Blog

Cyberattacks Never Stop: Why Penetration Testing Should Always Be on Your Radar

Marriott. T-Mobile. Carnival Corporation. These are just three of the many companies that disclosed security breaches in 2020 alone. And now, with attackers actively targeting providers of essential services, no organization is truly safe. What can your organization do to lower the odds of becoming the next victim? One of the most direct answers: penetration testing.

What is penetration testing?

The UK National Cyber Security Centre (NCSC) describes penetration testing as “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques an adversary might.” A penetration test goes further than a vulnerability scan: rather than just listing weaknesses, it attempts to actually exploit them, chains them together the way an attacker would, and puts the results in context so you understand the real risk to your organization.

There are five commonly used types of penetration tests: white box (the tester is given full information about the target ahead of time, such as architecture diagrams, source code or credentials; a test where only partial information is provided, such as a standard user account, is often called grey box), black box (also known as a blind test, where the tester starts with no information beyond what an outside attacker could discover), internal (the tester works from within the organization’s network, simulating a malicious insider or an attacker who has already gained a foothold), external (the “attack” is carried out from the internet against the company’s externally facing systems), and covert (also called a double-blind test, where only a small group of sponsors knows the test is happening, so the security team’s detection and response are tested as well). These types combine: an external black-box covert test is a common engagement. The combination your organization needs depends on the regulations you’re subject to, the assets in scope, and the goals you have for the test.

No matter what type of penetration testing your organization undertakes, below are my top five reasons why you need it sooner rather than later.

1. To test the effectiveness of your security controls

Part of the process of establishing a formal information security program is using an industry-recognized framework. The most popular frameworks are NIST SP 800-53, the NIST Cybersecurity Framework (CSF), and the CIS Critical Security Controls. Adopting a framework tells you which controls should be in place; it does not tell you whether they work as implemented. A penetration test does, which is why it’s good practice to have one performed once the controls have been rolled out, and again after significant changes.

2. To test the effectiveness of your incident response team

A penetration test is a great way for organizations to test their incident response team’s ability to respond quickly and effectively to a potential cyber emergency. This can be done by performing an unannounced penetration test that simulates a real intrusion, so you see how the team detects and reacts without warning, or by working alongside the team in what’s called a Purple Team engagement. In a Purple Team engagement, the penetration testers (the red team) execute attack techniques step by step while the incident response team (the blue team) watches for them in real time, so both sides can see which techniques were detected, which were missed, and where detection and response need to improve.

3. As part of a third-party attestation statement of your security program

In some cases, an organization will need to satisfy the requirements of a client’s or partner’s vendor management program. In cases like these, the partner or client may request proof that your network and systems are secure before they trust you with their data or connect to your systems. A penetration test can be performed to provide that verification, with the results summarized in what’s known as a third-party attestation statement: an independent tester’s statement of what was tested, when, and what was found.

4. To ensure compliance with regulatory requirements and security frameworks

Companies subject to regulations such as PCI DSS, GLBA, HIPAA, and SOX are periodically audited to ensure they’re in compliance. Some of these standards require penetration testing explicitly: PCI DSS, for example, requires internal and external penetration tests at least annually and after significant changes, performed by a qualified tester who is independent of the systems being tested. Others, such as HIPAA and GLBA, require periodic risk assessments and evaluation of security controls, and a penetration test by a qualified third party is one of the most accepted ways to evidence that. After the test is complete, a report is provided to the client, which may be requested by the auditor or the regulatory governing body for review.

5. To discover vulnerabilities in software or web applications that you’ve developed

Organizations that develop their own software or web applications should be performing penetration tests as part of the development process, and further down the road, too. This is especially true for web applications. Some organizations will have a penetration test performed when the application is first launched, but fail to test after further updates and configuration changes have been made. It’s those subsequent updates and reconfigurations that often lead to a compromise of the application: a new feature, a loosened access rule, or a debugging setting left enabled in production. And even if you’re not changing your application at all, the third-party code, modules or plug-ins it depends on are changing. Their providers may introduce vulnerabilities you’re completely unaware of, and vulnerabilities may be disclosed in versions you already run. This is why regular penetration testing, scheduled and repeated after significant changes, is so important for web applications.

Penetration testing is one of the best ways to assess your company’s vulnerability to cyberattacks. By engaging in the right combination of these tests, you find and fix weaknesses before an attacker does, and you reduce the chance of a potentially debilitating breach. The longer you wait to take this necessary precaution, the longer your systems remain exposed. Contact us today to take the next step toward digital security.



About the Author:

Joe Sullivan is a principal consultant at Sparq in Oklahoma City with over 20 years of experience in information security. He helps develop the company’s security consulting services and the teams that provide them. Over his career, Joe has worked in incident response, penetration testing, systems administration, network architecture and forensics, and he is a private investigator specializing in computer crime investigations. Joe also teaches information security classes for the SANS Institute.

 