According to a recent IBM report, it takes an average of 287 days to identify and contain a data breach. How disruptive would that be to your legal practice? Imagine knowing your risks and being able to remediate them, or, where fixing an issue is not feasible, being aware of it and able to put measures in place that reduce the likelihood of a successful attack.
PureCyber explains that a penetration test helps to protect you against potential financial, operational and reputational risk; it can also leave you better prepared to contain a breach effectively if one does happen. Prevention is, of course, better than cure when it comes to cyber security.
Knowledge is power, and a quality penetration test will clearly identify your strengths and weaknesses, informing your cyber security risk landscape and the long-term strategy for the business.
What is penetration testing?
Penetration testing is a way to test, and gain assurance in, the security of an IT system by using the same techniques a cyber criminal might use to attempt to gain unauthorised access to it. The target could be a website, a network, an application or your complete computing environment.
Undertaken correctly, a penetration test by an external certified organisation gives you evidence of whether your company's systems and processes are sufficient at the time of testing, highlighting and categorising the remediations needed to improve security.
In the simplest terms, your new website, portal, firewall or app might seem brand new, shiny and secure, but are you sure there aren't holes in your security just waiting to be uncovered by cyber criminals?
High quality, extensive, expert penetration testing using real-world tools and processes can help you identify gaps in your systems, bugs, misconfigurations and vulnerabilities before they are exploited. Combined with additional layers of cyber security, it should be a regular, systematic part of your strategy to help you stay one step ahead of the cyber criminals.
Not all penetration tests are equal, but a quality, in-depth penetration test led by a team of qualified testers will prove to be an excellent return on security investment (ROSI) for organisations of all sizes and sectors.
Potential risks
Security breaches affect organisations of all sizes, and the media is full of them. From sole traders to multinationals, there is a constant stream of negative news about cyber attacks.
From a penetration testing perspective, common vulnerabilities include insecure default configurations, incomplete configurations and misconfigured HTTP headers. There have been many examples of organisations' S3 buckets (a cloud storage resource in Amazon Web Services (AWS)) being compromised because of incorrect configuration. In such cases data has been accessed by attackers guessing or enumerating bucket names, or simply because of human error, where the bucket's access settings have been mistakenly set to public.
In 2019, Attunity, a data management company, exposed customer and company data when three AWS S3 buckets were left publicly accessible on the internet without any authentication. The data included 750 gigabytes of compressed email backups, along with backups of employees' OneDrive accounts that spanned the wide range of information employees need to do their jobs: email correspondence, system passwords, sales and marketing contact information, project specifications and more. Among those affected were the likes of Netflix, Toronto-Dominion Bank, Australian Broadcasting Corporation and Ford, including Fortune 100 companies.
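The "mistakenly set to public" failure above usually comes down to a bucket policy whose Principal is everyone. The following is an added example written for this article, not PureCyber's code and not anything recovered from the Attunity incident: it shows an over-permissive policy beside a corrected one, and a small check that flags the public grant. The bucket name, account number and role name are made up, and the policies are constructed inline so the check runs offline with no AWS access.

```python
"""Detecting an S3 bucket policy that grants anonymous access.

Added example (not PureCyber's code). Bucket, account and role names are
hypothetical; the two policies are constructed inline for the demo.
"""
import json

# Constructed example: the kind of policy that leaks a backup bucket.
# Principal "*" means anyone, including unauthenticated internet users.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed example: the corrected policy, limited to one IAM role
# in the owning account (hypothetical account id and role name).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-backups/*"],
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True if the Principal element matches everyone.

    AWS treats both the bare string "*" and {"AWS": "*"} as the anonymous
    principal, so both spellings must be caught.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_statements(policy_json):
    """Return Allow statements that grant S3 actions to everyone.

    Each finding records the Sid, the S3 actions granted, and whether the
    statement carries a Condition (a conditional grant may still be safe,
    e.g. restricted to a VPC endpoint, so it is reported but not counted
    as public by is_public).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.startswith("s3:")]
        if actions:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": actions,
                "conditional": "Condition" in stmt,
            })
    return findings


def is_public(policy_json):
    """A policy is public if any anonymous S3 grant has no Condition."""
    return any(not f["conditional"] for f in find_public_statements(policy_json))


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)]:
        verdict = "PUBLIC" if is_public(policy) else "ok"
        print(f"{name}: {verdict} {find_public_statements(policy)}")
```

This check only reads the bucket policy. A bucket can also be exposed through a public-read ACL, which is a separate mechanism, so in practice the belt-and-braces control is to switch on S3 Block Public Access at the account level, which rejects public policies and ACLs regardless of what an individual bucket says.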
Next steps: choosing your penetration testing partner
So, you know that outsourcing testing is going to be good for your business, but where do you start?
In our opinion, choosing the right partner for your business is vital. Granting an external organisation access to your systems to test them is obviously not something to be undertaken lightly.
From PureCyber’s experience, not all companies’ ‘penetration testing’ services are the same.
Here are some points to look out for when selecting your trusted penetration partner:
Are they certified?
For example, PureCyber is a CREST-accredited penetration testing organisation, and its penetration testing team hold Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP) and Offensive Security Wireless Professional (OSWP) certifications. This gives you a third-party accredited team who follow stringent continuing professional development programmes.
Are they experienced experts who will work with you to understand your business and provide the appropriate level of service you need?
Do they understand your needs and have the capability to test adequately, rather than just running a vulnerability scan? Too often, clients come to us after finding that their previous 'penetration testing' service was not an accurate description of what they actually received. The personal, bespoke and flexible service provided by the PureCyber team, combined with their extensive knowledge and the innovative systems we use, enables us to provide a powerful service rather than an off-the-shelf solution.
What will the testing outcomes be?
Penetration test reporting varies between providers. At PureCyber, once a penetration test has been conducted, we provide clients with a report that includes a step-by-step breakdown of how each vulnerability was identified and exploited, followed by remediation advice. Risks are categorised by severity, with a clear roadmap for the organisation where improvements are required.
A penetration test allows clients to identify vulnerabilities and real-world risks, test their cyber defences and sustain the trust of their customers.
What are some of the common issues that can be found?
One of the most common is broken access control. This means that an application has not enforced appropriate restrictions on its users, so data can be accessed by people who should not be able to see it. A typical case is an application that lets the primary key (in simple terms, the unique identifier of a record in the application's database) be changed in a request; when the key is changed to another user's record, that user's account can be viewed or modified without any further check.
Broken access control is remedied by enforcing authorisation on the server: every request for a record should verify that the logged-in user is entitled to that specific record, rather than trusting the identifier supplied in the request. Two-factor authentication (2FA) is a valuable complementary control, but it addresses a different problem: it makes it harder for an attacker to log in as you, not harder for a logged-in user to reach someone else's data. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method. This could be a code sent to your smartphone (or generated by a bank's card reader) that you must enter in addition to your password. For more password guidance visit our resources page here.
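To make the "change the primary key" finding concrete, here is an added example (not PureCyber's code) of a record lookup with the broken access control beside its fix. The in-memory records, the user ids and the two handler functions are constructed for the demo; a real application would sit behind a web framework and a database, but the authorisation logic is the same. Note that both users in the example are fully logged in, which is why 2FA would not have stopped the first handler from leaking.

```python
"""Broken access control (changing another user's record id) and its fix.

Added example, not PureCyber's code. RECORDS, the user ids and the handler
functions are hypothetical; they stand in for a database table and two
versions of a '/records/<id>' endpoint.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised."""


@dataclass(frozen=True)
class Record:
    record_id: int   # primary key, exposed in the URL
    owner_id: int    # the only user entitled to read it
    body: str


# Constructed sample data: two users, one record each.
RECORDS = {
    101: Record(101, owner_id=1, body="Client A: matter notes"),
    102: Record(102, owner_id=2, body="Client B: settlement figures"),
}


def get_record_vulnerable(session_user_id, record_id):
    """Vulnerable version: looks the record up by primary key only.

    session_user_id is accepted but never consulted, so any logged-in
    user who edits the id in the request gets another user's data.
    Equivalent SQL: SELECT body FROM records WHERE id = ?
    """
    return RECORDS[record_id].body


def get_record_fixed(session_user_id, record_id):
    """Fixed version: object-level authorisation on every lookup.

    The owner is read from the record itself (never from the request) and
    compared with the authenticated session. Missing and not-yours fail
    the same way, so the error does not confirm which ids exist.
    Equivalent SQL: SELECT body FROM records WHERE id = ? AND owner_id = ?
    """
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != session_user_id:
        raise Forbidden(f"record {record_id} is not accessible to user {session_user_id}")
    return record.body


def probe(handler, session_user_id, record_id):
    """What a tester does: swap the id and see whether data comes back."""
    try:
        handler(session_user_id, record_id)
        return "leaked"
    except (Forbidden, KeyError):
        return "denied"


if __name__ == "__main__":
    # User 1 requests user 2's record through each handler.
    print("vulnerable:", probe(get_record_vulnerable, 1, 102))
    print("fixed:     ", probe(get_record_fixed, 1, 102))
    # The legitimate owner is still served by the fixed handler.
    print("owner:     ", get_record_fixed(2, 102))
```

The check belongs in the server-side lookup for every object a request names, not just at login: the second handler is the pattern a tester expects to find, and its absence is what the report would record as broken access control.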
Will they speak with your board or stakeholders if required?
Ensuring cyber security is discussed and understood at a senior level can be critical to an organisation's cyber security journey. Commitment and buy-in from the top down can sometimes be difficult to achieve. Your penetration testing partner should be happy to support you, conveying their findings and report in whatever form the client needs to gain the maximum impact. The team at PureCyber are regularly involved in presentations to boards, partners and senior staff to ensure the relevance and importance of the findings are understood and the cyber journey of the business is supported.
Is penetration testing worth it?
We admit we could be biased, but if you have any infrastructure, internal or external, that is reachable by an attacker, then we would suggest an appropriate level of penetration testing is a good investment for your business. There are a number of variables the team would use to outline the project size and the regularity of testing based on the initial scoping work; every customer is unique in their needs, but not one has wished they hadn't undertaken it.
Penetration testing is designed to identify vulnerabilities and risks before data is exposed, business continuity is affected and your business's reputation is damaged.
If you would like to discuss your needs for penetration testing, or how it can combine with additional services such as Cyber Essentials, IASME Assured, ISO 27001, EDR solutions, vulnerability scanning, phishing simulation and employee awareness training for your complete cyber security solution, please contact PureCyber here or email info@purecyber.com.