By: Chris Clements, VP of Solutions Architecture, Cerberus Security
What Does It Mean to Feel Safe & Secure?
In your home, leaving the front door unlocked might be cause for concern depending on any number of factors. For most people, locking the front door represents an essential security measure for a specific kind of threat – protection from unwanted visitors. In actuality, a myriad of security concerns exist in your home beyond the front door, since a locked door addresses only one type of threat from a very specific kind of actor.
What risks might you not even know how to look for or protect against? Even more than your home as a metaphor, your entire IT estate has entry points you may not have considered – even as an IT professional. Yet many people conduct penetration testing only on specific parts of their environment, not the entire estate. At best, this will yield limited information. In many cases, it paints a much rosier picture of your security posture than the reality. It’s like hiring a home inspector but telling him he can only look at the house’s exterior. You are likely missing important things.
Protecting the “Pearls” & Everything Else in Your IT Environment
Your IT environment is the home for your business operations, but there’s greater nuance and complexity to securing this type of environment. To extend the home scenario above, the safety of your home has more than a few vulnerabilities.
Depending on what you are trying to protect, there are more than a few ways to safeguard and monitor your home. Smoke alarms, radon detectors, latches on the windows – maybe even a few mouse traps? Does your roof leak? Is the foundation rotting?
An IT environment is a complex ecosystem made of people, software, and hardware. Securing this ecosystem means knowing not only how to lock the ‘front door’ but, more importantly, how to identify and understand vulnerabilities of which you may not be aware.
Penetration Testing to Understand Risk
When the goal is to secure the entire infrastructure of your business, validating only that the “front door is locked” means ignoring, intentionally or unintentionally, every other security aspect of your business.
Penetration testing is an exercise to demonstrate risk, simulate a malicious attack, and gain an enhanced knowledge of a specific IT environment. This means breaking passwords, scanning ports, and maybe conducting a purple team test to see whether you are able to detect when someone’s in your “house” – going through drawers, looking through your diary, and putting grandma’s pearls in their pockets.
Penetration testing demonstrates real-world risk to an organization by making use of dedicated security experts who actively attempt to gain access to non-public data or control over systems and networks, i.e., the home of your business.
As a method for gaining assurance in the security of an IT system, pen testing (or ethical hacking, as it is also known) attempts to breach some or all of a system’s security, using the same tools and techniques that a malicious actor might employ.
Pen testing across a variety of technological contexts in your company’s IT environment might identify a threat or potential threats that leave an opening into your network. For example, a zero-day threat requires patching, but until this vulnerability is identified and mitigated, hackers can maliciously exploit it to negatively impact programs, seize institutional data, and compromise computers or a network. A misconfiguration can easily expose you, allowing an attacker to take over your IT environment.
Know What You Don’t Know: Find and Secure Vulnerabilities Before Attackers Exploit Them
Modern cyber-threats are increasingly coordinated and sophisticated events designed to disrupt, corrupt, and potentially destroy the home of your business. Protecting your network means making use of state-of-the-art diagnostic tools to reveal – through the lens of a hacker – how a malicious attack could take place.
Ethical hacking presents itself as a path toward continuous improvement in your business organization. A deep pen test or ethical hacking exercise can not only detect vulnerabilities but also help determine appropriate response strategies. As a result, pen testing can be used for recon to prevent cyberattacks and security breaches by lawfully hacking into systems and identifying areas of weakness.
A broad spectrum of diagnostic detection capabilities will ensure that the sanctity of your IT environment remains intact. Penetration tests might include:
- General Network & Application
- Web Application Deep Dive
- Mobile Application Deep Dive
- Medical Devices
- Social Engineering
- Wireless (Wi-Fi)
- Physical Infrastructure (Buildings)
- Scenario Based / Capture the Flag
It’s also best to keep in mind the difference between the two: vulnerability scans look for known vulnerabilities in your IT environment and can reveal potential exposures, while penetration tests are a “hands-on”, intensive exploration of your network designed to actually exploit weaknesses in the fundamental architecture of your IT environment to demonstrate risk. Focusing too much on one area of your IT environment may produce fundamental weaknesses in the stability of your IT ecosystem. There are more access points and considerations than just the front door. A pen test offers a clear qualitative picture of how much damage a malicious attacker can do with unauthorized access to your assets.