January 4, 2016
Securing Your Business Top to Bottom: Your Penetration Testing FAQs Answered
Do you feel that?
It’s the feeling that someone’s been snooping around in your office, your email account, or maybe someone’s been on the server downloading something. You’re not quite sure, but there’s that nagging voice in your head telling you something is just not right.
You know that voice, right? Of course you do. Here’s what it’s really trying to tell you.
Your Security Has a Gaping Hole
One of the reasons company servers get compromised is poor security practices. In many cases, the businesses didn’t even know they were vulnerable – you don’t know what you don’t know, right?
Almost all customized applications have security vulnerabilities and even websites that are built professionally have vulnerabilities. So, if you’ve built a company website, have customer-facing web or mobile applications, or you use a server for any aspect of your business, you probably have some kind of vulnerability and you should have a test performed.
What Is Pen Testing?
Penetration testing, or “pen testing” for short, is a way to simulate an attack against your network and applications without compromising your data or company’s operations. When you hire a company specializing in security analysis, an analyst will come to your site and perform a test. Sometimes, multiple tests are done.
These tests can be broken down into (roughly) two different types. First, there is external testing. This type of testing focuses on external threats like viruses, malware injections, and various types of hacking activity and denial-of-service attacks.
The second type of testing is internal testing. This is where a security analyst attempts to compromise your company’s systems from within. Phishing emails may be used as well as various types of social engineering.
Social engineering is the most sophisticated non-technical testing done because it doesn’t rely on computer or technology-based security. Instead, analysts attempt to exploit human psychology, bypassing the need for hacking or denial of service attacks.
For example, an analyst might try to enter a protected or restricted area by pretending to be an employee who forgot his or her security clearance (badge). Or, the tester may pose as an IT professional who needs access to a restricted area or is visiting the company to meet with management.
Sometimes, the social engineering exploits the inherent kindness individuals show to strangers. A tester might walk up to a security gate or door with two cups of coffee, and attempt to trick guards or other employees into opening secure gates or doors.
Often, the implication is that, because the tester has two of something (in this case, two cups of coffee), the second cup is for someone inside the building. And, with both hands full, the tester needs help getting into the building or area.
A successful exploit means that the tester was able to capitalize on the sympathy or empathy of employees and was allowed into restricted areas even though this is not permitted.
Most penetration tests result in a test report. For example, a Sec-Tec penetration testing report will show a company its internal vulnerabilities as well as its external ones.
Beyond that, the report may also detail how to reduce the risk of such vulnerabilities or eliminate them. Since the report exposes all, or many, of a company’s weaknesses, this report should never be delivered through unsecured channels. Most reports are transmitted either over secure FTP or delivered in person.
Suggestions for closing vulnerabilities are often offered as a separate or ancillary service. However, your security analyst should at least make you aware that he or she can help you.
Do You Need A Pen Test?
Most businesses do need penetration testing. Anytime you upgrade computer systems connected to the internet or intranet, you should have your system retested. Also, any applications hosted on your servers should be tested.
What Should You Have Tested?
Applications, custom or “off the shelf,” should be tested for vulnerabilities. Servers and networks are another candidate. Finally, actual machines (laptops, desktops, mobile devices) should be tested.
In most instances, the server and network are going to be a top priority because devices that connect to the network can be “sandboxed” if there is a problem with them. That’s not to say these devices are unimportant, but most businesses tend to believe that network security is of primary importance.
Next, you should focus on applications, both native and web-based. Customer-facing applications can be especially vulnerable to attack. And, if those applications collect, and your server stores, personal data (health, financial, etc.), then you need to have extensive testing done on those applications.
Lewis Spencer is an IT consultant who helps small and medium-sized businesses with cyber security. He wants to bring greater awareness to best practices and explain in simple terms to less knowledgeable business owners what needs to be done. His articles have been published on a range of business blogs.