The true test of your security defences is being attacked. Using the same tools and techniques as organised criminals, we attempt to break into your systems. This is known as a penetration test, or ethical hacking. Testing is only performed with proper authorisation and follows a clearly defined methodology. At the end of the test you will receive a report of the security issues found, their impact, and what you can do to fix them. Different systems carry different levels of risk, and tests can be tailored accordingly.
Many people assume that with firewalls and antivirus software in place, their systems are safe from attack. Every organisation that has suffered a network intrusion probably assumed the same. How do you know how well protected your systems and data are against a hostile attack? Have you actually performed a risk analysis of your critical areas and of the effectiveness of your security measures?
The biggest threats may be unexpected: perhaps a disgruntled employee seeking revenge, or a disaffected director with their eye on the customer database. They could equally be viruses and other malware that spread through a poorly configured e-mail system. Remote access and Wi-Fi services can also provide the back doors that let attackers in.
Apart from highlighting where your weaknesses are, testing has other benefits!
A test plan is designed around your most vulnerable information assets. Websites, e-mail systems and remote access portals are common targets. Testing then follows a logical sequence:
Tests may be run externally, to simulate internet-based attackers, or internally, to simulate an attacker who is an employee or who has otherwise gained physical access to your network.
A test is not complete if it does not consider the internal systems that hold the corporate “crown jewels” attackers are intent on stealing. For internal testing it is common to devise a set of attack scenarios representing the most likely types of threat. These scenario-based tests are built around simple questions such as:
At the end of the test you will receive a detailed, easy to understand report of the security issues, their impact, and what you can do to fix them.
Tests can be refined further according to the system and information at risk. Other options include: