June 2016
Digital security today involves multiple elements, from anti-malware and firewall technology to email and attachment filtering to strong encryption. But in addition to investing in the appropriate technology to take all such precautions, any organisation has to test and assess its potential vulnerability. Like everything else in security, it should be done regularly and thoroughly.
Another key factor, all too often overlooked, is that the investment in security and its management should reflect the value of the organisation's assets and how likely it is to be targeted. That extends from simple anti-malware installation and regular patching to a full internal security department and the engagement of expert external consultants. Financial businesses are obvious targets, but in fact any organisation that handles online payments can be hit, both for direct theft of funds and for access to its customers' bank and card accounts and other personal data.
So any business has to assess its position and review its potential vulnerability. Larger organisations with public visibility need to do that formally and intensively, as does any online business. They also need penetration testing. This is where experts perform targeted attacks, simulating what could happen in the real and criminal world. We utilise the experience and technical skills of our team—and a good deal of ingenuity—to test networks, servers and security systems.
The point is that a vulnerability scan only lists weaknesses that might be exploitable. A penetration test goes further: it exploits and chains those weaknesses to demonstrate what could actually happen, such as staff credentials being stolen, illicit money transfers, identity theft, or customer card data or personal information being exposed. With the advance consent of the client, we can even go so far as to carry out a sample breach as part of the test. The objective is always to uncover real business risk for the client so that the proper action can be taken.
When we talk to clients about penetration testing, it is somewhat alarming how many of them do not grasp that a strong perimeter does not make them secure. The internal network and the user-facing parts of the security ecosystem are more often than not overlooked, which is worrying because this is exactly what attackers are leveraging to get in. Phishing and malware delivered through the web and email are all too common examples that let attackers work from the inside out. A backdoor that connects out from a compromised workstation to the attacker bypasses most perimeter defences, because the firewall sees a connection initiated from inside and allows the return traffic as part of an established session.
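One way such an outbound backdoor does show up is in egress logs: it typically checks in with the attacker at a fixed interval and with near-identical payload sizes, something users and browsers never do. The script below, an added example that is not part of the original article or Integrity360's tooling, runs a simple beacon check over a handful of constructed proxy log lines (the timestamps, hosts and the address 203.0.113.7 are all invented for illustration) and flags any source/destination pair whose connection spacing is suspiciously regular.

```python
"""Flag regular outbound beacons in proxy logs (added example, not from the article).
The SAMPLE_LOG lines below are constructed for illustration only."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<timestamp> <src_ip> <dst_host> <bytes_sent>"
# 10.0.0.12 talks to 203.0.113.7 every 60 seconds with ~410 bytes each time,
# while its browsing to other hosts is irregular and bulky.
SAMPLE_LOG = """\
2016-06-01T09:00:00 10.0.0.12 intranet.example.local 8123
2016-06-01T09:00:05 10.0.0.12 203.0.113.7 412
2016-06-01T09:01:05 10.0.0.12 203.0.113.7 415
2016-06-01T09:02:05 10.0.0.12 203.0.113.7 410
2016-06-01T09:02:31 10.0.0.12 news.example.org 23991
2016-06-01T09:03:05 10.0.0.12 203.0.113.7 413
2016-06-01T09:04:05 10.0.0.12 203.0.113.7 411
2016-06-01T09:04:40 10.0.0.12 news.example.org 17224
2016-06-01T09:05:05 10.0.0.12 203.0.113.7 414
2016-06-01T09:09:10 10.0.0.12 news.example.org 31002
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (source IP, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def beacon_score(events):
    """Return (mean_interval_seconds, jitter_ratio) for a list of events,
    or None if there are too few gaps to judge. A jitter ratio close to 0
    means the connections are spaced almost identically: machine-driven."""
    times = sorted(t for t, _ in events)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def find_beacons(text, min_events=4, max_jitter=0.15):
    """Return the source/destination pairs whose timing looks like a beacon.
    Thresholds are illustrative; tune them to the environment."""
    suspects = []
    for (src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        score = beacon_score(events)
        if score and score[1] <= max_jitter:
            suspects.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "interval_s": round(score[0], 1),
                "jitter": round(score[1], 3),
            })
    return suspects


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the constructed data this reports the single pair 10.0.0.12 to 203.0.113.7 with a 60-second interval and zero jitter, while the irregular browsing to the news site is ignored. Real implants add random jitter to defeat exactly this check, so in practice the timing signal is combined with others (payload size, destination reputation, time of day) rather than used alone.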
Usually in penetration testing the client assists with some level of briefing on its systems, business processes, authorisation protocols, etc. The less transparent the client is about their network, the more effort is required at the reconnaissance stage. A typical professional penetration test involves about five or six days’ work by an expert, depending on scope, so adding unnecessary pieces to the puzzle is potentially a waste of resources.
How often should testing take place? Clearly, that is a client decision but in general we would suggest at least quarterly for overall vulnerability scanning and at least annually for full penetration testing. One key point is that vulnerabilities should be re-assessed after any significant systems changes or additions, either in infrastructure or at an applications and communications level.
Penetration testing takes vulnerability management one step further, establishing as far as possible the actual degree of business risk, which matters for many types of organisation. Board directors today carry serious fiduciary responsibilities, so this is yet another area they should take very seriously.
Calum Mackenzie, Security Consultant, Integrity360