Unpacking penetration testing for SMEs | #ebizradio | #B2B | Caitlin Harrison


If the stories about breaches that have littered the headlines over the last few years have taught us anything, it’s that no business is too big or too small to be an attractive target for cyber criminals. One of the biggest fallacies about small and medium enterprises (SMEs) is that they are too small to reach the attention of cyber criminals. In fact, research suggests that as many as three out of five hacks target SMEs these days.

Because SMEs handle a lot of sensitive and proprietary data, such as credit and debit card numbers, they are enticing targets. Couple this with the fact that they lack the resources of their enterprise counterparts, so that their security is often inadequate, and they become low-hanging fruit for organised gangs of cyber crooks.

Due to the nature of today’s advanced threats, where it can take several hundred days to discover that a breach has occurred, SMEs would be wise to make sure they have not already been compromised. One way of doing this is through penetration testing.

MWR InfoSecurity’s Caitlin Harrison says that because pentesting is not an exact science, there are no hard and fast rules that can be applied to determine when it would be most beneficial. “In general, any application, website, host, service or network in an organisation where someone could benefit from interfering with or manipulating its normal functionality will require some level of security assessment.”

Any component that is critical to daily business operations or could substantially affect its ability to do business should be pentested before it is deployed, she adds. “Provided a small business is careful when they conduct a pen test, they are likely to benefit from testing their systems and components internally.”

The dangers of DIY

However, Harrison says adopting a DIY approach to pen testing is not without its dangers. “Firstly, there is the danger of insufficient testing. Security is a broad and dynamic field. Without exposure to multiple environments, platforms and configurations, a pen tester may lack the necessary exposure and experience to ensure that their assessment covers all of the relevant attack vectors.”

Moreover, she says penetration testing is about assessing how an application responds to unexpected input and unusual interactions. “Someone who has been involved with the development or deployment of a system will have preconceived notions as to how someone is supposed to use the system. This could prevent them from identifying crucial attack vectors.”

Next, she cites a false sense of security. “Penetration testing is intended to give a view of the overall security posture of a system component and an idea of what level of risk using that component might expose the business to. A DIY test might not be thorough enough to give a true indication.”

Unsafe tools can also be a problem. “Not all the pentesting tools available on the internet are reputable. Using a back-doored tool, or malicious software, could provide a third party with privileged access to sensitive systems.”

“Then there’s a chance of accidental damage to internal systems,” she explains. “Pentesting can be destructive, particularly when conducted by an inexperienced tester who is unfamiliar with the tools they are using.”

Best practices

However, DIY pen testing is better than no pen testing at all, and there are best practices to ensure it is conducted as safely as possible, says Harrison.

“Firstly, establish a methodology that covers everything from information gathering to injection to logic flow manipulation. This methodology should be based on information from a number of reputable sources. Use the methodology in all testing and be ready to update it when you come across new, useful information or techniques.”

Understand the latest trends and be knowledgeable on what is happening in ‘the wild’, as staying abreast of developments will allow pentesters to adapt their approach as needed. “Also, use trusted automated vulnerability scanners and tools in order to cover the basics of testing and identify any low hanging fruit.”

Next, start working security into the development life cycle. Make sure that all project phases, from conception, requirements gathering, design, implementation and testing, all the way through to deployment and, later, decommissioning, contain clear and focussed security activities. While these best practices may help, there are definite advantages to using professional pen testers, she says. “A security professional understands the complex and dynamic environment, and is familiar with the necessary tools and environments.”


Behind the scenes – Established in 2003, MWR InfoSecurity is a research-led information security consultancy, with a client list spanning the major world indices and Government agencies & departments. MWR consults with clients around the globe, providing specialist advice and services on all areas of security, from mobile through to supercomputers.

www.mwrinfosecurity.com – @mwrinfosecurity/@mwrlabs/@mwrphishd/@countercept


About eBizRadio

eBizRadio is a live multi-platformed social media service providing an online forum to the business community for holding conversations on the key issues related to specific businesses, as well as availing a space for cross-business collaboration in response to key issues affecting the world of business. The place to go if you want to know about business and lifestyle.