You May Not Think You Need a Security Penetration Test – But You Absolutely Do
Humans are notoriously bad at calculating risk – which is part of the reason why our applications, servers, and endpoints keep getting hacked so often. It’s often difficult to keep up with patches and updates to mission-critical programs – and we let them go out-of-date. Many businesses believe they are too small and barely worth a hacker’s efforts so they install antimalware and antivirus and hope that is enough. On the other hand, many small businesses believe they’ve already spent so much on business IT security that it may not be worth investing in more.
Because of these various fallacies, a successful cyberattack will nearly always come as a surprise. Specifically, the surprise is the extent to which the attack is successful, and the damage that it does.
For example, you wouldn’t be surprised to learn about a convenience store robbery, but you might be surprised if a single robbery put a store out of business. A single cyberattack, however, can and will erase a small business – 60% of small businesses close forever six months after a single successful breach.
Similarly, you wouldn’t be surprised to learn about a bank robbery, but you’d be surprised if a single robbery were able to loot a bank’s entire vault. As the result of a single cyberattack, however, over 140 million social security numbers were stolen – accounting for nearly half the country.
Small Businesses Have IT Security Options
What do you do about this? You can buy new security products until your budgets are exhausted (see: defense-in-depth), but that does nothing to help you if a single successful cyberattack can expose your entire customer base. Any successful security strategy must instead focus on eliminating the element of surprise. Business leaders must understand that:
- Whether you’re a small business or a massive enterprise, no amount of security spending will make you safe from hackers.
- Therefore, you should take pains to understand where your vulnerabilities lie, and how an attacker will choose to exploit them.
- Some vulnerabilities will be fixable, and some won’t. The ones that are fixable should be fixed as soon as possible; for vulnerabilities that can’t easily be fixed, solution partners like Blue Fox Group help small businesses architect a security plan that closes the gaps which allow cyberattacks to penetrate the network.
- In technical terms, the disciplines that will allow you to achieve this state of awareness are known as vulnerability scanning, penetration testing, and risk management.
IT Vulnerability Scanning: Building the Foundation of Security Awareness
Your network runs countless applications. If these applications aren’t constantly updated, or if they aren’t updated correctly, they represent a crack in the edifice of your security. Moreover, new vulnerabilities in these applications crop up on a regular basis. One security vendor now predicts that companies will discover one new zero-day (a previously unknown application vulnerability) per day by 2021.
A vulnerability scan will most likely use automated tools to crawl your internal and external network for unpatched vulnerabilities and tell you what needs to be brought up to date. Your internal network relies on a complex web of application dependencies. Applying a patch to one application may mean that the applications depending on it stop working as expected. In some cases, there is no easy fix. If your computers are vulnerable to Spectre, for example – a vulnerability affecting three billion computers – they are essentially un-patchable.
On the other hand, the Spectre vulnerability is extremely hard to exploit. In order to determine which of your vulnerabilities must be patched – no matter the expense or difficulty – and which may be left alone, you will need to undergo a penetration test.
Vulnerability & Penetration Testing: Hacking for Good
The difference between vulnerability scanning and penetration testing is the difference between knowing that a vulnerability exists and knowing how an attacker would exploit it – or if an exploit is even possible.
Penetration tests are great for businesses because they are the truest example of how an actual attacker would approach them. Your pen tester will use the same tools and techniques that an attacker would use to:
- Perform reconnaissance on your network
- Find attack surfaces
- Exploit vulnerabilities
- Trace the path from your perimeter to your mission-critical data and applications
While many business leaders may have trepidations about letting an outsider take such a deep look into their organization, the opportunity presented by regular professional penetration tests cannot be overstated. Given sufficient time, your penetration tester will almost certainly be able to find their way to critical or compromising data. Along the way, however, you’ll be able to answer questions such as:
- How long will it take an attacker to go from my network perimeter to my data store?
- What vulnerabilities in my network are most appealing to attackers?
- What indicators of compromise (IOCs) will an attacker produce as they infiltrate my network?
- Will my security operations center (SOC) be able to detect the attacker in any way?
- When the attacker reaches their target, how much of my critical data will they be able to see?
- As the attacker exfiltrates data, will there be any signs? How much data will an attacker be able to steal before they are caught?
Vulnerability testing takes a hard look at the vulnerabilities that exist on the network from within. Assessments can be required by regulation or third parties, but they should be considered a best and recommended business practice for all organizations. Vulnerability assessments measure organizations against over 10,000 possible vulnerabilities and provide a clear path to remediation. They may also uncover the need for additional actions, such as penetration testing or other network services, to improve an organization’s vulnerability profile.
Mitigating Cyberattacks with Risk Assessment
Let’s say that a vulnerability scan indicates a vulnerability in your perimeter and that a penetration test indicates that this vulnerability could be exploited to reveal critical data. A risk assessment would give you a number of options that would minimize your and your customers’ exposure to legal and criminal threats in case of a breach.
For example, a risk assessment could tell you to:
- Immediately patch the vulnerability – if this temporarily breaks dependent applications, so be it.
- Map the gap in your security and pair it with a compensating control, such as encrypting the data behind it. If an attacker steals that data, it will be of no value to them.
- Partner with a Security as a Service team that can monitor and proactively mitigate attacks through security tools and techniques, safeguarding data that must not be compromised (such as your clients’ social security numbers).
These are just a few of the range of options that a risk assessment might offer, all of them varying in difficulty and expense.
Your potential courses of action in response to a potential vulnerability will vary a great deal based on the kind of data you’re protecting and the kind of attackers who may be out to get you. Some forms of personal data are less sensitive than others – it’s bad if you lose a customer’s address or email, but much worse if you lose their credit card or social security number. Similarly, depending on your company’s profile, you may not be able to afford a data breach at all if your company is subject to compliance and regulatory requirements it must uphold.
These recommendations and decisions are best guided by risk management professionals. With a skill set that’s one-part hacker and one-part lawyer, these individuals can help you maximize your protection from attackers while minimizing your risks under compliance regimes such as HIPAA, PCI-DSS, and the forthcoming GDPR.
By undergoing regular vulnerability scans, penetration tests, and risk assessments, you’ll massively reduce the likelihood of a damaging security breach. What’s more, you will be less likely to find yourself surprised by a security breach and more likely to understand your risk posture, having proactively protected your data to the level of security you find acceptable.
Take the first step by reserving your security-risk evaluation. A Blue Fox Group security expert will provide options and help you decide which type of security best practice will help you secure your data, mitigate risk and sleep better at night.