Blog - CREST
https://www.crest-approved.org/knowledge-hub/blog/
CREST is an international not-for-profit, membership body representing the global cyber security industry.
Feed last updated: Fri, 10 Nov 2023 10:28:55 +0000

https://www.crest-approved.org/crest-backs-nonprofit-cybers-world-more-than-a-password-day/
CREST backs Nonprofit Cyber’s “World More Than A Password Day”

10 November 2023

“World More Than A Password Day,” which was recently announced by Nonprofit Cyber, encourages stronger online security and aims to help individuals and organisations to get it right by giving them practical guidance. At CREST we are delighted to be a part of this important initiative as one of Nonprofit Cyber’s coalition of cyber security non-profits, and alongside the 90 other organisations that have endorsed it.

But what’s wrong with passwords?

To put it simply, passwords are not secure because they can be guessed, stolen, or broken.

For example:

• People often use the same password for more than one service. If one account is hacked, this puts other accounts at risk too. For example, LastPass’s 2022 study on the psychology of passwords says that 62% of people use the same passwords more than once.

• People share passwords with each other all the time. This means that a business doesn’t know who can access what.

• Hackers can use brute force or guess weak passwords.

• Phishing emails and fake websites can be used to get people to give away their passwords.

• Keylogger software can get your passwords.

• Public Wi-Fi can be used to steal passwords.

Potentially the biggest problem with passwords is that while most people know they should use stronger passwords and not repeat passwords, they still all too often choose something that is easy to remember. The LastPass study also found that only 12% of people actually use different passwords for each account, even though 89% of those who answered said they knew that using the same or a similar password is risky. This big gap shows that being aware doesn’t always mean taking action, which is why this project is so important.

Why is stronger authentication needed?

There is no question that stronger authentication than passwords is needed in many cases, such as Banking Apps or access to corporate resources.

“World More Than A Password Day” wants to do more than just raise awareness of the cyber risk associated with poor password habits. It also wants to give advice that really inspires people to take action.

When a staggering 80% of data leaks are thought to be caused by weak or lost passwords, passwords that don’t change and are easy to crack are simply not enough. What is needed is stronger authentication methods than just passwords. And the change needs to happen now.

Only 2.6% of X users use MFA on their accounts, and almost half of all businesses don’t use it. And with so much of all of our personal and work lives online, this lack of authentication is a big concern.

Get help with your passwords

Nonprofit Cyber has put out Protecting Your Accounts and Devices: Common Guidance on Passwords as part of the first “World More Than A Password Day”.

This complete guide gives people and small businesses simple steps they can take to stay safe online.

90 organisations from around the world, including CREST and the other organisations that are part of the Nonprofit Cyber alliance, have provided input to and endorsed this advice.

Key parts of the guidance

  • Use Password-Free Authentication: opt for password-free (passwordless) authentication, such as passkeys. Passkeys are not only simpler to use but also more secure than traditional passwords.
  • Secure Your Email Account: If using password authentication for email accounts, use a very strong password and multi-factor authentication.
  • Add an Extra Layer of Security: Employ a hardware security key, authenticator app, or PIN via SMS as a “second factor” in addition to your password.
  • Use a Password Manager: A password manager can help you create and store strong passwords for all your online accounts.
  • Use Recommended Techniques to Pick Passwords: Select strong and memorable passwords through techniques like passphrases or the “Three Random Words” method.
  • If You Are Hacked: Promptly change passwords if any of your devices are compromised or if an online service you use is hacked. Avoid reusing passwords and consider subscribing to services like https://haveibeenpwned.com/.

Get involved in the global movement

As part of this worldwide event, “World More Than A Password Day”, we are urging individuals and businesses to use our guidance to make their online accounts and devices safer. Promoting awareness, holding regular membership or stakeholder interactions, and adopting enhanced authentication techniques are examples of ways you can get involved.

Join #MoreThanAPasswordDay and help to redefine online security for a safer digital world.

https://www.crest-approved.org/a-cyber-buyers-guide-to-vulnerability-assessment-and-penetration-testing-part-1/

A cyber buyer’s guide to Vulnerability Assessment and Penetration Testing: part 1

5 September 2023
Tom Wedgbury, Boglarka Ronto, Abhijeet Udas, Abartan Dhakal and Miguel Marques.

Written in conjunction with the CREST Penetration Testing Focus Group Sub-Committee, this article is the first in a series of posts that take a deep dive into the disciplines of Vulnerability Assessment and Penetration Testing.

Vulnerability Assessment and Penetration Testing are both important tools for organisations to gain assurance of security within their environment. These terms are often used interchangeably; however, they are not the same thing. It is critical that organisations understand that these tests provide different levels of assurance and that both have a place in an organisation’s security roadmap, but for different reasons.

In this article, we explore the differences between Vulnerability Assessment and Penetration Testing, irrespective of geographical or regional differences in nomenclature. We hope that this will allow organisations to make more informed decisions about which cyber security services are most suitable for their requirements.

What is a Vulnerability Assessment? 

Vulnerability Assessment (VA) involves the use of automated techniques to map, scan, and identify security vulnerabilities within an environment. This is used to determine how susceptible the environment is to known and published vulnerabilities to give an overall view of its security posture. 

Automated tools such as vulnerability scanners are used to target internal or external networks, hosts, servers, applications, or wireless networks, amongst others. Often vulnerability assessments are conducted on a continuous and repeatable basis, e.g. daily, weekly, or monthly, to generate a report indicating risk exposure over time. Vulnerability scanners rely on using up-to-date plugins / datasets from the vendor for the identification of the latest vulnerabilities. The phases of a vulnerability assessment may vary depending on the delivering organisation and requirements. A typical engagement may look as follows:

1. Asset Discovery 
2. Vulnerability Assessment 
3. Result Analysis 
4. Reporting (Presentation of Findings)

What is a Penetration Test? 

Penetration Testing involves a combination of automated and manual techniques to identify and exploit known and unknown vulnerabilities within an environment, in addition to weaknesses or gaps in policy controls. This is more rigorous and intrusive than a vulnerability assessment and involves human interaction against the target scope. Testing is typically performed less frequently than a Vulnerability Assessment, often on an ad hoc, release or regulation driven, or annual basis, and scope may be narrower.

A penetration test also considers context when attempting to find or exploit vulnerabilities. For example, during a penetration test, an open file share could be explored for files containing passwords, and these passwords used against the environment to gain additional access. Another example could be taking advantage of a weakness and using the access gained to exploit trust relationships that other systems might have with the compromised system.

There are many variations of penetration testing and systems that can be targeted. This includes but is not limited to Web Applications, External Infrastructure, Internal Infrastructure, Cloud, Mobile, and IoT. It may also extend to Physical Security or Social Engineering.

Although many CREST member companies adopt the CREST Defensible Penetration Testing (CDPT) standard, the testing methodology varies between vendors. A typical penetration testing engagement may be delivered as follows:

1. Reconnaissance 
2. Vulnerability Analysis 
3. Exploitation 
4. Post Exploitation 
5. Reporting (Business Impact Analysis)

You can find out more about what makes a good pentest in the latest CREST Pentest Panel Session in this short video.

It is also important not to confuse typical Penetration Testing with Red Teaming, also known as Intelligence Led Penetration Testing. Where Red Teaming differs is that it mimics a real-world threat actor, using realistic tactics and techniques based on threat intelligence. The aim is to achieve a specific objective, testing an organisation’s ability to prevent, detect, and most importantly respond to attacks, rather than identifying and exploiting all vulnerabilities within a given environment.

Key differences at a glance:

Vulnerability Assessment                                                  | Penetration Testing
--------------------------------------------------------------------------|--------------------------------------------------------------------------------------
Focuses on identifying vulnerabilities                                    | Focuses on exploiting vulnerabilities
Largely automated                                                         | Often a hybrid approach using automated tools complemented with manual testing
Conducted on a regular, repeatable basis                                  | Often conducted annually or on an ad hoc basis
Wide scope                                                                | Narrow, focused scope
Provides a quantifiable outcome on the security posture of a given scope  | Provides an understanding of how the identified vulnerabilities impact the organisation and scope

In conclusion, Vulnerability Assessment and Penetration Testing are both crucial components of a comprehensive cybersecurity strategy. These types of assessments complement each other, but ultimately serve different purposes and are applicable to different aspects of a product lifecycle.

We hope that you have found this article useful and invite you to keep an eye out for part 2, where we will expand on this to consider outliers and regional differences in terminology you might encounter when procuring Vulnerability Assessment and Penetration Testing services.

About the authors

Tom Wedgbury, Managing Senior Security Consultant at LRQA Nettitude.

Tom leads a team of pentesters at LRQA Nettitude, a CREST member company and award-winning global provider of cybersecurity services.

Prior to moving into cybersecurity Tom started his career as a software developer, creating software and hardware solutions for collecting and analysing telecommunications data. As a result, he now specialises in application security, delivering penetration testing, source code review, and S-SDLC training across the industry.

Boglarka Ronto, Cyber Practice Lead at Resillion.

In her early career as a UNIX administrator, Boglarka realised how poorly understood cyber security was. This sparked a lifelong passion for the security industry, initially as a mentor and lecturer to IT and OT professionals, and later as a security tester and business leader.

As a female in cyber she is an advocate for the role of diverse groups in cyber, especially supporting those with early interest striving to enter the industry. Boglarka continues to promote the Penetration Testing Discipline of CREST globally, and regularly presents to and liaises with cyber professionals and industry bodies.

She leads the Cyber Practice for Resillion, an organisation with a focus on delivering quality in engineering, testing and assurance services.

Abhijeet Udas, Executive Principal Consultant at NCC Group and CREST Fellow.

Abhijeet is an accomplished and driven IT Security Consultant with extensive expertise and experience across the globe in the field. He has consistently demonstrated his dedication to IT security and his ability to deliver high-quality solutions and outcomes for clients across different industries.

Abartan Dhakal, Lead Penetration Tester at StickmanCyber.

Miguel Marques, Offensive Security Team Leader at Quorum Cyber.
