The process of shoring up company networks is becoming more complicated as security threats change and evolve. With this in mind, security specialists recommend placing more emphasis on penetration testing as a means of guarding against socially engineered attacks.

“In particular, we’re seeing real value in combining different kinds of penetration testing. Traditionally you have web application pen testing, network pen testing and wireless pen testing but we have seen a lot more value from not testing in silo, so to speak, but instead in combining the tests,” said Calum Mackenzie. 

The goal of this combined testing methodology is to help guard companies against socially engineered threats. “In the past, these were kind of sidelined and were sometimes seen as an add-on by customers, but really this is the number one way bad guys break into organisations. Hackers are not that likely to come up with some super-duper new way to bypass a firewall or a previously unknown zero day exploit,” said Mackenzie. 

“They’re much more likely to be successful in attacking your network if they rely on your users not really being clued up in terms of security. It is worth highlighting that as a security risk and so instead of just doing a network pen test, we prefer to talk to our customers about social engineering and why it is valuable to include that in your pen tests.” 

According to Mackenzie, this is an important aspect of protecting a company’s business interests. “And really that is what it is all about. It’s not about just doing a pen test and saying ‘section 1A is good, section A2 is bad’, it’s about looking at the end-to-end picture. Certainly if I had a business, I would want to hire someone to really attack my systems and find all and any weak points so they could be shored up,” he said. 

“An attacker isn’t going to approach an organisation, try their web app and then go away – they will try everything and then pick the easiest way in. They don’t want to have to work hard – it’s not like in the movies. They want to find the easiest way in and if that is sending a phishing email to get a user to click on a link and install some malware without them knowing about it, then that is what they are going to do.” 

Guarding against socially engineered attacks can’t be left to the end of a project. It needs to be integrated into any penetration testing from the beginning. 

“Integrating the social engineering aspect and making it a more real-life test really opens people’s eyes and then it is no longer seen as an add-on exercise. It has been pushed more into the spotlight.”

This article is courtesy of The Sunday Business Post