasons why your organisation needs penetration testing.

1. Protect Your Organisation From Cyber Attacks

Reports of cyber crime within Australia have increased nearly 15% each year since 2019, with the average reported financial loss per successful cybercrime incident being $50,673. Regardless of your organisational size or sector, cyber criminals view every business as a potentially exploitable prospect. The internet is continuously being scanned in search of vulnerable systems.  Carrying out penetration tests will enable you to identify vulnerabilities that are most likely to be exploited, determine what the potential impact could be, and enable you to implement measures to mitigate or eliminate the threat.     

2. Identify and Prioritise Vulnerabilities

Put simply, a pen test will uncover all of the potential threats and vulnerabilities that could damage your organisation’s IT assets.  The resulting report prioritises these vulnerabilities from low to critical, and further categorises them by likelihood and impact.  This gives your team a clear picture of your security posture, and the opportunity to mitigate the greatest threats first before moving on to less risky ones.

3. Stay Compliant With Security Standards and Regulations

Regular penetration testing can help you to comply with security standards and regulations such as ISO 27001 and PCI.  These standards require company managers and system owners to conduct regular penetration tests and security audits to demonstrate ongoing due diligence and maintenance of required security controls. Not only does pen testing identify potential vulnerabilities, ensuring that you are protecting your customers and assets, but it also helps to avoid costly fines and fees connected with non-compliance. 

4. Reduce Financial Losses and Downtime

Recent studies have reported that the average financial impact of a major data breach in Australia is around $3.7million per incident.  This takes into account expenditures on customer data protection programs, regulatory fines, and loss of revenue due to business operability.  System downtime is incredibly costly – the longer your system is down, the more exorbitant the cost.  A penetration test is a proactive solution to highlight and fix your system’s most critical vulnerabilities, and ensure your team are ready to act if your systems were to go down unexpectedly. 

5. Protect Your Reputation and Company Loyalty

Consumers are extremely quick to lose trust in companies and brands, and all it takes is one security breach or data leak to tarnish your reputation.  Customers and partners of your organisation want to know that their private data is safe in your hands, so it is in your best interest to be aware of any vulnerabilities which may put the company’s reputation and reliability in jeopardy.  

This is just a handful of reasons why organisations should carry out regular penetration tests, but there are many more.  Connect with JDS to discuss your pen testing needs and get a full scope of work customised to your requirements.

Accelerate upgrades with ServiceNow Automated Test Framework

Upgrade more often

In 2019, ServiceNow will move to “N-1” upgrades, meaning you can’t be more than one release behind before ServiceNow will force the upgrade to your platform, ready or not.

It’s nothing to be afraid of. The evolution of enterprise to the cloud means we can break free from the shackles of the old on-premise software model. ServiceNow takes care of all the back-end technical changes, which eliminates a lot of the burden that has made upgrades slow and expensive.

Your challenge now is to make sure that nothing in the upgrade process disrupts your business. Test automation with ServiceNow ATF can help – see our technical post here for more on that.

Accelerate test automation with JDS Kick Start

We can help you get started with ServiceNow ATF. In just a few days, the JDS ServiceNow ATF Kick Start engagement will provide you with the detail you need to scope and plan automation of testing across your platform.

JDS brings over a decade of experience in test automation, and our experienced ServiceNow team can help with a rapid assessment of your platform.

JDS ServiceNow ATF Kick Start includes:

  • Identification of the top use cases that are candidates for automation
  • Joint review and refinement of use cases
  • Report and recommendations for automation

Call us

To find out more and to book a Kick Start – email [email protected] or call 1300 780 432 to reach our team.

We partner with leading technologies

Citrix and web client engagement on an Enterprise system

JDS was engaged by a leading superannuation firm to conduct performance testing of their enterprise applications migrating to a new platform. This was part of a merger with a larger superannuation firm. The larger superannuation firm was unaware of their application performance needs and until recent times, performance was not always a high priority during the test lifecycle.

JDS was brought in to provide:

  • Guidance on performance testing best practice
  • Assistance with performance testing applications before the migration of each individual super fund across to the new platform
  • Understanding the impact on performance for each fund prior to migration

During the engagement, there were multiple challenges which the consultants faced. Listed below are a few key challenges encountered, providing general tips for performance testing Citrix.

Synchronisation

You should have synchronisation points prior to ANY user interaction i.e. mouse click or key stroke. This will ensure the correct timing of your scripts during replay. You don’t want to be clicking on windows or buttons that don’t exist or haven’t completely loaded yet. For example:

ctrx_sync_on_window("Warning Message", ACTIVATE, 359, 346, 312, 123, "", CTRX_LAST);
ctrx_key("ENTER_KEY", 0, "", CTRX_LAST);

Screen resolution and depth

Set your desktop colour settings to 16bit. A higher colour setting adds unneeded complexity to bitmap syncs, making them less robust. Ensure that the display settings are identical for the controller and all load generators. Use the "Windows Classic" theme and disable all the "Effects" (Fading, ClearType, etc.)

Recording

Your transactions should follow the pattern of:

  • Start transaction
  • Do something
  • Synchronise
  • Check that it worked
  • End transaction

If you synchronise outside of your transaction timers, the response times you measure will not include the time it took for the application to complete the action.

Runtime settings

JDS recommends the following runtime settings for Citrix:

Logging

  • Enable Logging = Checked
  • Only send messages when an error occurs = Selected
  • Extended logging -> Parameter substitution = Checked
  • Extended logging -> Data returned by server = Checked

Citrix 1

 

Think time

Think time should not be needed if synchronisation has been added correctly

  • Ignore think time = Selected

Citrix 2

Miscellaneous

  • Error Handling -> Fail open transactions on lr_error_message = Checked
  • Error Handling -> Generate snapshot on error = Checked
  • Multithreading -> Run Vuser as a process = Selected

Citrix 3

ICA files

At times you may need to build your own ICA files. Create the connection in the Citrix program neighbourhood. Then get the wfclient.ini file out of C:\Documents and Settings\username\Application Data\ICAClient and rename it to an .ica file. Then add it to the script with files -> add files to script. Use the ICA file option for BPMs/load generators over the "native" VuGen Citrix login details for playback whenever possible as this gives you control over both the resolution and colour depth.

Citrix server setup

Make sure the MetaFrame server (1.8, XP, 3, or 4) is installed. Check the manual to ensure the version you are installing is supported. Citrix sessions should always begin with a new connection, rather than picking up from wherever a previously disconnected session left off, which will most likely not be where the script expects it to be.

Black screen of death

Black snapshots may appear during record or replay when using Citrix Presentation Server 4.0 and 4.5 (before Rollup Pack 3). As a potential workaround, on the Citrix server select Start Menu > Settings > Control Panel > Administrative Tools > Terminal Services Configuration > Server Settings > Licensing and change the setting Per User or Per Device to the alternative setting (i.e. If it is set to Per User, change it to Per Device and vice versa.)

Lossy Compression

A script might play back successfully in VuGen on the Load Generator; however, when running it in a scenario on the same load generator, it could fail on every single image check. This is probably a result of lossy compression—make sure to disable it on the Citrix server.

Script layout

Put clean-up code in vuser_end to close the connection if the actions fail. Don't put login code in vuser_init. If the login fails in vuser_ init, you can't clean-up anything in vuser_end because it won’t run after a failed vuser_init.

JDS found performance issues with the applications during performance tests; however, these issues leaned towards functional performance issues more than volume. They were still investigated to provide an understanding of why the applications were experiencing performance problems.

The performance team then worked with action teams to assist with any possible performance resolutions, for example:

  • Database indexing
  • Improvements to method calls
  • Improving database queries

Tech tips from JDS

ServiceNow performance testing tips

Although ServiceNow comes prepackaged with a wide array of prebuilt applications, it’s possible to extend these and develop entirely new applications, and this is where performance problems may arise.

Out-of-the-box, ServiceNow is a fast, robust, secure SaaS platform. ServiceNow is designed to be extended and modified, but customers need to understand those points where performance issues may arise.

Slow loading forms can be a source of user frustration and hinder user uptake. Forms are an area where performance problems can be encountered because customers need to implement additional layers on top of the standard system to incorporate their own business logic. These layers can also build up incrementally over time which can result in reduced performance from one year to the next.

It’s important to understand what business rules and scripts are executing, and in what order, when a record is loaded in a form. This will allow us to better understand where performance issues may arise.

ServiceNow Forms

 

As you can see from the diagram above, there are business rules which execute on the server and scripts which execute on either the client or the server. Both can be a source of performance issues if not managed carefully.

 

Where possible, synchronous scripts should be avoided as the user will be forced to wait for the network/server response to arrive before they can continue their work. As tempting as it is to use asynchronous scripts to enhance the information available to users on a form, this still requires additional communication across the network to ServiceNow. JDS recommends using asynchronous calls sparingly, as there are other means of preloading information, such as using the g_scratchpad.

 

There are four ways of dynamically incorporating additional information into a form in ServiceNow:

  1. g_scratchpad
  2. GlideAjax
  3. GlideRecord
  4. g_form

 

Most ServiceNow administrators are familiar with GlideRecords and g_forms, but these have the heaviest overhead from a performance perspective, as they retrieve all the fields from a particular record when only one value may be needed. To avoid performance issues, you should consider using the g_scratchpad object where possible.

 

What is the g_scratchpad object?
The g_scratchpad object is a simple way of pre-fetching values that are needed on a form. Avoid making additional server calls from the client by anticipating the need for information ahead of time.

 

g_scratchpad
Using the g_scratchpad object is easy.

 

The scratchpad is whatever you need it to be. You define the keys and values you want. Simply load up the g_scratchpad object with whatever information is needed by the form, and then refer to it from the form using Client Scripts.

 

Here’s an example from the ServiceNow Wiki.

Display business rule
g_scratchpad.instanceName = gs.getProperty('instance.system.property');
g_scratchpad.hasAttachments = current.hasAttachments();
g_scratchpad.createdBy = current.sys_created_by;

You can then use this information in your client script without the need for an ajax call.

Client Script
// Check if the form has attachments
if (g_scratchpad.hasAttachments)
// do something interesting here

// Check if this is TEST instance
if (g_scratchpad.instanceName == ‘TEST’)
g_form.setDisplay('test_field', true);

Sometimes, GlideAjax or other methods will be required when information is needed dynamically, but you should carefully consider whether the g_scratchpad can be used before looking at other approaches. JDS recommends developers consult ServiceNow’s own Client Script Best Practices article for more information on this topic.

Why performance test ServiceNow?
When dealing with custom business logic, performance testing ServiceNow can be extremely beneficial. In past performance tests JDS has completed for various multinational companies, JDS has discovered database issues, slow responses for certain forms and also discovered that users from different locations around the world could have an impact in response times. Finding database issues and slow response times prior to going live has allowed these companies to address the problems before launch, helping them achieve their goals of streamlining business processes rather than causing more frustration for employees.

Performance is an important part of the user experience, and is key to ensuring the uptake of ServiceNow within your organisation.

Tech tips from JDS