Risks associated with cybersecurity threats and exposures motivate organizations to implement protective controls intended to keep their digital assets safe from malicious actors. Firewalls are installed at the network perimeter to keep unauthorized users out of the private network. Antivirus software is installed on workstations and servers to strengthen endpoint security. Sensitive data is encrypted, and strong password policies are enforced. These are just a few examples of how organizations build a cybersecurity control framework to protect themselves from bad actors.
We use a similar strategy to protect our physical assets. Our homes have locks on entry doors and windows, security systems to detect intruders, fences that keep people off private property, and cameras to watch for threats.
Protective controls are important to have in place, but it is equally important to test the effectiveness of the controls themselves. Have you ever left your home, shut the door, and then reached back to jiggle the doorknob to make sure the door is latched and locked? That is a test of a protective control. The same concept applies in the digital world: we must test our cybersecurity controls to ensure they are working as intended.
One common way to test the effectiveness of cybersecurity controls is to conduct a penetration test. Penetration testing is an exercise in which an ethical hacker simulates an actual cyberattack against your organization. They use the same tools, actions, and behaviors as a malicious hacker to identify weaknesses in your cybersecurity controls. We tend to assume that our firewall is keeping us safe, just as we assume our locked front door is keeping our home safe. But unlike the doorknob, a firewall cannot be jiggled by hand: the only way to know that a rule really blocks traffic is to send that traffic from the outside and see whether it gets through. This is why penetration testing is such a valuable exercise.
The benefits of completing a penetration test are as follows:
1. Test the effectiveness of your cybersecurity controls that you otherwise assume are protecting you.
2. Improve your cybersecurity controls after reviewing the results of the penetration test.
3. In many cases, help satisfy state or federal regulatory compliance requirements.
Penetration tests are completed in the following way:
1. Planning – During this phase the ethical hacker and the organization agree on the rules of engagement (ROE): the statement of work (SOW) for the test, the scope (which systems and networks are in bounds), and which simulated attack activities are acceptable.
2. Reconnaissance – During this phase the ethical hacker gathers as much information about the target organization as possible in order to build an attack strategy. They search public sources, look for credentials exposed in previous breaches, and scan the network for services with known vulnerabilities (tracked as CVE entries), among other activities.
3. Exploitation – During this phase the ethical hacker attempts to circumvent or compromise security controls by exploiting vulnerabilities or predisposing conditions (such as exposed credentials or misconfigured services) discovered during the reconnaissance phase.
4. Reporting – During this phase the ethical hacker compiles and documents their efforts into a report that presents their findings and recommendations for remediation.
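To make the doorknob analogy concrete for the firewall, and to show the kind of check an ethical hacker runs during reconnaissance, here is an added example that is not code from the original post: a small Python script that performs a TCP connect scan and compares what actually answers against what the firewall policy says should be reachable. The host, ports and allow list are constructed; the demo scans 127.0.0.1 with throwaway listeners it starts itself, so it runs offline. Against a real perimeter you would run it from outside the network against your public address range, take the allowed-port list from the firewall rule set, and stay within the rules of engagement agreed in the planning phase.

```python
"""Expected-exposure check: the digital equivalent of jiggling the doorknob.

Added example, not code from the original post. A plain TCP connect scan is
run against a host and the result is compared with what the firewall policy
says should be reachable. Anything reachable that the policy says is blocked
is a control failure. The demo targets 127.0.0.1 with listeners we start
ourselves, so it runs offline; hosts, ports and policy are constructed.
"""
import socket
from typing import Dict, Iterable, List


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect() to host:port completes the handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:          # refused, timed out, or unreachable
            return False


def check_exposure(host: str, ports: Iterable[int], allowed: Iterable[int],
                   timeout: float = 0.5) -> Dict[str, List[int]]:
    """Probe each port and classify it against the policy.

    allowed: ports the firewall policy says should be reachable from here.
    Returns three lists:
      unexpected_open   - answered, but policy says blocked (control failed)
      unexpected_closed - policy says reachable, but nothing answered
      as_expected       - observed state matches the policy
    """
    allowed = set(allowed)
    report: Dict[str, List[int]] = {
        "unexpected_open": [], "unexpected_closed": [], "as_expected": []}
    for port in sorted(set(ports)):
        is_open = tcp_port_open(host, port, timeout)
        if is_open and port not in allowed:
            report["unexpected_open"].append(port)
        elif not is_open and port in allowed:
            report["unexpected_closed"].append(port)
        else:
            report["as_expected"].append(port)
    return report


def _listener() -> socket.socket:
    """Throwaway TCP listener on a free loopback port (stands in for a service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    srv.listen(5)
    return srv


def demo() -> Dict[str, List[int]]:
    """Constructed scenario with one port in each category."""
    live = _listener()                       # a service that is really listening
    spare_a, spare_b = _listener(), _listener()
    live_port = live.getsockname()[1]
    wanted_port = spare_a.getsockname()[1]   # policy says open, but it will be closed
    blocked_port = spare_b.getsockname()[1]  # policy says blocked, and it is closed
    spare_a.close()
    spare_b.close()
    try:
        policy_allowed = {wanted_port}       # constructed policy: only wanted_port allowed in
        return check_exposure("127.0.0.1",
                              [live_port, wanted_port, blocked_port], policy_allowed)
    finally:
        live.close()


if __name__ == "__main__":
    for category, found in demo().items():
        print(f"{category:18s} {found}")
```

Any port in unexpected_open is the firewall equivalent of a door that felt locked but swung open. A port in unexpected_closed is usually a rule or a service that is misconfigured rather than a security hole, but it is still a gap between policy and reality, and those gaps are exactly what a penetration test is meant to surface.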
It is recommended that penetration testing be conducted on a regular basis, at least annually, and more often when significant changes are made to the environment. Deploying protective cybersecurity controls is a great accomplishment, but validating their effectiveness is what truly matters.
If you ever have questions about technology trends, we try to stay on top of them and are here to answer your questions, as well as discuss how they might affect your business. Email us at firstname.lastname@example.org or call 406-443-8386.