Why Penetration Testing

Why penetration testing is so important

With the recent enactment of Australia’s data breach notification laws, there’s no better time to prioritise cyber security. Failure to notify customers and the public of data breaches could cost corporations up to $1.8 million in fines. There are, however, even better reasons to make security a frequent topic of discussion in the boardroom.

Consider everything that’s stored in your company’s hardware and software. Would your data be of use to competitors? Would your company survive if sensitive information were taken hostage by a cyber criminal and held for ransom? Would a cyber attack bring to light facts that could damage your professional reputation? Could you continue to do business if your website were paralysed?

Cyber attacks are getting more and more complex, so you need all the help you can get. It’s no longer enough to put security tools in place and cross your fingers. Lax practices and human error can expose even the most sophisticated systems to breaches. Unless an attacker brags publicly about the crime, a breach can go undetected for months.

The best way to be proactive against the threat of a cyber attack is to invest in penetration testing. No security system is guaranteed to be impenetrable, but yours should be daunting enough to send hackers scrambling for an easier target.

Why you need penetration testing

Penetration testing, also called pen testing, looks deeply into your business to see how vulnerable it is to hackers. It goes far beyond ordinary security assessments or compliance audits. Here are some of the ways that pen testing stands apart:

  • It doesn’t merely expose weaknesses; it simulates real-world attacks to show how your sensitive data, business systems, financial assets and employees would fare in the event of the real thing.
  • It tests your system’s ability to detect breaches, whether internal or external, when they occur.
  • Although some functions may be automated, pen testing relies heavily on skilled, experienced professionals who are able to analyse systems in the same way that hackers would. Many, in fact, are certified ethical hackers. It takes one to know one.
  • Cyber criminals rarely target individual security tools. Instead, they look for gaps between tools that don’t work especially well together. An in-depth pen test uncovers these gaps.
  • It is completely unbiased. Sometimes, a fresh set of eyes reveals vulnerabilities that were overlooked.
  • It ensures that your company is in full compliance with the new data breach notification law.

How it works

Pen testers, using both software applications and manual methods, start by doing a little reconnaissance. They gather information about your business from the perspective of a hacker sizing up a potential target. They then identify vulnerable entry points. Finally, they attempt to break into your system, and they report back to you how successful they were. Remember that pen testers are the good guys. These types of attacks, sometimes called “white-hat” attacks, are highly educational.

After a thorough discussion of your needs and concerns, the testers will decide on the best approach, which could include any or a combination of the following:

  • In targeted testing, your information technology team and the pen testers work together to conduct experiments and analyse the results.
  • In external testing, attempts are made to hack into visible entities such as web servers, email servers and domain name servers. The goal is to find out if these entities are prone to external attacks. External tests also reveal how deeply a hacker could penetrate your system after gaining access to it.
  • The objective of internal testing is to find gaps behind your firewall. Testers are given the same authorisation and levels of access that employees have. If there are weaknesses that would allow unauthorised access to data, this test will expose them. Compromised or disgruntled individuals within a company are just as dangerous as external hackers.
  • Some businesses request blind testing. This strategy forces pen testers to proceed with very little information about the company they are testing. For example, they might be provided with only the company’s name. The more information that they can unearth about the company, the greater its security risks.
  • Double-blind testing is even more exhaustive. With the exception of one or two individuals, no one is told that a test is being conducted. This type of test has the most unbiased results, so it’s highly useful for evaluating security awareness and response protocols.

Putting test results to good use

You may find that your security policies and procedures are in dire need of streamlining or a complete overhaul. Have you identified the role that each staff member would play in the event of an emergency? Have you established channels of communication and a chain of command? Do your employees have the appropriate level of security awareness? Pen testing highlights areas in which improvement is needed.

Analysing pen test results will help your IT staff address your risks in order of importance. Results will also indicate how quickly and efficiently your IT team could respond to an attack.

You can also find out just how cost-effective your security tools are. State-of-the-art security tools are outrageously expensive. Pen testing will help you determine each security tool’s value. If you’re not getting a bang for your buck, you’ll find out in short order. Testers can also advise you about good tools that just need a little bolstering.

How often pen tests should be conducted

This depends on how attractive your business is to hackers, but ongoing testing is the most effective. Frequent updates and patches may address existing vulnerabilities, but they also introduce new ones. Every time you deploy a new app, modify your infrastructure or introduce a new cloud service, you’re inviting security issues that even your brightest IT employee might overlook.

A single hacker could put you out of commission for an hour or put you out of business for good. With so much at stake, it makes good business sense to invest in ongoing penetration testing.

Regular penetration testing is something we can help you with. Here’s more information on Stickman Consulting’s penetration testing services. And if you’d just like to know more, or need clarification of any sort, contact us here with any questions.

Clifford Fernandes

Clifford Fernandes is a certified ethical hacker who has executed over 100 vulnerability assessments and penetration testing projects. As our National Assurance Manager he specialises in identifying security risks in networks, web and mobile applications.
