Excuse me, have you been hacked?
By Nathan Hopkins
Interestingly or more ironically, I received more messages directly from my network asking me if my account had recently been hacked after I posted on LinkedIn about penetration testing than I had engagement in the post itself.
I found this hilarious. Firstly, as a penetration test itself is a tool to help people and organisations identify vulnerabilities to stop themselves from getting hacked. Yet there I was posting about preventing such events, but people thought I had been compromised myself.
Further to that, it was clear that despite the best efforts of technical departments, clearly everyday people or employees have a lack of understanding of the complexities and demands put on technical teams to maintain safe and protected systems and knew very little about the types of activities that go on behind the scenes.
It is obvious that there remains a need for further education about the risks and best methods available to prevent attacks. But it is also possible that my post was so bad that maybe I am not best placed to write an education piece on penetration testing. I will leave you to decide for yourself after reading this.
What is a Penetration Test?
It is a valuable tool in the kitbag that people and organisations can use to identify possible weaknesses in their IT estate.
A penetration test highlights specific vulnerabilities in an environment, network or application that attackers could use to gain access, compromising the confidentiality and availability of data within.
The process starts with scoping what’s being tested as this will be specific to each organisation’s goals and technology. Then searching for vulnerabilities and identifying those that may be exploited. Followed by gaining access to the system, a comprehensive test will then report on this with remediation recommendations to prevent hackers from doing the same.
These tests are done by simulating a genuine attack and can be completed with varying levels of access to start with.
Black Box – zero knowledge of the target system.
Grey Box – knowledge and access levels of a user on the system.
White Box – tester provided full access to the source code, architecture blueprints and provided with the admin accounts on the system.
Following a test, hopefully teams will rectify the issues highlighted during the test.
Why complete a penetration test?
It’s all about the data. Data is the most valuable asset in any organisation and it’s the data that hackers want to get their hands on and exploit. Here are just some of the ways they look to benefit:
- Ransom attacks
- Fraud – Identity, make purchases or apply for credit
- Sell on credentials
- Sell your IP and data in developing nations
These attacks are becoming more and more common in mainstream news. It’s not only bad for consumers to have their data being exploited and sold on the dark web but bad for the brands and the reputations of any organisation that’s been targeted.
If that wasn’t incentive enough to invest in these types of services to protect yourselves and your clients, then governments have also stepped in with regulatory policies that all organisations need to comply with around data handling. The Data Protection Act 2018 here in UK, which is in line with the EU’s GDPR policies needs to be abided by. UK Gov states that data has to be ‘handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage’.
These policies don’t explicitly state that companies need to complete a pen test to comply but as they say prevention is better than cure.
For many organisations looking to go a step further with their security posture, and work through to completing accreditations such as ISO27001, Pen testing is a vital element of any Information Security Management System. From an initial development project through to maintenance and continual improvement.
ISO 27001 objective A.12.6.1 (Technical Vulnerability Management) states that ’information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk’.
The shameless plug
I work for Escrow London who offer these services. Our penetration tests are custom designed to a company’s environment and needs, assessing specific aspects of the security infrastructure and the state of security of a company’s critical applications, networks, and systems. We have developed our procedures from years of experience responding to all kinds of cyber-attacks so if you require some assistance please get in touch.