Account Executive at Velocity Tech Solutions, Inc.
Let’s face it. You cannot turn on any major media outlet today without hearing about “hacking.” Whether it’s alleged hacks to affect an election, to attempt to take over a power grid, to steal health care records and information, or simply for someone to fill up their gas tank on your dime through simple identity-theft level hacking – cyber security is an issue for everyone everywhere!
We read about biometrics and dual authentication for everything from a POS purchase to
logging into a mobile device for work. This is being done for good reason. (Keep in mind, that some of the most embarrassing and comprehensive hacks tend to go unreported.) Even the “alleged” hack of the Central Bank of Russia, which of course took place during an “unspecified date of 2016” paid an alleged bounty of approximately $31mm USD to the attackers.
We read about terms like a “mega breach” where accounts are hacked in the tens of millions of users for applications such as Dailymotion which is of course much more pertinent to my friends using Android Apps or Google Play for video sharing sites such as Dailymotion (82.5 million users compromised in 2016.)
We read about these breach events weekly, and yet many of us do nothing because we do not know where to begin.
Even if you are in a current contract with a firm that is monitoring your network, or you have created on site, providing 24 hour active monitoring [with real, living, breathing humans in a SOC in addition to AI and automation and scanning etc.] it would be well worth your time to, at a minimum, have another party perform an External Pen Test to ensure that you are getting the level of protection that you are purchasing. This is also highly relevant to industries that are the most highly regulated (ie. HIPAA, NCUA, FDIC, GLBA, FFIEC, etc.) and must avoid any potential threat of impropriety or conflict of interest.
So, how does it work? For those of you who already know, contact me for a quote.
For everyone else, begin by gathering a quote from a trusted expert/vendor. They should quickly and easily be able to provide you the cost and timeline for what type of expense would be involved in a quick external pen test. Many of these firms should specialize in ethical website hacking and other cyber security issues such as documentation/policy writing, social engineering and employee awareness training.
In other words, you want to work a firm who specializes in Cyber Security. It must be their focus, and not something they offer “on the side” or “as a service.” If they work with a third party, be sure that this is disclosed up front. Any reputable company will proudly mention the name of their trusted partner.
You’ll need to provide the amount of Public IP addresses you have. They will then get you a quote. Should you come to agreement on pricing and choose to
proceed with the test – this is where things get exciting!!!!!!
Growing up, we watched Spy vs Spy, Get Smart, James Bond, Burn Notice, Alias, Hackers, Nikita, The Matrix, Mission Impossible, The Net, or any other series/movie where anything from espionage to hacking are the goal. Imagine you’re an ethical spy/hacker. This generation has Elliott, a cyber-security engineer by day and vigilante hacker by night (“Mr. Robot”) to show us how the underbelly of our society and the dark net operates. When you perform your pen test, you can assume your favorite persona to investigate your network.
What the penetration test will provide is a combination of the following:
Discovery – security analysts will gather and analyze information about your company. They will thoroughly test and identify all internet entry points while they prep for enumeration.
Enumeration – here analysts identify targets which were identified during the discovery phase to determine what type of host connection (i.e. web server, firewall, router, etc.) and operating systems (version and patch level) are in use.
Automated Scanning – security analysts use a myriad of tools to determine which potential vulnerabilities to exploit. Discovery and Enumeration phases allow the analysts to dial in the scanning tools to target their efforts, improve feedback, and rule out unnecessary scanning.
Intrusion Analysis – this is where the analysts provide the lion-share of their efforts. All results are collected to help you design a network attack plan. Scanning results are verified so false positives are ruled out and false negatives are explored. Breaches of your network’s defense system are also analyzed and a mitigation process is developed.
Results – For many companies, something such as a simple patch download will suffice to repair a chain of vulnerabilities. However, more often than not, the solution is more complex. Based on what findings are presented in your report, you will now have the knowledge on HOW to protect your network against malicious hackers outside your network perimeter.
An External Pen Test gives you a starting point. We all know we are vulnerable, but many of us lack the knowledge of where we are vulnerable. Schedule your quote today to review actual steps you can take to better protect your network for 2017.
Next topic: Internal Testing and Vulnerability Assessments from within your network.