Why hire people to breach your network?
As data breaches become more commonplace, littering the headlines on a daily basis, businesses of all types and across all industries need to work on the assumption that they are a target. Because of this, organisations, especially those who house sensitive, valuable and proprietary data, need to ensure that they have a solid security strategy, as well as an incident response plan in place.
"Any good security strategy needs to be a combination of technology, people and processes. Moreover, the strategy needs to be tested on a regular and ongoing basis," says MJ Strydom, Managing Director at DRS.
He says this is where penetration testing comes in. "What better way is there to prepare for an attack, than to have experts, who have the same skills that the cyber criminals do, see if they can breach your defences. This will ensure that the right protocols can be put into place should any real-world attacks happen."
Penetration testing (or pen testing) is essentially running controlled hacking exercises against a business network and systems in order to show how threat actors might be able to get in. It can see any number of manual and automated tests being performed on corporate networks, systems as well as individuals to determine if they are susceptible to an attack.
According to Strydom, the intelligence gleaned during these exercises can then be used to highlight and sort out any weaknesses that are found. This helps organisations to close any security gaps, and shut off possible attack vectors. "It also helps them to truly understand how attacks work so that they are better equipped to handle any actual threats that may occur in the future."
Remember, he says, that there is no silver-bullet solution when it comes to security. "The chances are that any hacker who is determined enough will eventually get in. At its core, security is nothing if not an exercise in lessening the attack surface to the very possible minimum. Cyber criminals will always take the path of least resistance, and go for the low-hanging fruit. The best a business can hope for is to make themselves a less attractive target than the next business."
He says companies should also follow the basics, and ensure that security efforts are concentrated on the most valuable assets first. "A lot of services, for example, don't need to be directly accessible to the Internet. Think before having a blanket approach to all resources. In addition, have two, or even three-factor authentication in place, especially for any services that would be high value should the business be compromised."
Also, don't just have a stringent password policy in place, actually enforce it, he adds. "A company can say they insist on strong passwords, but someone will always go the easy and memorable route. Insist on the strongest possible passwords, and make sure they are changed on a regular basis."
Remember, says Strydom, that humans are often the weakest link in a company's security chain. "Even the most security savvy employee can open a malicious attachment, or click on the wrong link. We all make mistakes, we all get distracted. Add to that the slew of devices flooding the enterprise thanks to BYOD, and the borders of the network get wider, and harder to control."
Complacency simply isn't an option. "Find out as soon as possible, and on a regular basis, where your weak points are, and where security posture needs to be improved. Any robust security strategy needs to be bolstered by thorough and ongoing testing, to make sure that confidential and proprietary data is better protected from increasingly complex and cunning cyber criminals."