From a macro point of view, 2017 was a rough year for cybersecurity. As spring turned into summer, the WannaCry and NotPetya malware outbreaks spread worldwide, and the resulting lost productivity dented quarterly earnings and stock prices, costing some companies hundreds of millions of dollars. The massive Equifax breach in the fall compromised the data of nearly half of the U.S. population in some way, and 2017 saw a 20% increase in data breaches overall. The fact is that the volume and magnitude of cyberattacks are growing year over year.
Your company may be using a multi-layer security strategy in line with best practices. You may be diligent about patching and updating every component and device in your enterprise. You may have built a top-down security culture that reinforces a human firewall of users who are both trained and alert. Yes, there is a “but,” and the “but” is that you will never know how effective your deployed security architecture is until you subject it to a simulated attack by an actual hacker.
That is the purpose of penetration testing, or pen testing. If you have not conducted one, the start of the new year is the perfect time to begin. Below are eight things to consider when implementing a pen test of your network.
- Know what a pen test is
A pen test is different from a vulnerability assessment. A vulnerability assessment is performed with a standard scanning package such as Nessus, typically run against your enterprise’s public IP addresses. These automated scanners check for a list of known vulnerabilities and compile the results into a graphical summary report. An assessment simply shows your known vulnerabilities; it does not tell you whether they can actually be exploited. A pen test provides the opportunity to find out how a real person can chain and exploit vulnerabilities in your network. It can help determine the effectiveness of your defense mechanisms and ascertain end-user adherence to security policies. In essence, a vulnerability assessment shows you the rabbit holes. A pen test shows just how far down the rabbit hole a threat can go and the damage that can result.
- Implement white-box testing
While it is true that the person conducting the pen test is emulating an outside attacker, you cannot get the full value of a pen test without providing some information and direction. Black-box testing refers to engagements in which the tester has no prior knowledge of the targeted system. Real attackers, however, often research their targets thoroughly before striking. Working collaboratively in a white-box scenario lets you ensure the tester focuses on the significant issues that may exist rather than spending most of the engagement on reconnaissance. You can also request that specific “what-if” scenarios that concern you be tested, such as what a compromised employee account could reach.
- Test inside and out
One often thinks of penetration tests only as coming from outside the network, but a comprehensive test includes testing from the inside as well. Attackers use phishing and malware to take control of privileged accounts or implant rootkits within your network. Once a privileged account has been seized, an attacker can move laterally through the network largely unimpeded in order to locate high-value internal resources. Do not limit the scope of your testing to the outside looking in.
- It’s not a once a year endeavor
Many IT managers look at a penetration test the way they look at a yearly checkup with the doctor. Companies that must comply with PCI DSS and other regulations are required to conduct a pen test at least once a year (PCI DSS also requires a retest after any significant change to the environment). However, due to the growing complexity of networks today and the perpetual introduction of updates, new software and virtualization, once a year does not cut it anymore. What’s more, attackers are always changing their strategies. Companies should test periodically throughout the year, and especially after any major deployment or change within the network.
- Test more than just open ports
We often equate pen testing with port scanning. While probing ports is still important, a thorough pen test also examines other components: how credentials are stored and transmitted (for example, whether passwords are hashed at rest and only ever sent over TLS), whether error messages disclose stack traces, software versions or internal paths, and whether your email filters actually stop the malicious attachments and links that phishing relies on.
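To make “more than just open ports” concrete, here is an added example (not from the original article) of the kind of offline check a tester runs over captured HTTP responses: it flags login forms that submit passwords over plain HTTP, session cookies missing the Secure and HttpOnly flags, and error pages or headers that leak stack traces or version numbers. The URLs, headers and page bodies below are constructed sample data, not captures from any real host.

```python
"""Checks beyond a port scan: credentials in transit, cookie flags, and
verbose errors. All sample responses are constructed for this example."""
import re
from html.parser import HTMLParser


class FormParser(HTMLParser):
    """Collects every <form> on a page and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


# Signatures of verbose error output that should never reach an end user.
STACK_TRACE_PATTERNS = [
    r"Traceback \(most recent call last\)",        # Python
    r"\bat [\w$.]+\(\w+\.java:\d+\)",              # Java
    r"ORA-\d{5}",                                  # Oracle
    r"You have an error in your SQL syntax",       # MySQL
]


def check_response(url, headers, body):
    """Return a list of findings for one HTTP response.

    headers is a list of (name, value) tuples so repeated Set-Cookie lines survive."""
    findings = []

    # 1. Credentials in transit: a password form whose submit target is plain HTTP.
    parser = FormParser()
    parser.feed(body)
    for form in parser.forms:
        if form["password"]:
            action = form["action"]
            # A relative action inherits the scheme of the page it was served on.
            target = action if action.startswith("http") else url
            if target.startswith("http://"):
                findings.append(f"password form submits over plain HTTP: {action or url}")

    # 2. Cookie flags: session cookies without Secure and HttpOnly.
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [p.strip().lower() for p in value.split(";")[1:]]
            missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
            if missing:
                findings.append(f"cookie {cookie_name} missing {', '.join(missing)}")

    # 3. Information disclosure: stack traces in the body, versions in headers.
    for pattern in STACK_TRACE_PATTERNS:
        if re.search(pattern, body):
            findings.append(f"error page leaks implementation detail: /{pattern}/")
    for name, value in headers:
        if name.lower() in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            findings.append(f"version disclosed in {name}: {value}")

    return findings


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLE_RESPONSES = [
    ("http://intranet.example/login",
     [("Server", "Apache/2.4.29"), ("Set-Cookie", "JSESSIONID=abc123; Path=/")],
     '<html><form action="/login" method="post"><input name="u">'
     '<input type="password" name="p"></form></html>'),
    ("https://shop.example/account",
     [("Server", "nginx"), ("Set-Cookie", "sid=xyz; Path=/; Secure; HttpOnly")],
     '<form action="https://shop.example/account" method="post">'
     '<input type="password" name="pw"></form>'),
    ("https://api.example/orders/1",
     [("Content-Type", "text/html")],
     '<pre>Traceback (most recent call last):\n  File "app.py", line 12</pre>'),
]


def run_all(responses=SAMPLE_RESPONSES):
    """Map each URL to its findings; an empty list means the response passed."""
    return {url: check_response(url, hdrs, body) for url, hdrs, body in responses}


if __name__ == "__main__":
    for url, findings in run_all().items():
        print(url, "->", findings or "no findings")
```

In a real engagement the same functions would be fed responses captured through an intercepting proxy; keeping the checks as pure functions over (url, headers, body) is what makes them easy to run against a whole crawl and to diff between test rounds.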
- Web application testing
Your external-facing web applications are almost a separate, complex entity within your network, and for many companies they are the heart and soul of the business. Testing the effectiveness of your web application firewall is mandatory today, and the test should exercise the application itself, not only the firewall in front of it. Make sure the team conducting the test is familiar with the OWASP Top 10 security risks and tests for them explicitly.
- Don’t ignore IoT
Gartner predicts that there will be 20.4 billion connected IoT devices worldwide by 2020, and IoT is expected to become ubiquitous this year in industries such as healthcare. Unfortunately, IoT devices are a hot target for attackers because they are usually the weakest link in your security chain: they often ship with default credentials, rarely receive patches, and are frequently connected to the same network as critical systems. Include them in the test scope.
- Make sure the tester provides remediation options
As mentioned, many vulnerability assessment summaries consist of generic, automatically generated advice triggered by the presence of a given vulnerability. Make sure the individual or team performing the test will provide customized remediation recommendations based on the exploits they actually carried out, prioritized by the impact they demonstrated.