THE IT SECURITY PROFESSIONAL | Barlowtek
Helping Organizations Understand IT Security & Best Practices
Vulnerability v. Insecurity

When you look at conducting a pen test, you want to make sure that you are using a reputable firm such as @Trustwave or @Rapid7. These firms will provide your organization the most robust testing available by combining an automated vulnerability-scanning engine with hands-on penetration testing professionals who then try to exploit the vulnerabilities it finds.

Not Just a Vulnerability

The testing should not only focus on the vulnerabilities that an automated scanner has picked up; it should also look for the ways a motivated attacker would exploit them. Not having a human in the loop leaves out an important factor in the testing: the human factor. (The ability of a potential attacker to think outside the box can't be underestimated.) Having a living, breathing person behind the keyboard ensures that the test looks more like an actual attack on your network. It covers not just the vulnerability itself, but also the deeper question of how it could be manipulated to gain access to your secured systems. Taking advantage of multiple vulnerabilities at the same time, or stringing together various types of threats, keeps the testing realistic.

Testing with an automated system can give you a quick look at all of the areas you will have to address during remediation, but it should not be what you prepare your resources against in order to thwart an attack. Having a person as part of that equation will allow you to face the unpredictable behaviors that are inherent to having a person in the loop.

Need for Testing

An organization will have several reasons for wanting to conduct a pen test of its networked environment. The biggest will be compliance with a regulatory requirement such as HIPAA or PCI DSS. While these regulations may be the initial drivers, they should not be the only reason a company conducts the testing, whether the business is providing services or handling other specialized data processing or storage of information. The need for pen-testing services is growing because the threats to our businesses are growing as well. Attackers are becoming more blatant and daring in the types and scopes of the attacks they are willing to carry out. Whatever the reason for an attack on a network, it is important to remember that you can take steps to prevent attackers from accessing your network. You are not going to deter everyone, and if a motivated attacker wants in, they will find a way to get in.

Testing Time

Setting up the testing is one of the most frustrating aspects of the whole process, in that you may have to decide what days or times work best for your organization, whether you are testing at night with teams located overseas or with ones located in your home country. It is important that you communicate the following to them:

Test Results

Communicating the test results may be one of the most important aspects of the whole process. The results must be communicated effectively and in a manner that your team and stakeholders will understand. Your results may vary from one testing firm to another, but they should contain most, if not all, of the following information:

Follow-up Testing

The follow-up testing happens after the remediation efforts have been completed. This testing makes sure that the patches or updates have been deployed properly. There may be times when a patch or vulnerability fix opens up additional vulnerabilities that were not discovered during the initial testing time frame. Risks abound in the field of IT security, and they take on many forms. Whether it is a vulnerability or a known threat, the pen testing conducted against your network will find those issues and give you a way to address them. Conducting additional testing allows you to determine the effectiveness of your remediation efforts. To address a possible threat, patches or updates must be deployed and installed properly; failing to do so exposes you to the very same risk that was identified during the testing.

Summary

Some organizations look at engaging a penetration testing team as a fruitless endeavor or a waste of time and money. This has proven to be far from the case when it comes to protecting our networks. The thought of what would happen to the organization if an attacker were to compromise the network should drive you to look for a competent testing team. How much would a potential breach cost your company? How much is your reputation worth? If you are like most businesses, this is what you are relying on to build your business. Additionally, organizations are coming under more and more scrutiny and compliance requirements. These requirements increasingly look for ways to ensure that business networks are more secure than they have been in the recent past. That requires more enforcement and greater controls that address the potential for threats against a computer network.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.
January 2023