On the face of it, giving a team of highly skilled computer hackers carte blanche to attack your IT systems may not seem like the best of ideas, but that’s essentially what a penetration test (pentest) is, and it is not as crazy an idea as it may sound.
A pentest is a simulated attack on your IT systems, carried out by ‘White Hat’ hackers employing ‘Black Hat’ techniques to determine how vulnerable every aspect of your business is to malicious attack. Encompassing anything and everything from probing your company website to the physical security of your office building, a pentest is a great way to find out if your business is at risk. Whether it’s IP, data, physical assets or something else that is key to your business, you should take every precaution to keep it safe.
So what should you expect when you commission a pentest? You agree a scope with the testers, and decide whether your test will be ‘white box’ (where the testers are provided with certain specific information about your systems) or ‘black box’ (the testers have no prior knowledge of your systems), and then set them loose. When the test is complete you’ll receive a comprehensive report of the weaknesses and vulnerabilities identified during the test, and recommendations for how they can be mitigated or otherwise neutralized.
A well-scoped pentest will give you not only peace of mind that your business is as secure as it can be; evidence of a penetration test (and, more importantly, of the actions taken to secure your business as a result) can also be key to attaining compliance with industry standards, or to qualifying your business for cyber security insurance where that is appropriate.
Great. So you should go ahead and get a pentest booked in, right?
Well, not quite.
A penetration test is certainly a great way to show that your business is not only aware of the importance of security, but has taken steps to ensure that your clients’ business is in safe hands.
But first, you will want to have considered and squared away certain security fundamentals before letting (albeit ‘good guy’) hackers loose on your business. You wouldn’t spend good money on a state-of-the-art alarm system for your office if you hadn’t first checked you could close and lock the door, so here are a few key security fundamentals you should take care of, to make sure that when you are in a position to engage a security team to simulate an attack against your business, you make them earn their money:
- Keep up to date – Make sure you have the policies and procedures in place to ensure your servers and endpoints (all desktop PCs, laptops, tablets and mobile phones), as well as all your applications, are up to date. Each time a vendor releases a patch for an operating system or a piece of software it raises awareness of the vulnerabilities it fixes, so patch your systems as soon as you can, before the bad guys can take advantage.
- Protect your devices – Deploy endpoint protection in the form of anti-virus and personal firewalls to prevent and detect malicious activity on ALL your employees’ company equipment. Remember, it can take only one device connected to your network to be compromised for your whole business to be exposed.
- Identify and secure your perimeter – It doesn’t matter whether you host servers on your premises or use the cloud for your back-office systems: identifying and securing the areas where your data is open to attack is the responsibility of your business. If your employees access email on their phones, or if you have remote workers, then you must ensure that access and communication between your business and the outside world is controlled, auditable and secure.
- Stay connected, safely – Communicating electronically and taking advantage of the internet is a big part of any modern business, but also presents one of the biggest risks. Email gateways and web filtering can help your business mitigate some of the most common forms of breaches and attacks seen today, preventing malicious emails from reaching your employees and protecting them from compromised and potentially harmful websites.
- Educate your employees – Most important of all, educate your employees. Set clear policies and procedures around not only security, but all business practices. This will establish a normal state of operation that helps employees identify anything out of the ordinary, and empowers them to flag any activity or communications that look suspicious. Securing your business is the responsibility of all your employees, so make sure they feel confident about being able to go about their jobs safely and securely.
Whether you’re ready for your first pentest, need help making sure you’ve done the right groundwork before getting started, or need any other security advice – get in touch.