Ready for a job in Cyber Security?

Pentesting, LLM Risks, Latest Hacks & Top Cloud Threats

Good morning!

In today’s lineup:

  • Does Pentesting have a future?

  • OWASP Top 10 security risks for LLM applications

  • Hack breakdowns - Okta and SolarWinds

  • Recommended reading - Top Threats to Cloud Computing

  • PLUS, cyber security career advice for those starting out!

What does the future look like for Pentesting?

I read an interesting post this week, framing Pentesting as the dinosaur that just can't outrun the asteroid.

Here’s the position:

  1. Alternative testing options are booming. In 2020, Verified Market Research® forecast that the Dynamic Application Security Testing (DAST) market would overtake the Penetration Testing Market by 2028. We’re witnessing innovations in App Security Posture Management (ASPM) and Interactive Application Security Testing (IAST), making testing more affordable / accessible.

  2. Pentesting offerings have stagnated. Many dedicated Pentesting services are fancy portals with a bunch of consultants / testers behind them. For a large volume of common findings, scanners can do the same if not more than an experienced tester – quicker and cheaper.

  3. Pentesting services need innovation. SAST and TDD are being integrated into CI/CD pipelines meaning customers are increasingly catching the low hanging fruit before it even gets to testers. That’s not to mention the implications of LLMs.

Pentesting isn’t going anywhere as it offers a wide range of testing services not rivalled by the latest tools / solutions. But aspects of its offering are being addressed, which begs the question, what does the future look like for pentesting services?

Leaders in this domain must re-design their approach and innovate, or risk partial displacement.

OWASP Top 10 for LLM Applications

I’ve spoken a lot about LLMs; it’s hype season, and I don’t expect developments in this arena to slow down any time soon.

OWASP has released its top 10 security risks for LLM applications:

  • LLM01: Prompt Injection - Manipulating LLMs via crafted inputs can lead to unauthorized access, data breaches, and compromised decision-making.

  • LLM02: Insecure Output Handling - Neglecting to validate LLM outputs may lead to downstream security exploits, including code execution that compromises systems and exposes data.

  • LLM03: Training Data Poisoning - Tampered training data can impair LLM models leading to responses that may compromise security, accuracy, or ethical behavior.

  • LLM04: Model Denial of Service - Overloading LLMs with resource-heavy operations can cause service disruptions and increased costs.

  • LLM05: Supply Chain Vulnerabilities - Depending upon compromised components, services or datasets undermines system integrity, causing data breaches and system failures.

  • LLM06: Sensitive Information Disclosure - Failure to protect against disclosure of sensitive information in LLM outputs can result in legal consequences or a loss of competitive advantage.

  • LLM07: Insecure Plugin Design - LLM plugins processing untrusted inputs and having insufficient access control risk severe exploits like remote code execution.

  • LLM08: Excessive Agency - Granting LLMs unchecked autonomy to take action can lead to unintended consequences, jeopardizing reliability, privacy, and trust.

  • LLM09: Overreliance - Failing to critically assess LLM outputs can lead to compromised decision making, security vulnerabilities, and legal liabilities.

  • LLM10: Model Theft - Unauthorised access to proprietary large language models risks theft, loss of competitive advantage, and dissemination of sensitive information.

Read more here.

Another Okta Hack

Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit.

Here’s what you need to know:

  • Okta says the incident affected a “very small number” of customers. However, it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.

  • The Okta share price has taken a big hit, providing us with a great case study to show our boards what can happen when companies experience a substantial hack – not to mention compromised trust, reputation and business.

  • The attack was discovered by Cloudflare on 18 October 2023 and traced to Okta; it follows a previous attack on Okta’s infrastructure. It involved a valid authentication token being generated by adversaries, which they then used to pivot onto Cloudflare’s Okta instance. Luckily, Cloudflare was able to isolate it and stop the attack from going any further.

  • If it had been successful, the adversary could have gained access to the authentication tokens used by Okta and leveraged them to get onto the Cloudflare infrastructure. This includes the usage of hard tokens for multi-factor authentication.

  • With Cloudflare’s Zero Trust architecture, the threat was easily detected and contained. For Okta, though, the details are worse: the adversary managed to hijack a session support ticket from Cloudflare. They then gained access to Okta’s customer support system and were able to access customer-sourced files. Luckily, Cloudflare detected these accesses.

  • As for Okta’s customers, it is recommended that they enable MFA (Multi-factor Authentication) and do not just use hard keys to authenticate onto systems and that every suspicious access is logged and investigated. It is also recommended that key access passwords be changed.

SolarWinds Strike Again

Security researchers found three critical remote code execution vulnerabilities in the SolarWinds Access Rights Manager (ARM) product that remote attackers could use to run code with SYSTEM privileges.

  1. CVE-2023-35182 (9.8 severity): Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to the deserialization of untrusted data in the ‘createGlobalServerChannelInternal’ method

  2. CVE-2023-35185 (9.8 severity): Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM due to a lack of validation of user-supplied paths in the ‘OpenFile’ method

  3. CVE-2023-35187 (9.8 severity): Remote unauthenticated attackers can execute arbitrary code in the context of SYSTEM without authentication due to lack of validation of user-supplied paths in the ‘OpenClientUpdateFile’ method

Executing code in the context of “SYSTEM” on Windows computers means that it runs with the highest privileges on the machine.

It is worth noting that the company did not rate any of the security issues as critical and the highest rating is 8.8, for high-severity issues.
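Two of the three CVEs above come down to a server acting on a client-supplied file path without validating it. As an added illustration (this is not SolarWinds code and does not come from the advisories), the Python example below shows the kind of server-side check whose absence those descriptions point to; `resolve_inside`, the `updates` directory and the file names are hypothetical and the inputs are constructed.

```python
import os
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """A client-supplied path would leave the permitted directory."""


def resolve_inside(base_dir, user_path):
    """Return the real path of user_path under base_dir, or raise PathRejected."""
    if not user_path or "\x00" in user_path:
        raise PathRejected("empty path or embedded NUL")
    # Treat Windows separators as separators on every platform (demo assumption).
    user_path = user_path.replace("\\", "/")
    base = Path(base_dir).resolve(strict=True)
    # An absolute user_path replaces base when joined, so the check runs on
    # the resolved result (".." collapsed, symlinks followed), not the input.
    candidate = (base / user_path).resolve(strict=False)
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathRejected(f"{user_path!r} resolves outside {base}") from None
    return candidate


def demo():
    """Run constructed requests against a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = Path(root, "updates")          # hypothetical permitted directory
        base.mkdir()
        (base / "client.msi").write_text("constructed sample")
        outside = Path(root, "secret.txt")    # must never be reachable
        outside.write_text("constructed sample")
        os.symlink(outside, base / "link")    # symlink that escapes base
        cases = {"plain": "client.msi", "dotdot_inside": "sub/../client.msi",
                 "traversal": "../secret.txt", "backslash": "..\\secret.txt",
                 "absolute": str(outside), "symlink": "link"}
        for label, requested in cases.items():
            try:
                resolve_inside(base, requested)
                results[label] = "allowed"
            except PathRejected:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14} {verdict}")
```

The check and the later file open are separate steps, so a service should open the returned path directly instead of resolving the client string a second time.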

Read more here.

Top Threats to Cloud Computing - This report provides case study analyses for last year’s The Egregious 11: Top Threats to Cloud Computing and a relative security industry breach analysis.

Using nine actual attacks and breaches, including a major financial services company, a leading enterprise video communications firm, and a multinational grocery chain for its foundation, the paper connects the dots between the CSA Top Threats in terms of security analysis.

Are you ready for a job in cyber security?

I get messages every week from people wanting to know if they can:

  • Get into cyber without a degree

  • Get into cyber living in a specific country

  • Get into cyber via remote work

  • Get into a specific role with a certain background

Here is my advice:

  1. Reverse engineer job specs and build a roadmap – each requirement you can meet on a job spec opens the door up a tiny bit. The more you align with the spec, the wider the door opens. You can certainly get an interview with 50-70% of the requirements, but it doesn’t guarantee you’ll get it, even if you had 100% alignment.

  2. Lengthen your time horizon and remove expectations - People want quick results. They want to take a 2-week course and start applying for jobs – would you hire you? Take the pressure off yourself and focus on the learning journey. The more time you commit to training and development, the greater resource you become, the wider the door swings open for a role!

  3. Start small - Find joy / an area of interest and just dive in / immerse yourself. If you rush a course and are stressed / worried, you’re not going to enjoy the journey. You’ll become disinterested in security and forget why you started. Stop thinking about the job. Focus on the expertise and you’ll become undeniable.

  4. Don’t get caught up trying to look like an expert – people want to create cyber content without doing the work and getting the experience first. I encourage everyone to document their learning journey. It promotes reflection, enhances learning and is REAL. But, if you’re <6 months in, you’re in no position to be preaching about how security MUST be done… you’ve never really done it and that’s ok.

Regardless of your education, location, ambitions, or target role, it’s all possible with the right focus on training and development, a sensible time horizon to get there, and a genuine interest in what you’re doing.

Perspective

If you ever feel like you’re not progressing fast enough, just zoom out – you’re doing fine and are right on time.

Visual by Visually Needed on Instagram