Why the Pen can be mightier than the sword

Editorial Type: Industry Focus    Date: 03-2014

Penetration ('pen') testing is the practice of attacking your own systems and network to seek out the vulnerabilities that others might try to exploit. It could save you and your customers from the hackers and attackers out there.

"At Databarracks, we find ourselves in an interesting position regarding pen tests [penetration testing], because we bring in expert third parties to test us. But, additionally, our customers who use our services want to bring in their own pen testers to check that our services are secure enough for them."

So says Oscar Arean, the company's technical operation manager, who recognises only too well that, as cloud adoption has risen, compliance has become an increasingly important issue. "It's much more common for businesses to require their service providers to be accredited to various security standards, proving their ability to adequately protect sensitive data. Penetration testing is a reliable way to test and validate your provider's security best practices. As an ISO 27001 certificated cloud provider, we are required to regularly carry out pen tests on our environment," he explains.

Pen testing replicates the actions of a malicious hacker, finding and exploiting vulnerabilities, be they internal or external, human or operational. These white-hat hackers use various methods to dig deep into systems to identify security weak spots, reporting on them before a malicious hacker can get there first. "We understand the amount of trust cloud services require and so we're always more than happy for our customers to bring in their own third parties to test our environment. This would definitely be our recommendation to any businesses using cloud services: don't be afraid to perform your own tests on potential providers - just as you would on your own systems," states Arean.

THE TESTING PROCESS
Do your research before hiring an external penetration tester, is his advice. "Ask questions about their preferred methodologies, experience and qualifications - not every tester will be suited to your needs. Decide carefully when to schedule your pen test, and how long for. Certain tests, like DDoS (Distributed Denial of Service), require a network to be flooded with unusually high volumes of traffic, which can cause certain systems to crash. Careful planning with your testers can help to avoid any major disruption to your organisation.

"Also decide how much information you're willing to give away. By forewarning your staff of a scheduled penetration test you risk damaging its reliability, as their behaviour is bound to change as a result." To get the most out of your testing, you need to act on your results. "Once you have devised an action plan to counteract any weak spots you've identified, this plan should be communicated throughout the business. You can't expect your team to change how they work, if they're not aware of the very real effect their behaviour has on the overall security of data," he points out.

Finally, says Arean, don't be afraid to question your pen tester's credibility by making sure they are certificated to the appropriate standards. "This was really important for us as a business. We chose to use a company called Security Alliance, because they are ISO 9001, 27001 and CREST certificated - which are details that are important to us and a lot of our customers."

TARGETING PEOPLE
It was Bruce Schneier who famously remarked back in 2002: "Amateurs hack systems, professionals hack people." How right he's turned out to be, states Graham Mann, managing director and group chief marketing officer, Encode UK. Advanced Persistent Threat (APT) attacks fronted by spear phishing are now the MO of choice for the 'professional' hacker, he points out - and the picture is not an encouraging one. "It's been reported that, in 90% of cases, the means of infection is spear phishing. This isn't to say that 'traditional' hacking methods aren't being employed, but the trend is clearly moving in the direction of attacks against the human gatekeeper."

So logic would dictate that we'd be seeing a concerted move towards blended spear phishing/APT-based attack testing, but we aren't. Why? "It's certainly true that, in recent years, spear phishing awareness vendors, like PhishMe, Wombat etc., have seen a rapid increase in business," he accepts. "Although these solutions clearly have a place, it only requires one person within an organisation to open an attachment. Employees need to be extremely diligent to detect a spear phishing email. Our own experience is that only a handful of spear phishing emails are required, in order to establish a position on an organisation's network."

The proliferation of incident response services indicates the extent to which organisations are subject to attack, he adds. "Incident response is, by its very nature, reactive. In most cases, had these organisations performed a simulated cyber attack on their network, they would have identified deficiencies in their security infrastructure, leading to an attacker gaining a foothold. In addition, simulated attacks would have identified a need for additional sensors to detect activity in the early stages of an attack and whether the defence capability was sufficiently robust to obfuscate the attack."

Mann lays out the case for simulated cyber attacks and the means of infection. "Few companies realise the extent of their footprint on the Internet, specifically the details of their employees' activities, emails etc. This information is gathered as part of the initial phase of the attack and provides the organisation with a report on their Internet footprint, such as which employees have a position on the Internet, and what personal and corporate information is available on these employees." The second phase of the first stage is the creation of the emails. This gives the organisation a taster of how vulnerable it is to spear phishing attacks.

"Unlike other forms of attack focused on either a web application or firewall, this method doesn't rely on the need for vulnerabilities. Furthermore, once the attacker has established a foothold in the victim's network, it is very difficult to eradicate the RAT(s) [Remote Access Technology]. Moreover, it's been our experience over almost nine years that no organisation has been able to identify the infection or escalation; this is hugely worrying and perhaps explains why such attacks go undetected," he adds. A simulated APT attack determines whether the organisation can detect this type of attack, which is essential for defence. After the simulated attack, the organisation can see how the escalation took place and what procedures, processes and policies need addressing.


