Penetration Testing

A recent survey estimated the cost of cybercrime in the UK to be UK£27bn per annum. Worldwide the cost of cyber attacks is estimated at being between US$169bn and US$226bn per year.


This is a real issue, and not just one for the well publicised attacks on major corporations such as Sony, Lockheed, Google, and Citi. It affects every business and organisation, large and small. More worrying still, it is now widely suggested that hackers and espionage organisations are moving away from directly attacking their target company, choosing instead to route their attack through suppliers to their target. Thus, even small and seemingly innocuous “third party” businesses who would not consider themselves as potential targets are now on the front line of this cyber war.

Even at the everyday “just trying to get by” level of small and medium-sized businesses the risks are ever present and can increasingly have a major impact on the viability of a business.

Just ask yourself:

  • Could an unauthorised person gain access to your IT system and obtain sensitive information, or could that person, having gained access, cause disruption or damage to your system?
  • Are any links from your IT system to the outside world protected from attack?
  • If you use wireless communications either within the building or more widely, how secure is it?
  • How secure are your servers from external attack?
  • Can staff who have legitimate access to use the IT system gain access to sensitive areas?
  • Are your applications secure, both inside and out?
  • What about laptops, notebooks, PDAs, tablets and the like: just how secure are they?
  • What training and awareness do your staff have for protecting your sensitive data? Could they download all of your sensitive information onto CDs/USB devices and then lose it? (The UK Inland Revenue lost over 20 million records by doing just this in 2009.)

The saying, “prevention is better than cure,” is highly appropriate when discussing this subject, and is certainly better than another paraphrased saying, “closing the stable door after the horse has bolted.”

So what can be done?
Good management, clear lines of responsibility, suitable password control for internal access, and suitable security measures, both internal and external, all have a part to play. So too does regular checking of the system from a security point of view: otherwise known as security penetration testing.

There are many companies offering penetration testing services, and the standard and range of coverage varies considerably. If you were asking someone to check the security arrangements for your building you would check them out first to ensure they were properly qualified to do the job, were trustworthy and reliable, had the right tools, and would provide sound advice: all qualities you should seek from a security penetration testing company. The key to expert penetration testing is the interpretation of the data output from the custom and automated tools. The value is in the translation and clear presentation of that critical information to the business and client.

So when evaluating a company to carry out your security penetration testing, consider the following:

  • Staff should be qualified and experienced in carrying out security penetration testing work.
  • Tools will be bespoke to the task, not just standard automated test tools that generate reams of data but provide no intelligent function.
  • Where the first level of testing identifies potential vulnerabilities, fuzzing with proven test cases should be carried out to cover the OWASP Top 10 vulnerabilities.
  • All results generated by test tools should be manually verified to help identify false positives.
  • The final report should not be a simple print-out of data: it should succinctly and quickly identify potential vulnerabilities and comment on remedial action that can be taken to eliminate or reduce each vulnerability.

If you are in charge of a business or organisation you will ensure the doors and windows are locked every day when people go home, not just once in a while. The same principle applies to security penetration testing: for it to be effective it needs to be done on a regular basis. Regular will mean different things to different organisations: organisations that handle money in any form, or have highly sensitive data, should be thinking of monthly security penetration tests, whereas a small business might reasonably justify six-monthly checks as appropriate. The key is to make a risk assessment of your IT systems and then be realistic in judging how often the checks are required.

After all, you would not sanction the doors and windows being checked once a year so why take a different attitude to the very data that could bring your business down if it were stolen or lost?
