
Is It Time for a Vulnerability Scan or Penetration Test?

By Rob Chapman

How much would you pay to prevent a security breach rather than having to pay to fix it after the fact? When I ask clients that question, they tend to think about it for a few seconds. And then, in almost every case, they state a dollar figure that’s much higher than what most preventative measures would actually cost.

However, very few of them proactively choose to take action. I guess that’s human nature to some degree. There’s always a bit of wishful thinking that the leaking roof or pinging car engine will somehow automagically fix itself. But that rarely works in real life.

If you’ve been wondering how to check the security of your network, computers, and other IT systems, there are several options to choose from. You can spend as much time, effort, and money as you want — either with service providers or your own in-house team. Or you can go through the motions to check off a few boxes that might give you a false sense that your business is protected “enough.”

The choice of testing ultimately comes down to where you’ll get the most value, and that can vary depending on your industry, what regulations or compliance mandates you face, and what your business’ risk management profile can tolerate.

Understanding Two Common Types of Security Tests

Two of the most common ways to gauge your security readiness are to run a vulnerability scan or penetration test. For the most part, these processes are just what they sound like. A vulnerability scan helps you identify weaknesses in your IT environment and predict the effectiveness of implementing countermeasures.

You can hire an external service provider, such as a Managed Security Service Provider (MSSP), to oversee a formal managed vulnerability program. Or you can take a DIY approach and perform the scan internally (realizing that any results are primarily for your own information-gathering process).

A penetration test goes much deeper into probing your IT infrastructure. Sometimes known as “pen testing” or “ethical hacking,” this process actively attempts to find security vulnerabilities that an attacker could exploit. It typically involves collecting information about the targets, identifying possible entry points, exploiting vulnerabilities, and reporting on the results.

Preparing for the Test

One approach that I find useful before you conduct any testing is to envision everything in your environment as part of either a “trusted” or “untrusted” zone. A trusted zone is basically an environment where you control access in or out. On the flip side, an untrusted zone might include systems over which you have no authority or control, along with external systems you must connect to.

The most vulnerable areas tend to be the thresholds where a trusted zone meets an untrusted zone. Security issues tend to occur when we allow an untrusted system to talk to a trusted system without being thoughtful about that contact.

One important thing to note: Over a long period of time, you will experience a security-impacting event. It’s not a matter of if, but when.

Learning to Take the Ego Hit

A friend of mine who has multiple convenience stores in Europe recently wanted some advice about hiring a security firm to do a third-party penetration test to satisfy specific compliance requirements. I encouraged him to do that if he wanted to get a true feel for how vulnerable his stores were.

I explained that the primary goal isn’t just to pass — it’s to learn about your environment. Testing isn’t necessarily cheap, but I’ve always found it to be a great value. Anyway, I’ll cut to the chase about my friend … he got thoroughly owned by that security firm. They were able to access everything — all the way to admin controls and root directories. Unfortunately, he had been assuring his executive team about how secure their IT systems were, and now he was scrambling to plug all the holes revealed by the penetration test.

I’ve been on both sides of the equation, as a tester and as a client. It’s not fun, and I’m very sympathetic to everyone involved. It’s probably the most humbling professional experience I’ve ever gone through. When you realize how exposed you are, it’s an extreme ego-hit, and it’s tempting to feel like a failure. But if you dwell on that feeling for too long, you’re kind of missing the point.

Defining a Strategy for Security Testing

I have a strong appreciation for vulnerability scanning and penetration testing because you get results in a controlled situation rather than an actual hack. There’s simply no faster way to learn about security.

If you’ve never participated in this type of testing, you might want to ease into the process with a vulnerability scan first and try to fix any major issues before you engage in full penetration testing. As you’re doing so, here are a few items to keep in mind:

  • Testing isn’t only about IT systems. You also need to consider the human factor (such as testing for phishing schemes and social engineering threats).
  • Your test should model a real-world experience, accounting for modern threats and attack methods.
  • It’s better to test proactively rather than having testing imposed on you by some outside authority.
  • If you complete the test without any issues, you should seriously question the results.
  • Once you’ve done the testing, take action to remedy any issues.

They aren’t necessarily fun, but they are revealing. And, if you do them correctly, security tests can be one of the best tools you have to protect your business.
