Penetration Testing

A recent survey estimated the cost of cybercrime in the UK to be UK£27bn per annum. Worldwide the cost of cyber attacks is estimated at being between US$169bn and US$226bn per year.

A recent survey estimated the cost of cybercrime in the UK to be UK£27bn per annum. Worldwide the cost of cyber attacks is estimated at being between US$169bn and US$226bn per year.

This is a real issue, and not just one for the well publicised attacks on major corporations such as Sony, Lockheed, Google, and Citi. It affects every business and organisation, large and small. More worrying still, it is now widely suggested that hackers and espionage organisations are moving away from directly attacking their target company, choosing instead to route their attack through suppliers to their target. Thus, even small and seemingly innocuous “third party” businesses who would not consider themselves as potential targets are now on the front line of this cyber war.

Even at the every day “just trying to get by” level of small and medium sized businesses the risks are ever present and increasingly can have a major impact on the viability of a business.

Just ask yourself:

  • Could an unauthorised person gain access to your IT system and obtain sensitive information, or could that person, having gained access, cause disruption or damage to your system?
  • Are any links from your IT system to the outside world protected from attack?
  • If you use wireless communications either within the building or more widely, how secure is it?
  • How secure are your servers from external attack?
  • Can staff who have legitimate access to use the IT system gain access to sensitive areas?
  • Are your applications secure, both inside and out?
  • What about lap tops, note books, PDAs, Tablets, etc etc – just how secure are they?
  • What training and awareness do your staff have for protecting your sensitive data (could they download all of your sensitive information onto CDs/USB devices and then lose it (the UK Inland Revenue last over 20 million records by doing just this in 2009).

The saying, “prevention is better than cure,” is highly appropriate when discussing this subject, and is certainly better than another paraphrased saying, “closing the stable door after the horse has bolted.”

So what can be done?
Good management, clear lines of responsibility, suitable password control for internal access, and suitable security measures, both internal and external, all have a part to play. So too does regular checking of the system from a security point of view: otherwise known as security penetration testing.

There are many companies offering penetration testing services and the standard and range of coverage varies considerably. If you were asking someone to check the security arrangement for your building you would check them out first to ensure they were properly qualified to do the job, were trustworthy and reliable, had the right tools, and would provide sound advice: all qualities you should seek from a security penetration testing company. The key to expert penetration testing is the interpretation of the data output from the custom and automated tools. The value is in the translation and clear presentation of that critical information to the business and client.

So when evaluating a company to carry out your security penetration testing, consider the following:

  • Staff should be qualified and experienced in carrying out security penetration testing work.
  • Tools will be bespoke to the task, not just a standard automated test tools that generate reams of data but provide no intelligent function.
  • Where the first level of testing identifies potential vulnerabilities fuzzing with proven test cases should be carried out to cover the OWASP Top 10 vulnerabilities.
  • All results generated by test tools should be manually verified to help identify false positives.
  • The final report should not be a simple print-out of data: it should succinctly and quickly identify potential vulnerabilities and comment on remedial action that can be taken to eliminate or reduce each vulnerability. 

If you are in charge of a business or organisation you will ensure the doors and windows are locked every day when people go home, not just once in a while. The same principle applies to security penetration testing: for it to be effective it needs to be done on a regular basis. Regular will mean different things to different organisations: organisations that handle money in any form, or have highly sensitive data should be thinking of monthly security penetration tests, whereas a small business might reasonably justify six monthly checks as appropriate. The key is to make a risk assessment of your IT system/s and then be realistic in judging how often the checks are required.

After all, you would not sanction the doors and windows being checked once a year so why take a different attitude to the very data that could bring your business down if it were stolen or lost?