- December 29, 2020
- Catagory Security
Penetration testing must be proactive, but many organizations often do theirs in response to an incident. Since the worst time to learn how to fight a fire is amid an inferno, the right security partner can help create an effective program to ensure regular testing that improves cybersecurity posture.
Before you even select a security partner for network penetration testing, you should set up guidelines for what might prompt such a test—and it’s not an emergency such as a data breach. Instead, think of milestones within the organization that might require a test of your information security. Aside from compliance obligations, common examples include a new web-based application that allow employees to access data remotely, a desktop or operating system refresh, or new network access points such as routers.
All these potentially can be misconfigured and present vulnerabilities that may not be immediately obvious to internal IT teams, who already have a lot on their plate.
Get a second security opinion
A security partner with deep and extensive penetration testing capabilities has experience that enables it to poke holes in information security and find vulnerabilities their customers won’t. It’s their business to be up to speed on the misconfigurations and current threats, including those in the latest software and hardware that might allow a threat actor to steal data or take control of a system.
An outside security partner can put together a penetration testing plan that considers your infrastructure, including new switches and servers, as well the motivations for doing the test: Is to meet compliance objectives? Satisfy a potential customer? Meet industry standards? If you’re not sure why you’re doing penetration testing but do understand it should be part of your information security program, a partner can help you understand the benefits.
Partner for the long term
Just as all penetration tests are created equal, neither are security partners who perform them, so you need clear selection criteria.
Ideally, you want partner with an organization over the long term, so you should take the time to evaluate the methods of a potential service providers, as well as the skill sets of the testers they employ. Understanding your compliance requirements to guide penetration testing is a good start, but you should work with your security partner to define your goals and make sure their capabilities are in alignment with them.
You also need to be prepared for them to find problems—set your ego aside. The whole point of penetration testing is to be able remediate problem areas and improve your overall security posture. Most of all, remember that testing shouldn’t be an occasional, scheduled, tactical activity to tick off boxes on a compliance checklist. It’s part of a broader exercise for protecting sensitive data and is a contributor to your competitive advantage—documenting and certifying your penetration testing can differentiate you in your industry and build trust and credibility with customers.
The right security partner can help you develop a penetration testing regime that’s driven by milestones in your IT environment as well as compliance requirements and critical business information that allows you to remediate threats iteratively and effectively.
- November 26, 2020
- Catagory Security
With security threats to organizations only increasing and privacy legislation continuing to evolve, penetration testing remains a critical tool for protecting sensitive data.
And as endpoints multiply thanks to an increase in remote work, there’s no airtight network perimeter, which makes it all the more difficult for organizations to safeguard sensitive data. For it to be effective, penetration testing must be done properly, and it’s more than evaluating network security. It must be viewed holistically as part of your broader information security program.
Most of all, penetration testing should be more than a box that gets ticked once or twice a year to meet compliance obligations, and it should tap the outside expertise of partner that can put your people, processes and technology through their paces.
Endpoints raise risk
With an exceptionally high number of employees working remotely, the threats posed by endpoints to sensitive data must not be underestimated, whether it’s smartphones, laptops and IoT devices, many of which reside outside the main firewall. One of the most common mistakes is assuming that spending a lot of money on software and hardware will automatically protect sensitive data, but you must also account for human behavior.
Having newer hardware with the latest operating system can mitigate risk, but even the latest greatest fleet of workstations will bring with them their own built-in vulnerabilities. These must be identified and managed based on how they are deployed and the cybersecurity awareness of the end user. This is especially true as more employees work from home—there are many ways to access data and applications that don’t involve hacking a network. All it takes is one poorly configured web portal to open access a domain to threat actors so they can take complete control infrastructure.
These same threat actors take advantage of human behavior as users fall for convincing phishing emails. They also exploit vulnerabilities in software and hardware that are often the result of a convenient feature by using botnets to scan for them even as most organizations are oblivious that they’re even at risk.
And if you think you’re not worth hacking because you’re a small organization, think again. Hackers see you as easy targets because they know you’re less likely to have the security technology, resources and best practices that larger organizations may have. The good news is that as a smaller organization you’re more nimble and agile so you can adapt and more quickly benefit from penetration testing.
Testing should be proactive
Not all penetration tests are equal, and ideally, they should be done before a breach, not after you’ve lost sensitive data.
Rather, you should identify milestones that would necessitate a test of your network security. A trigger might be a workstation refresh or major operating system update as they can often be configured in such a way that unwittingly opens door that can be entered by threat actors. And while compliance obligations should inspire penetration testing, it should be more often than an annual exercise to please regulatory bodies.
Because effective penetration testing takes a great deal of skill and expertise and can take time away from regular IT operations, tapping the expertise of an experienced service provider who can poke holes in your security and will find vulnerabilities goes a long way to protecting sensitive data. They’re up to speed on the misconfigurations and evolving threats that might let someone sneak in, as well as the common mistakes made when configuring enterprise networks and remote worker access.
If you want to truly protect sensitive data, take the results of any penetration testing seriously, even if it might reflect badly on your efforts today. You’ll be better off the in long run. Protecting sensitive data is an exercise in continuous learning that mitigates risk, and frequent penetration testing is a contributor to competitive advantage as it enables you to build trust and credibility with your customers while maintaining compliance.
Sanjeev Spolia is CEO of Supra ITS
- September 29, 2020
- Catagory Security
Many people have hit the six-month mark of remote working, while most of us are fully adapted, there also continues to be bad people around the world taking advantage of the new work-from-home reality.
For remote workers, it means to continuing to be vigilant about security as part of their daily work habits, while organizations as a whole must do their part to protect their themselves by employing cybersecurity best practices to thwart persistent threat actors.
If you’ve also experienced a security-related issue, don’t take it personally. You’re not alone. Even the World Health Organization (WHO) released a special statement warning against scammers purporting to be “official” communications. Having helped our customers for several months to facilitate remote work, we have seen an increase in security issues targeting end-users and organizations since the transition.
As always, we’re available for our customers and are support team is ready to assist with specific issues or helping with proactive configurations to help you shore up your security and optimize the remote work experience for employees.
Personal device use precautions
Ideally, remote workers should be using a company-issued workstation, but if that isn’t possible, be sure they’re taking the following steps to secure their laptop or workstation:
Ensure the PC is patched: Work through the Windows update process and install anu patches, especially if it’s been more than a month since the last update was done.
Install an anti-virus solution: Supra’s service desk can assist you in identifying and installing a software package that will meet your needs.
Lock the PC when not in use: Ideally, the workstation should be turned off when not in use, but at least lock the screen and disconnect from any VPN sessions to the corporate when not working. If the PC is shared with family members, configure a private user account protected by a username and password so that any work sensitive materials will not be shared amongst the family.
If you must use a home computer, try to separate personal use from business use and limit access to personal emails, downloading content, social media and other avenues of malware that could spread while using a personal device work purposes.
Good advice regardless of device
Whenever possible, you should use the workstation supplied to you by your office if you have one because they are typically configured with usernames and passwords, as well business-class security protection tools such as anti-virus software. Supra customers will have installed agents to assist with technical support and security monitoring.
Remote access sessions, whether it’s through a VPN or a remote desktop tool, should only be active while you are using them. If you’re stepping away from your workspace for a bit or finished remote work for the day, disconnect those tools.
As always, be wary of unsolicited emails or attachments from anyone, even if it’s from a work colleague, business associate, customer, vendor or external contact. Verify the authenticity of the communication prior to clicking on any link or opening any attachment, as email remains a popular method compromising systems.
And now for good news
Even though we’ve seen an increase cyber threats, Supra hasn’t seen any targeted attack against our customers, or our company in general. Most attacks that do happen are opportunistic and take advantage of a trusting user accessing a site or clicking on an attachment that looks legitimate, which means following best practices can go a long way to ensuring security for your organization as remote work continues to be the norm.
If you would like to explore other ways Supra can increase overall corporate security or improve collaboration amongst remote workers, get in touch and we can speak to you about the various options available.
Justin Folkerts is Supra ITS’ Chief Technology Officer