Why the Pen can be mightier than the sword

Editorial Type: Industry Focus
Date: 03-2014
Key Topics: Security, Penetration Testing, Cybercrime, Advanced Persistent Threat, Hacking, DDoS
Key Companies: Databarracks, Encode UK, First Base Technologies, MTI Technology, HP Enterprise Security Services
Penetration ('pen') testing is the practice of attacking your systems and network to seek out any vulnerabilities that others might try to exploit. It could save you and your customers from the hackers and attackers out there.

"At Databarracks, we find ourselves in an interesting position regarding pen tests [penetration testing], because we bring in expert third parties to test us. But, additionally, our customers who use our services want to bring in their own pen testers to check that our services are secure enough for them."

So says Oscar Arean, the company's technical operation manager, who recognises only too well that, as cloud adoption has risen, compliance has become an increasingly important issue.

"It's much more common for businesses to require their service providers to be accredited to various security standards, proving their ability to adequately protect sensitive data. Penetration testing is a reliable way to test and validate your provider's security best practices. As an ISO 27001 certificated cloud provider, we are required to regularly carry out pen tests on our environment," he explains.

Pen testing replicates the actions of a malicious hacker, finding and exploiting vulnerabilities, be they internal or external, human or operational. These white-hat hackers use various methods to dig deep into systems to identify security weak spots, reporting on them before a malicious hacker can get there first.

"We understand the amount of trust cloud services require and so we're always more than happy for our customers to bring in their own third parties to test our environment. This would definitely be our recommendation to any businesses using cloud services: don't be afraid to perform your own tests on potential providers - just as you would on your own systems," states Arean.
THE TESTING PROCESS

"Also decide how much information you're willing to give away. By forewarning your staff of a scheduled penetration test you risk damaging its reliability, as their behaviour is bound to change as a result."

To get the most out of your testing, you need to act on your results. "Once you have devised an action plan to counteract any weak spots you've identified, this plan should be communicated throughout the business. You can't expect your team to change how they work if they're not aware of the very real effect their behaviour has on the overall security of data," he points out.

Finally, says Arean, don't be afraid to question your pen tester's credibility by making sure they are certificated to the appropriate standards. "This was really important for us as a business. We chose to use a company called Security Alliance, because they are ISO 9001, 27001 and CREST certificated - which are details that are important to us and a lot of our customers."
TARGETING PEOPLE

So logic would dictate we'd be seeing a concerted move towards blended spear phishing/APT-based attack testing, but we aren't. Why?

"It's certainly true that, in recent years, spear phishing awareness vendors, like PhishMe, Wombat etc., have seen a rapid increase in business," he accepts. "Although these solutions clearly have a place, it only requires one person within an organisation to open an attachment. Employees need to be extremely diligent to detect a spear phishing email. Our own experience is that only a handful of spear phishing emails are required in order to establish a position on an organisation's network."

The proliferation of incident response services indicates the extent of organisations subject to attack, he adds. "Incident response is, by its very nature, reactive. In most cases, had these organisations performed a simulated cyber attack on their network, they would have identified deficiencies in their security infrastructure, leading to an attacker gaining a foothold. In addition, simulated attacks would have identified a need for additional sensors to detect activity in the early stages of an attack and whether the defence capability was sufficiently robust enough to obfuscate the attack."

Mann lays out the case for simulated cyber attacks and the means of infection. "Few companies realise the extent of their footprint on the Internet, specifically the details of their employees' activities, emails etc. This information is gathered as part of the initial phase of the attack and provides the organisation with a report on their Internet footprint, such as which employees have a position on the Internet, and what personal and corporate information is available on these employees."

The second phase of the first stage is the creation of the emails. This provides the organisation with a taster of how vulnerable they are to spear phishing attacks.
"Unlike other forms of attack focused at either a web application or firewall, this method doesn't rely on the need for vulnerabilities. Furthermore, once the attacker has established a foothold in the victim's network, it is very difficult to eradicate the RAT(s) [Remote Access Technology]. Moreover, it's been our experience over almost nine years that no organisation has been able to identify the infection or escalation; hugely worrying and perhaps explains why such attacks go undetected," he adds.

A simulated APT attack determines whether the organisation can detect this type of attack, essential for defence. Post simulated attack, the organisation can see how the escalation took place and what procedures, processes and policies need addressing.