If the stories about breaches that have littered the headlines over the last few years have taught us anything, it’s that no business is too big or too small to be an attractive target for cyber criminals. One of the biggest fallacies about small and medium enterprises (SMEs) is that they are too small to attract the attention of cyber criminals. In fact, research suggests that as many as three out of five hacks target SMEs these days.
Because SMEs handle a lot of sensitive and proprietary data, such as credit and debit card numbers, they are enticing targets. Couple this with the fact that they lack the resources of their enterprise counterparts, so their security is often inadequate, and they become low-hanging fruit for organised gangs of cyber crooks.
Due to the nature of today’s advanced threats, where it takes up to several hundred days to discover that a breach has occurred, SMEs would be wise to make sure they have not already been compromised. One way of doing this is through penetration testing.
MWR InfoSecurity’s Caitlin Harrison says that because pentesting is not an exact science, there are no hard and fast rules that can be applied to determine when it would be most beneficial. “In general, any application, website, host, service or network in an organisation where someone could benefit from interfering with or manipulating its normal functionality, will require some level of security assessment.”
Any component that is critical to daily business operations or could substantially affect its ability to do business should be pentested before it is deployed, she adds. “Provided a small business is careful when they conduct a pen test, they are likely to benefit from testing their systems and components internally.”
The dangers of DIY
However, Harrison says adopting a DIY approach to pen testing is not without its dangers. “Firstly, there is the danger of insufficient testing. Security is a broad and dynamic field. Without exposure to multiple environments, platforms and configurations, a pen tester may lack the necessary exposure and experience to ensure that their assessment covers all of the relevant attack vectors.”
Moreover, she says penetration testing is about assessing how an application responds to unexpected input and unusual interactions. “Someone who has been involved with the development or deployment of a system will have preconceived notions as to how someone is supposed to use the system. This could prevent them from identifying crucial attack vectors.”
Next, she cites a false sense of security. “Penetration testing is intended to give a view of the overall security posture of a system component and an idea of what level of risk using that component might expose the business to. A DIY test might not be thorough enough to give a true indication.”
Unsafe tools can also be a problem. “Not all the pentesting tools available on the internet are reputable. Using a back-doored tool, or malicious software, could provide a third party with privileged access to sensitive systems.”
“Then there’s a chance of accidental damage to internal systems,” she explains. “Pentesting can be destructive, particularly when conducted by an inexperienced tester who is unfamiliar with the tools they are using.”
However, DIY pen testing is better than no pen testing at all, and there are best practices to ensure it is conducted as safely as possible, says Harrison.
“Firstly, establish a methodology that covers everything from information gathering to injection to logic flow manipulation. This methodology should be based on information from a number of reputable sources. Use the methodology in all testing and be ready to update it when you come across new, useful information or techniques.”
Understand the latest trends and be knowledgeable about what is happening in ‘the wild’, as staying abreast of developments will allow pentesters to adapt their approach as needed. “Also, use trusted automated vulnerability scanners and tools in order to cover the basics of testing and identify any low hanging fruit.”
Next, start working security into the development life cycle. Make sure that all project phases from conception, requirements gathering, design, implementation, testing, all the way through to deployment and, later, decommissioning contain clear and focussed security activities. While these best practices may help, there are definite advantages to using professional pen testers, she says. “A security professional understands the complex and dynamic environment, and is familiar with the necessary tools and environments.”
Behind the scenes – Established in 2003, MWR InfoSecurity is a research-led information security consultancy, with a client list spanning the major world indices and Government agencies & departments. MWR consults with clients around the globe, providing specialist advice and services on all areas of security, from mobile through to supercomputers.
www.mwrifodsecurity.com – @mwrinfosecurity/@mwrlabs/@mwrphishd/@countercept