Defense from a 4-letter word

Would you pay someone to break into your office to test your security system?  Do you crash your car to check the airbag operation?  How about that parachute before you jump from a perfectly good airplane?  Birth control? Did Tarzan check all those vines before he jumped to the next one and started swinging?

These questions are not dissimilar to security and penetration testing for your business.  Organizations that have let their security maintenance lapse, especially with regard to patch and replace protocols, are the ones most affected by ongoing attacks, or a ‘hack’.

During the first half of 2017, the UAE averted 561 cyber-attacks on both public and private websites, according to DEWA’s CEO.

Saeed Mohammed Al Tayer, MD and CEO of Dubai Electricity and Water Authority, unveiled this during his opening address at the Enterprise Risk Management (ERM) conference. He added that the computer emergency readiness team at the Telecommunications Regulatory Authority (TRA) stopped the attacks in the first half, which accounted for 53% of the total attacks in 2016.

“This reflects the high frequency of hacking attempts on public and private websites,” he said.

From the 561 cyber-attacks, 284 attacks were made on government and semi-government websites and 277 attacks on private-sector websites.

How can I defend my business?

Regular updates as part of an annual maintenance agreement and ensuring the best practice in ‘patch and replace’ protocols is one important step.  Careful planning and using good security basics – like using VPN and SSL – will keep your data safe until you can get your devices patched and updated in the short term.

Security consists of protection, detection and response – and you need all three to have good security. Before you can do a good job with any of these, you have to assess your security. And done right, penetration testing is a key component of a security assessment.

There are a lot of different ways that penetration testing is described, conducted and marketed.  Often confused with conducting a “vulnerability scan”, “compliance audit” or “security assessment”, penetration testing stands apart from these efforts in a few critical ways:

  • A penetration test doesn’t stop at simply uncovering vulnerabilities:  it goes the next step to actively exploit those vulnerabilities in order to prove (or disprove) real-world attack vectors against an organization’s IT assets, data, humans, and/or physical security.
  • While a penetration test may involve use of automated tools and process frameworks, the focus is ultimately on the individual or team of testers, the experience they bring to the test, and the skills they leverage in the context of an active attack on your organization. Even highly automated, well-resourced, and advanced networks employing sophisticated counter-measure technologies are often vulnerable to the unique nature of the human mind.
  • A penetration test is designed to answer the question: “What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?” This contrasts with security or compliance audits, which check only for the existence of required controls and their correct configuration against a simple, predefined scenario.
  • A penetration test allows for multiple attack vectors to be explored against the same target. Often it is the combination of information or vulnerabilities across different systems that will lead to a successful compromise. While there are examples of penetration testing that limit their scope to only one target via one vector, limiting scope and vector yields limited real-world understanding of security risk.

What is the Value of a Penetration Test?

Here are a few of the reasons organizations invest in penetration testing:

  • Determining the feasibility of a particular set of attack vectors
  • Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
  • Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
  • Assessing the magnitude of potential business and operational impacts of successful attacks
  • Testing the ability of network defenders to successfully detect and respond to the attacks
  • Providing evidence to support increased investments in security personnel and technology to C-level management, investors, and customers
  • Meeting compliance requirements (for example, the Payment Card Industry Data Security Standard (PCI DSS) requires both annual penetration testing and ongoing testing after any significant system change)
  • Post security incident, an organization needs to determine the vectors that were used to gain access to a compromised system (or entire network). Combined with forensic analysis, a penetration test is often used to re-create the attack chain, or else to validate that new security controls put in place will thwart a similar attack in the future.

Penetration testing should be thought of as multiple micro-level tests that together provide a unique macro-level view of your entire security posture. No other security test available today can provide both a granular and a global view.  We work with our strategic partners to provide the best practices in penetration testing.

The most important thing you can do is focus your resources to close that gap between vulnerability disclosures and targeted exploits as much as possible.  We can help you with penetration testing and an annual maintenance agreement to ensure that you are protected.

Let us know how we can help: call us at Vector on 04 363 3301!
Vector Technologies, ‘The way I.T. should be’.
