Pratum Blog

Penetration Testing, or Pen Testing as it’s often called, is a proactive approach to discovering exploitable vulnerabilities in your web applications, computer systems, and networks. It’s an overall test of your organization’s security.

A Pen Tester, or Ethical Hacker, will conduct a series of tests to make sure your cybersecurity posture is strong enough to withstand the potential threats you would face as a business. That is a simplified explanation, but the process as a whole is much more involved and important to the protection of your company in the long run. We’re going to explain what a Pen Tester is typically looking for, and why this process is a critical step in building up your cybersecurity program!

Benefits of Pen Testing

Before investing time and money into any project, you want to make sure it’s worth it for your business and the goals you have for the future. With Pen Testing, you have to ask yourself if you are 100% confident the security measures you have in place across the enterprise are suitable for the kinds of threats you may face. Through this process you can discover these vulnerabilities and begin to remediate the issues before an attacker is able to interrupt your business operations.

With a Pen Test, you’ll also be able to identify which threats need to be addressed more urgently. Cybersecurity risks are often considered at different levels. If the risk is high and would create significant issues for your company, it’s something you need to address quickly. Not knowing where threats are, or if they even exist within your company, could leave you open to more potential problems down the road.

Some breaches can be executed and used by attackers for years before anyone even knows they’ve occurred. A Pen Test can help identify gaps in your security process and trace any threats that may come up later or already exist within your network.

Necessity

Not only is Penetration Testing a benefit for your company, it may also be a requirement within the industry you serve. Pen Testing is regulated and required within healthcare, government systems, and financial services. Someone who is certified in Penetration Testing should be able to help you reach the requirements and standards your company needs to meet. Even if the industry of your business is not required to do Pen Testing, it can still be a beneficial step in your cybersecurity process.

Three key reasons you need to be Pen Testing your organization:

  • Secure Storage – Being able to secure your data and the systems you have in place is crucial to the success of any business. In many cases, client data is stored on a computer system of some sort. No matter where it is within the network, it could be vulnerable to an attack.
  • Interruption Analysis – If an attack were to happen and you were not familiar with the security processes in place, that could cause a significant interruption in your business operations.
  • Reputation Protection – Explaining a data breach to clients is the last thing any business wants to address. Not only does it hurt existing relationships, it damages brand image and can deter future business deals.

Phases of Testing

Now that you have a better understanding of why Penetration Testing is so important, let’s look at what the process entails.

1. Scoping & Pre-Engagement – Defining what the success criteria are.

2. Reconnaissance – Gathering information.

3. Discovery & Vulnerability Assessment – Testing authentication, data validation, and session management.

4. Exploitation – Verifying vulnerabilities and eliminating false positives and false negatives.

5. Analysis & Reporting – Consolidating and reviewing findings to report vulnerabilities.

Pen Testing addresses the overall security of a company. The tester looks at the processes in place to protect your business against threats, how they react, and how quickly they react. During this process the Pen Tester looks at two different components of the security process: devices and people.

Testing Devices

Think of all the devices used within your organization that may be connected to your internal network. Even seemingly harmless devices like printers and telephones could actually be a threat to your security if they’re not properly monitored and protected.

Any device that may be connected to your business network or internet connection can be used as a portal for threat actors to gain access to your system. That’s why Pen Testers take the time to evaluate the devices used in your organization to find where there may be gaps in security.

Testing People

While software and electronics may seem like the obvious threat to a cybersecurity program, the biggest issues typically come from humans. People are the most vulnerable aspect of a security system. Not only do employees have access to highly sensitive data, they also are subject to possible scams that a device would not fall victim to.

While testing the human aspect of your security network, a Pen Tester will evaluate which employees have access to sensitive data, and if that access is necessary. Many times, employees will have access to data, or channels to data, that is not required for them to do their job. A Pen Tester will be able to spot those potential threats.

Nearly every account online now requires a few extra layers of security. From answering questions about your first pet in order to check your email, to receiving a code through text message for a gaming app, there are more and more efforts to protect your online accounts. While it may feel excessive to some, these extra steps are important layers of protection designed to help you, known as Multi-Factor Authentication (MFA).

Definition of Multi Factor Authentication – National Institute of Standards and Technology (NIST):

MFA, sometimes referred to as two-factor authentication or 2FA, is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account.

Your credentials fall into any of these three categories:

  • Something you know (like a password or PIN)
  • Something you have (like a smart card, phone or token)
  • Something you are (like your fingerprint)

Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.

Protection of MFA

MFA is a simple way to boost your business’s cybersecurity strength. While other security programs and software can potentially be bypassed by a threat actor, a solid MFA is more difficult to hack. Not only will the hacker need access to your name and password, they’ll also need information from one of the other categories such as access to your smartphone or your fingerprint.

This sort of protection is especially important when dealing with business networks. Access to things like client data, employee information, and proprietary documents can be extremely valuable to a hacker. That’s why MFA is a good idea when protecting your business information. Before implementing Multi-Factor Authentication, each organization should do a Risk Assessment to determine its levels and sources of threats. The better you know where and how someone could infiltrate your system, the better prepared you’ll be to enable security, like MFA, in the proper places. You’ll also be able to see which members of your team need higher levels of security. For example, members of the executive team may need a stricter access process than someone working janitorial services. It’s all about examining the needs of your organization and working from there.

On top of protecting your business information from being stolen, you’re also protecting it from being damaged. Not all threat actors want to steal data. Some malicious attacks are done with the intent of destruction. Using a simple, extra layer of security with MFA can help protect your data from both.

You’re Already Familiar

The great thing about MFA is that most people are already using it! That includes most banks, credit card companies, Amazon accounts, college savings accounts, and investment and retirement accounts. Your employees have probably been using MFA for a few years now with their personal email and other accounts.

Since several large corporations are now requiring MFA, that should make the transition for your company even more seamless. People should feel more confident using MFA, since it’s been part of daily life already for many people using online services. The less confusion when introducing a new security program, the better!

It’s also something clients will recognize when you’re trying to explain the security of your business to help ensure confidence in business dealings. When you are able to tell a potential client you have MFA set up within your organization, that will help instill some confidence in your protection of their data.

It’s (Typically) Easy

Just because it works, doesn’t mean it has to be complicated. While much of cybersecurity can seem confusing and overwhelming, MFA is pretty straightforward. There are even free applications, like Google Authenticator, to set up MFA on personal devices.

When choosing an MFA program for your business, there are several options designed for organizations of different sizes. To choose the best option for your operation, talk with a cybersecurity consultant to determine what will work best for your needs.

Extra Security is Necessary

While anti-virus and firewalls are important, they’re not always effective alone. MFA can make your existing security measures even stronger. It may take a few extra steps and a little more time, but the benefits of MFA can greatly outweigh the additional work.

First decide where MFA is necessary in your organization, then determine which program is the best fit for your company. Once you have it established, continue to monitor the effectiveness of the MFA program and your cybersecurity as a whole. For more information on how to analyze your security strength and choose an MFA program, reach out to a cybersecurity expert with Pratum today!

Technology considerations when returning to the office

As more organizations prepare to head back to the office, there are several aspects of returning to work that need to be evaluated first. In our previous blog, “Cybersecurity Preparation for Returning to the Office”, we looked at the various aspects of returning to a shared workspace: social distancing, document shredding, and policies & procedures. One important area to remember is technical considerations.

You should have a plan in place to address things such as remote connectivity use and system protection. That’s what we’ll be covering here: the top technical considerations for returning to the office.

1. Check Connections

When working from home, many employees may have found new ways to connect to the internet or the office network. Something you should be asking yourself before these employees return to the office is: are VPNs or personal remote management software being used that your company isn’t aware of?

The longer these connections are established, the greater the chance of them being used as an attack vector. It’s important to perform a full review of your environment. Be sure to leverage existing security tools to validate that data is protected and restricted appropriately. This step can be done prior to returning to the shared work environment and should be repeated regularly for employees who work from home.

2. Inventory Software and Devices

On top of remote management software, you should also be checking for other software employees may have introduced to company devices. Perform a software inventory review on corporate devices as soon as possible. Evaluate whether software is approved or needs to be removed. It is also a good idea to review what devices are on your network to ensure they are approved devices.

Software such as LogMeIn, TeamViewer, pcAnywhere, etc. should not be used if it isn’t managed by the business. If these tools aren’t configured properly they could be used as an attack vector into the device or even the corporate network. EULAs and licensing terms may also be violated if these tools are used commercially under a personal license. Ask your employees what they have installed on their company devices and scan those devices once they are safely back on company premises.
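The software and device review in step 2 is, in practice, a comparison of an inventory export against what IT has approved. The following is an added example written for this page, not a Pratum tool: it reads a constructed CSV export (hostname, user, package, version, whether IT manages it), flags devices that are not on the approved list, flags the remote management tools named above whenever they are not managed by the business, and flags any other package missing from the approved list. The inventory rows, the approved lists and the column names are all constructed for illustration.

```python
"""Added example: review a software/device inventory export against approved lists.
Not from the Pratum post; all inventory data and lists below are constructed."""
import csv
import io

# Constructed inventory export: one row per installed package per device.
INVENTORY_CSV = """device,user,software,version,managed_by_it
LT-0017,jdoe,Microsoft Office,16.0,yes
LT-0017,jdoe,TeamViewer,15.2,no
LT-0042,asmith,LogMeIn,4.1,no
LT-0042,asmith,Zoom,5.8,yes
LT-0042,asmith,Chrome,96.0,yes
LT-0099,bwong,Microsoft Office,16.0,yes
LT-0099,bwong,TeamViewer,15.2,yes
HOME-PC,bwong,pcAnywhere,12.5,no
"""

# Constructed approved lists; compare case-insensitively on software names.
APPROVED_SOFTWARE = {"microsoft office", "zoom", "chrome"}
APPROVED_DEVICES = {"LT-0017", "LT-0042", "LT-0099"}
# Remote management tools named in the post: acceptable only when IT-managed.
REMOTE_ACCESS_TOOLS = {"logmein", "teamviewer", "pcanywhere"}


def review_inventory(csv_text: str):
    """Return a list of (device, software, reason) findings for follow-up."""
    findings = []
    flagged_devices = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        device = row["device"].strip()
        software = row["software"].strip()
        name = software.lower()
        managed = row["managed_by_it"].strip().lower() == "yes"

        # A device that IT does not recognise is reported once, not per package.
        if device not in APPROVED_DEVICES and device not in flagged_devices:
            flagged_devices.add(device)
            findings.append((device, "-", "unapproved device on network"))

        if name in REMOTE_ACCESS_TOOLS:
            # Managed deployments are fine; personal installs are an attack vector
            # and may also breach a personal-use license.
            if not managed:
                findings.append((device, software, "unmanaged remote access tool"))
        elif name not in APPROVED_SOFTWARE:
            findings.append((device, software, "software not on approved list"))
    return findings


def findings_by_device(findings):
    """Group findings per device so each machine can be scanned or remediated in turn."""
    grouped = {}
    for device, software, reason in findings:
        grouped.setdefault(device, []).append((software, reason))
    return grouped


if __name__ == "__main__":
    for device, items in findings_by_device(review_inventory(INVENTORY_CSV)).items():
        print(device)
        for software, reason in items:
            print(f"  {software}: {reason}")
```

Only unmanaged copies of the remote management tools are reported; the IT-managed TeamViewer on LT-0099 passes, matching the post's point that such tools are a problem when they are not managed by the business.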

3. Establish Protection

It is important to ensure all devices that communicate with the corporate network are routinely protected. That includes malware protection. Next-generation anti-virus or endpoint detection and response software should be used to continuously monitor for rogue or malicious activity.

Proper configuration, including alerting and monitoring, will inform IT/Security teams immediately. This helps address issues quickly and also minimizes the chance of an infected machine spreading to other devices.

4. Understand Limitations

Businesses should prepare for employees and their systems to come back to the office with potential threats, such as malware. This may leave IT and Security staff with limited resources to combat the issues.

Teams should evaluate whether a planned approach will ensure protections exist to identify compromised or infected systems before they can spread to the corporate network. Much as hospitals can be overwhelmed, IT/Security teams can get overwhelmed during a malware outbreak. Introducing multiple infected devices without the proper protection on them or on the corporate network could be devastating to a business.

Take the time to integrate devices back into the network slowly. Be sure scans are done properly, and not rushed to get the office space filled with employees again. Taking a methodical approach to scanning and re-integration may be the key to protecting your business from widespread cyber threats.

5. Prepare Staff

Many employees and businesses have taken certain liberties to ensure their business processes could continue to flow while working from home. These processes may not have been the most secure approach. It's important that any risks that were introduced are identified and mitigated.

Company security culture may also have slipped, for example through use of personal devices or improper data protection. Be sure to introduce additional user training once employees do return, to ensure these practices do not continue. This is also a great time to review how prepared your business was before the pandemic and take steps to be better prepared for future disruptions.

Planning out the best process to begin returning to the office should be a discussion between executives and IT/Security staff. Open communication will help them prepare the technical considerations that need to be established so the risk of a virus or other cyber-attack is limited. If you would like help determining the risks your business faces, or other cybersecurity concerns when returning to a shared work space, please feel free to reach out to the experts at Pratum!
