Everyday we read or hear the words Cyber Security…
The internet has revolutionised the world. This does however mean that the criminal world has also evolved and most major crime organisations invest in online crime. Terms like Phishing or WannaCry need no explanation.
Yes, you see large corporations in the news and hear about the thousands of customer records that have been stolen etc. But you don’t hear about the small businesses, local government organisations, and education sector organisations like schools, colleges, academies or universities that suffer from security breaches.
As a security focused IT business, we do see this and we realise that in reality, these large organisations have extensive budgets to spend on security solutions and the staff to manage it. This makes them complex targets. Often we hear a business owner saying “why would they steal my data?” It’s not just about stealing your data, it’s about your bank accounts, your staff or customer bank accounts, using your systems to compromise other systems or to hold you to ransom when your data has been encrypted and is crippling your organisation. It’s more scary than some science fiction novels, and you really can’t afford to ignore it just because it seems far-fetched and complex.
What is Penetration Testing?
Penetration Testing or Pen-Testing, sometimes also called Ethical Hacking, is a managed approach to breaching/penetrating an organisation’s security system or network by a qualified security consultant, to discover the threats or vulnerabilities in those systems which a malicious attacker may find and exploit causing loss of data, financial loss or other major damage.
These vulnerabilities may exist in the gateway security such as the firewalls, or public facing servers like email, remote access or an application. They could also be in operating systems, system services and application flaws, improper configurations, lack of patches and updates or risky end-user behaviour. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-user adherence to security policies.
The information about any security vulnerabilities successfully exploited through penetration testing is typically presented in a report explaining the test, the vulnerability and recommended solutions to help the IT and network system managers avoid these vulnerabilities being exploited by the bad guys.
Why perform penetration tests?
- It may be a contractual requirement from your customers
- If you require certifications such as Cyber Essentials or ISO27001
- Gives you visibility of your vulnerabilities before they are exploited and allow you to put fixes in place.
- Avoids data breach and loss of confidence with customer and suppliers.
- Avoids the cost of network downtime which could result in permanent damage such as all your data being encrypted.
- Avoids hefty fines from the ICO because you’ve breached GDPR.
- To meet regulatory requirements.
- Your customers and suppliers can be confident in dealing with you as you have shown that your systems are safe and you have taken a pro-active approach in doing so.
- If you have a large multi-site organisation and you are reliant on others managing the network, security becomes an even more complex task to manage.
- Ensure that your network security is up to scratch if you outsource to a IT Support business. It’s always best to have it checked by a specialist 3rd party that are not biased as they haven’t installed it and are not supporting it.
As you can see, obtaining penetration-testing software or hiring a pen-tester to test your network is a proactive way of protecting your network and business from risks before, attacks or security breaches occur.
What does a Pen Test involve?
Most customers need one of two scenarios: A 3rd Party Vulnerability scan to satisfy customer or supplier requirements, for an ISO Certification, or they need an actual Pen Test. Breathe can provide either. Our consultants are certified Ethical Hackers and can perform the testing you need to secure your network and keep the bad guys out or to satisfy your contractual obligations. Your testing can also be tailored to cover and specific requirements you may have.
Network Vulnerability Scan
Your test will follow a strictly defined strategy, including detailed scoping, intelligence gathering, vulnerability analysis, and infrastructure exploitation.
- Use of multiple scan tools for overall effectiveness
- Uncover vulnerabilities and poor security controls
- Expose insecure functionality
- Comprehensive after-action reports
Network Scan & Penetration Test
As with Network Scan plus the additional steps below with an easy-to-understand comprehensive report which explains each discovered threat and even drills down into key remediation advice:
- Test your network & infrastructure for weaknesses
- Identify and exploit uncovered vulnerabilities
- Check services, patch levels and configurations
- Network-layer penetration tests
- Application-layer penetration tests
- Injection flaws (SQL injections)
- Malicious file execution
- Information leakage and improper error handling
- Broken authentication and session management
- Insecure cryptographic storage
- Insecure communications
- Failure to restrict URL access
- Comprehensive after-action reports