A Security Breach Can Happen To Anyone: Small or Large
Many in the cyber security industry are aware of the Equifax breach. It was one of the largest and most well- known data breaches to date, affecting 143 million personally identifiable information (PII) records of U.S. citizens. Perhaps the most alarming detail about this breach was that Equifax did indeed have a robust security program. Hackers were able to circumvent security controls by exploiting a vulnerability in the open source component, Apache Struts, which is an open source web application framework used to develop Java web applications. During that same year, WannaCry ransomware was released into the wild and there were a record breaking 14,000 vulnerabilities reported to US-CERT, according to CVE details1. In 2018, that number jumped to over 16,000. The lesson every organization should learn from this event is that a breach can happen to any business, small or large.
Developing security controls and implementing defense measures can help mitigate the risk of a cyber security threat. A primary component in the arsenal for a cyber defense strategy is to employ the services of a third-party security assessment firm. These firms have the capabilities to identify weaknesses within the security posture of an organization and recommend remediation steps. They will perform either a vulnerability assessment, which identifies weaknesses in hardware and software or a penetration test, which works to exploit those vulnerabilities. Annual penetration tests are critical in assessing the true security of internal and external systems.
The challenge with selecting services for a vulnerability assessment is that not all testing services are the same. Simply running a scan and generating a report of vulnerabilities existing in the environment can be produced; however, its relevancy may be questionable depending on the asset scanned and its risk factor to the organization. For example, an asset that is isolated from the production environment that does not contain relevant sensitive data may score lower on the priority list than an asset that is in the production environment and does have sensitive data. Therefore, vulnerability assessments need to have a human element, a trained and experienced security professional to review vulnerabilities and put them into context.
When Considering a Penetration Test, Understand Your Needs and Goals
When considering a penetration test, an organization should first look to itself to understand its basic needs. The scope of a penetration test can vary from firm to firm, yet all providers should focus on meeting the needs of the organization. For example, one goal may be to leverage social engineering to test the effectiveness of end user training and awareness. Another goal may be to see what data could be accessed if a breach were to occur. Other goals may include testing the effectiveness of other defense measures, such as the effectiveness of the patching policy, or the effectiveness of the SIEM solution and cyber security team. The overall goal of any penetration test is to learn where weaknesses reside against assets and implement recommendations for improvement.
When Considering a Penetration Test, Look for Qualities, Experiences and Unique Services
When considering a penetration test, an organization should also look for the qualities, experiences, and unique services provided by a security firm. Many security professionals are marked by designations such as the Certified Ethical Hacker (C|EH), or Certified Information Systems Security Professional (CISSP) certifications and are well-versed in other domains of IT such as advanced networking. Before committing to a penetration testing firm, seek a team bio of the people who would be working on your project and ask for a sample redacted report which contains vulnerabilities, weaknesses, remediation steps, and criticality of the risk.
Conclusion: Find Your Gaps First, Then Remediate
News of a breach being reported, regulatory authorities mandating edicts, and governments employing laws for change continue to drive business and IT leaders to think about cyber security. There are many tools to address potential security gaps, but organizations should first look to understand where their gaps reside, and how they can effectively remediate those gaps before acquiring possibly difficult to implement and difficult to manage security solutions. A penetration test can go a long way in helping an organization understand where its greatest risks lie and the measures that can be effectively employed to reduce those risks.
Resources