Selling Penetration Testing to the Board


Know your vulnerabilities before cyber criminals discover them

June and July saw a spike in cyber attacks on organisations of all sizes, including Domino’s Pizza, Code Spaces, the World Cup websites, StubHub, CNET and – perhaps ironically – the Get Safe Online website. We expect to see this continue in August as attackers leverage high profile news as part of their attacks.

Cyber attacks – everyone is a target

Any Internet-facing organisation is under a constant threat of cyber attack, as the above examples show. In the majority of cases, cyber criminals are not discerning regarding their victims – the one thing they look for above all in a target is a network with vulnerabilities. So, could this be yours?

As we saw in the case of Code Spaces – a company forced out of business due to cyber attack – it is no longer just financial damage or reputation at stake: it is the whole existence of an organisation that’s at risk.

In July, a hotel booking website discovered that it had been leaking customer data. According to reports, this was due to a vulnerability centred on the use of unique web addresses to pull up customer data. The company is now out of business as a result of this attack.

If you don’t test your networks, the attackers will

Research shows that data theft may go undetected for months, and that most companies are unaware that they have been hacked. The Mandiant M-Trends® Report 2014 found that the average number of days that attackers were present on a victim’s network before being discovered was 229 – more than seven months.

A penetration test is a process of identifying exploitable security holes and vulnerabilities in an organisation’s hardware and software. It is designed to test networks, servers, applications, mobile platforms, laptops, wireless systems, printers and any other hardware or system that can store, transmit or process data – anything a cyber criminal could exploit to ‘take control’ of your systems.

Geraint Williams, QSA and Senior Consultant at IT Governance, says, “With the increasing complexity of website and network software, more security holes are being introduced. Security researchers are publishing information on vulnerabilities they discover. Announcements about exploitable vulnerabilities are often made public knowledge before systems are patched, which allows people with malicious intentions to exploit these weaknesses.

“Organisations are at a significant risk from attacks through automated botnets and automated scanning tools that test the ‘attack surface’ to see if there are any vulnerabilities that can be exploited. Any successful attack will incur significant remediation costs, loss of productivity and reputational damage. ‘Not testing’ could be a very costly process. If you don’t test your networks, the attackers will.”

Penetration testing and the board

The need for regular pen testing is also mandated by national and international management standards and frameworks – a fact that only stresses its importance.

Penetration testing is an essential component in any ISO27001-aligned information security management system (ISMS) – from initial development through to ongoing maintenance and continual improvement.

Version 3 of the Payment Card Industry Data Security Standard (PCI DSS) has made the pen testing requirements more rigorous than any of its previous versions. In the UK, meanwhile, the government has made external scans a mandatory requirement for the Cyber Essentials and Cyber Essential Plus certifications.

The board may not be expected to be well-versed in the technical jargon and the painstaking details of conducting a penetration test, but it is considered the board’s responsibility to ensure that the organisation does not face the type of consequences that forced Code Spaces out of business. For the CEO of retail provider Target, who resigned after the company’s massive data breach, the recognition of this responsibility must have been a bitter one.

And if penetration tests drastically reduce the chances of an organisation suffering a data breach, I wonder: what more reason do you need?

IT Governance, a CREST-accredited company, has released two brand new guides that will help IT professionals and system administrators build a board-level business case for penetration testing, as well as ensuring that they maximise the benefit of their penetration tests. They can be downloaded for free from


