Eighty-five percent of small businesses in the U.S. have been hacked. The important and sensitive information stored on their Information Technology (IT) systems has been stolen, changed, or made public. When a big company is hacked (e.g., Target, Home Depot, Sony), it’s all over the news, but it’s actually the smaller companies that are more at risk.
Small companies tend to dismiss the threat, thinking hacking is only a problem for large corporations or the finance industry. They don’t invest enough in security for their IT systems. If they have a data security specialist on board, the person’s responsibilities include a whole range of IT duties, and he or she can’t keep up with the latest malicious code or software patches. Some companies use whatever security resources they have on damage control rather than prevention. Hackers love this. They bank on the lax security in the systems of smaller companies. The “white hat” hackers (the good guys) perform penetration testing (“pen testing”) to make it difficult for the hackers to get into IT systems.
A pen test on a computer system, network, or Web application determines where the system is vulnerable to attack. The test team gathers information about the system, attempts to break into it, identifies the primary routes into your system that hackers can take, and compiles a report on its findings. The vulnerabilities can exist in operating systems, service and application flaws, improper configurations, and the actions of end-users. A pen test also evaluates an organization’s security policy and its ability to identify and respond to security breaches.
There are different types of pen testing. Targeted, external, and internal tests are on the lower end of the cost scale. They uncover weaknesses, but are limited in scope and time compared to the unlimited time (and apparently patience) that real hackers have.
- Targeted testing is a “lights turned on” approach. The organization’s IT team and the pen testing team collaborate, and they both see the test as it is being carried out.
- External testing is performed on visible servers or devices, including domain name servers, e-mail servers, Web servers or firewalls, to determine if and how attackers can get in and how far they can go once they’re inside.
- Internal testing is conducted behind a company’s firewall to determine how much damage can be done by an employee or contractor who has legitimate access to the system (if they get fired and their access has not been terminated, for instance).
Blind and double blind tests are more time-consuming and, therefore, more expensive.
- For a blind test, the testing team has very little information, just like real hackers. Sometimes the testers have no more than the company’s name to get them started on trying to break in.
- A double blind test carries the blind test one step further. Not only is the testing team given limited information, but only one or two people within the organization know a test is being conducted. While the team tests for vulnerabilities in the system, they are also monitoring how effectively the company identifies and responds to threats.
The question isn’t “Why does my company need a pen test?” It’s “Why would you not have a pen test done?” Any company with an IT system cannot afford to continue operating without a pen test.
- Find out just how seriously business operations would be affected in the event of an attack.
- After a security breach, determine the vectors (paths) the hacker used to gain access. A pen test can re-create the attack chain so that upgraded security controls will impede future attacks.
- Your security personnel gain experience in detecting and responding to attacks, and learn how to force out a hacker who has gotten inside.
- Developers learn what mistakes to avoid in the future when they see how an attacker can break into an application. An expert and experienced pen test team finds vulnerabilities that the development or security team never even thinks to look for.
- The report generated by a pen test enables the company to prioritize future security investment. It also can be used to support proposals to upper management or investors to allocate additional funds for security personnel and technology.
Do not confuse pen testing with a “vulnerability scan” or “compliance audit.”
A vulnerability scan uses automated network- or application-scanning software. The value of a pen test lies in the skills and acuity of the team members conducting the test. The team may use automated tools, but the vital component is their expertise and experience. The most advanced automated test cannot compare to the human mind that thinks laterally and outside of the box and can analyze and synthesize.
Organizations such as those that accept a particular volume of credit card transactions or that store Protected Health Information must perform a compliance audit. An organization can be absolutely, completely compliant and still be vulnerable to attacks. Needing to comply is not the same as being genuinely concerned about intellectual property, the risk to that property, and the possibly dire consequences to the people who will be affected by a breach.
If the goal is merely to comply rather than to analyze the threats to the system, a company is more prone to test with a less expensive automated service. Get that report, check that chore off the list, right? Let’s ignore for a moment the possibly devastating effects a compromise to the system will have on a company. In a purely selfish sense, if you go with an “economy class” test and the system is hacked, you’re going to have to justify your decision, and that’s not likely to go well for you.
The question is not if, but when, your system will be hacked. You need to be able to detect, contain, and recover from the breach. Your security personnel need to know how to respond to a real incident.
Your first pen test report is likely to be an eye-opening experience. Your company is much more vulnerable to attack than you ever dreamed. All pen tests find vulnerabilities. No system is perfect, and all security measures can be improved.