Privacy from a pentester’s perspective


December 15, 2024

Introduction

Traditional penetration testing is associated with technical exploits, unintended code execution, and the discovery of new vulnerabilities. Clients hire penetration testers to identify flaws in their systems, and receive a report containing a list of findings ranked on a severity scale. In the Common Vulnerability Scoring System (CVSS), the base score is derived from exploitability metrics (how easily the flaw can be reached and triggered) and from the impact on confidentiality, integrity and availability; additional metrics such as report confidence can then adjust that score.

Mismanaged or exposed data can impact an organization significantly. Deletion or modification of business-critical data can lead to downtime and major operational setbacks. Mature backup routines help to mitigate threats to the I (Integrity) and A (Availability) of the CIA triad, but they do nothing for the C (Confidentiality): once data has been copied out, no restore brings it back.

The confidentiality of data has become an important concern for many organizations as regulatory requirements continue to increase. Organizations that do business in the EU/EEA are required to follow regulatory frameworks such as the General Data Protection Regulation (GDPR), the NIS Directives and more sector-specific regulations such as DORA for the financial sector.

Whereas GDPR is centered on the processing of personal data, the NIS Directives apply to entities that provide essential or important services to the European economy and society, including their suppliers. Breaches of such regulatory frameworks can lead both to severe fines and to loss of public and client trust, which could endanger the organization’s ability to operate.

Introduction: GDPR fines

The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. (https://gdpr.eu/fines/)

A penetration test can bring a lot of value in identifying data processing that violates internal policies and regulatory requirements. Findings relating to exposed customer data are received very well by clients, and are often a clearer indicator of risk for a system owner or executive than a technical vulnerability is. Different penetration test perspectives highlight different types of privacy-related risk, which I will expand upon below.

Internet-facing perspective

Internet-facing services such as web applications are usually reachable by anyone on the internet. Applications that contain sensitive data rely on strong authentication and authorization to keep that data away from unauthenticated visitors, and from authenticated users who are not entitled to it.

The number one category in the 2021 version of the OWASP Top 10 was Broken Access Control, and with good reason. Failing to consistently apply access control in an application can expose users’ personal data for the entire world to see. It could also enable attackers to compromise other users’ accounts, leading to impersonation and, in some cases, elevation of privilege within the application.
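The most common form of this finding is an endpoint that checks that the caller is logged in but never checks that the requested object belongs to the caller. The example below is added here and is not code from the original post: it models a profile endpoint in both its vulnerable and its fixed form, and an authorization-matrix audit that exercises every (user, object) pair against the intended policy, which is how a tester demonstrates that access control is applied consistently rather than by spot-checking one request. All users, records and handler names are constructed for illustration.

```python
"""Authorization-matrix check for object-level access control.

Added example, not code from the original post. The users, profile records
and handlers below are constructed for illustration only.
"""

# Constructed sample data: two ordinary users who each own one profile,
# and a support user whose role legitimately allows reading any profile.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "support"},
}
PROFILES = {
    1: {"owner": "alice", "email": "alice@example.com", "phone": "+47 12 34 56 78"},
    2: {"owner": "bob", "email": "bob@example.com", "phone": "+47 87 65 43 21"},
}


class Forbidden(Exception):
    """Stands in for an HTTP 401/403 response."""


def get_profile_vulnerable(session_user, profile_id):
    """Authenticates but never authorizes: any logged-in user can read any
    profile simply by changing the id in the request (an IDOR)."""
    if session_user not in USERS:
        raise Forbidden("not authenticated")
    return PROFILES[profile_id]  # an unknown id raises KeyError, i.e. a 500


def get_profile_fixed(session_user, profile_id):
    """Deny by default; return the record only on an explicit grant."""
    if session_user not in USERS:
        raise Forbidden("not authenticated")
    record = PROFILES.get(profile_id)
    if record is None:
        # Same outcome as a denial, so an attacker cannot enumerate valid ids
        # by telling 'does not exist' apart from 'not yours'.
        raise Forbidden("access denied")
    if record["owner"] == session_user or USERS[session_user]["role"] == "support":
        return record
    raise Forbidden("access denied")


def expected_access(user, profile_id):
    """The intended policy, written separately from the handlers so the two
    can be compared. This is what the tester agrees with the client up front."""
    record = PROFILES.get(profile_id)
    if record is None:
        return False
    return record["owner"] == user or USERS[user]["role"] == "support"


def audit(handler):
    """Exercise every (user, object) pair, including a non-existent id, and
    return the pairs where the handler disagrees with the intended policy."""
    violations = []
    for user in USERS:
        for profile_id in list(PROFILES) + [999]:
            try:
                handler(user, profile_id)
                allowed = True
            except (Forbidden, KeyError):
                allowed = False
            if allowed != expected_access(user, profile_id):
                violations.append((user, profile_id))
    return violations


if __name__ == "__main__":
    # Vulnerable handler: alice can read bob's profile and vice versa.
    print("vulnerable:", audit(get_profile_vulnerable))
    print("fixed:", audit(get_profile_fixed))
```

The audit reports two horizontal violations for the vulnerable handler (alice reading profile 2, bob reading profile 1) and none for the fixed one. On a real engagement the policy function is replaced by the client's documented role model, and the matrix is run with one session per role; every cell that disagrees with the documented model is a finding, whether it is a leak of personal data or an unexpected denial.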

Penetration testing is an effective means of uncovering privacy issues in internet-facing applications, whether the issue is caused by technical vulnerabilities or by misconfigured access control.

Internet-facing perspective: Attack surface

Post-breach perspective

Internal zero trust is a stretch goal for many organizations: granting access to resources and information based strictly on what an identity actually needs reduces the risk from both external breaches and malicious insiders, at the cost of increased administrative effort. Widespread access to information that employees are not authorized to see, such as sensitive HR documents, could lead to significant fines if reported to the supervisory authorities.

Many well-established organizations’ internal IT environments have undergone a lot of changes since their initial implementation, accumulating unintended permissions and insecure configurations over time. Some environments have grown so large and complex that it has become nearly impossible for IT staff to properly govern the accounts and permissions within them.

Common issues include file storage locations with overly permissive permissions, such as network shares, SharePoint sites and OneDrive folders shared more broadly than intended, as well as anonymous login to services like FTP.

Data misplacement and secrets such as passwords stored in files are also common findings in many penetration test reports. Such issues can be very pervasive in large, complicated environments, and are at times very difficult for IT staff to detect.
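Once a tester has read access to a broad share, the practical question is how to find the secrets in it without dragging the secrets themselves into the report. The script below is an added example and not the original post's tooling: it walks a file tree, matches the patterns that most often turn up on misplaced IT shares (PEM private keys, connection strings, and password or token assignments in scripts and config files), and reports each hit with the value redacted. The sample "share" is constructed in a temporary directory; every path, file name and credential in it is made up. It covers the secrets-in-files finding from the paragraph above only; which accounts can reach the share is a separate ACL review (on Windows, for instance, Get-SmbShareAccess).

```python
"""Scan a file tree for plaintext secrets and report them redacted.

Added example, not code from the original post. The sample 'share' is
constructed in a temporary directory; the paths and secrets are made up.
"""
import re
import tempfile
from pathlib import Path

# Patterns, tried in this order, for what usually turns up on misplaced IT
# shares: PEM key material, connection strings, and key=value assignments
# in scripts, config files and 'passwords.txt'.
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection_string", re.compile(r"(?i)\b(?:Password|Pwd)=([^;\s]+)")),
    ("password_assignment", re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?([^\s'\"]{4,})")),
]
# Only text-like files are read; binaries and archives need other tooling.
TEXT_EXTENSIONS = {".txt", ".ps1", ".bat", ".cmd", ".config", ".ini", ".xml",
                   ".json", ".yml", ".yaml", ".env", ".pem", ".key", ".sh"}
MAX_BYTES = 2 * 1024 * 1024


def redact(value):
    """Keep two characters so the finding is verifiable, without copying the
    secret itself into a report that will be mailed around."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_file(path):
    findings = []
    try:
        if path.stat().st_size > MAX_BYTES:
            return findings
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        # Access denied or locked: the ACL did its job here; just move on.
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                value = redact(match.group(1)) if match.groups() else "(key material, not copied)"
                findings.append({"file": str(path), "line": lineno,
                                 "type": name, "value": value})
                break  # one finding per line is enough for triage
    return findings


def scan_tree(root):
    root = Path(root)
    return [finding for path in sorted(root.rglob("*"))
            if path.is_file() and path.suffix.lower() in TEXT_EXTENSIONS
            for finding in scan_file(path)]


def build_sample_share():
    """Constructed sample data imitating a badly governed IT share."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "IT").mkdir()
    (root / "HR").mkdir()
    (root / "IT" / "deploy.ps1").write_text('$Password = "Winter2024!"\n', encoding="utf-8")
    (root / "IT" / "web.config").write_text(
        '<add name="crm" connectionString="Server=sql01;Database=crm;User Id=sa;Password=P@ssw0rd;" />\n',
        encoding="utf-8")
    (root / "HR" / "passwords.txt").write_text("VPN password: Summer2023\n", encoding="utf-8")
    (root / "HR" / "backup.key").write_text(
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
        encoding="utf-8")
    # Prose that mentions passwords without containing one: must not match.
    (root / "readme.txt").write_text("Remember to set a strong password for every account.\n",
                                     encoding="utf-8")
    # Misplaced personal data in a binary format: not a secret, not scanned.
    (root / "HR" / "salaries.xlsx").write_bytes(b"PK\x03\x04 not a real workbook")
    return root


def run_demo():
    """Build the constructed share, scan it and return the redacted findings."""
    return scan_tree(build_sample_share())


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['file']}:{finding['line']} {finding['type']} {finding['value']}")
```

Against the constructed share this yields four findings (the PowerShell password, the connection string, the VPN password and the private key) and correctly ignores the readme. Two caveats apply on a real engagement: keyword patterns produce false positives (documentation, variable names), so every hit is triaged by hand before it reaches the report; and misplaced personal data, such as the salaries workbook above, is a separate finding that no secret scanner will surface, which is why a tester still has to look at what a share contains, not only at what it leaks.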

Authenticated penetration tests of both cloud environments and on-premises networks are an effective tool for identifying risks associated with access control and deviations from best practices.

Post-breach perspective: Internal systems

Conclusion

Privacy is a major concern for most businesses today, as failure to safeguard regulated data or intellectual property can have a significant impact on business operations. It is therefore essential that penetration testers understand the business context of the access they obtain to systems, so that overly permissive access to sensitive data is reported to their clients.

Identifying a severe privacy breach can help clients understand weaknesses in their data policies, and discrepancies between formalized policy documents and actual practice in their organization.

Conclusion: Overview