Most managers are happy with their decisions to invest in basic cyber security readiness measures such as strengthening their IT systems, periodic training, and updated policies and procedures, including incident response plans in case of a breach. However, while these defensive strategies are necessary, they are not sufficient to protect your organization!
With the increase in middle market cyber breaches, hacker sophistication, and diversification of threat vectors, companies must incorporate offensive security strategies into their cyber and information security programs. Managers need to better understand the nature of potential threats and leverage available tools and techniques that mimic the potential harm hackers can cause – in an ethical and predictable manner – to better test and validate their defenses.
Penetration testing, frequently referred to as pen testing, is one of the most common types of offensive security exercises. A pen test can target computing elements ranging from physical and wireless networks to machines on the system or business critical applications. The goal of a pen testing simulation is to discover some of the potential vulnerabilities that a hacker can take advantage of in order to infiltrate critical systems and applications.
Pen testing can be broken down into several categories – White Box, Grey Box, or Black Box – based on the level of background information provided to the tester. In a White Box approach, the tester is provided with extensive information regarding potential targets, including internally known system configurations, and the goal of the exercise is to focus most of the tester’s effort on exploiting vulnerabilities rather than performing host enumeration and vulnerability scanning.
In a Grey Box approach, the tester is provided with a bit less information, such as the specific hosts or targets, to see how a targeted attack might transpire. In a Black Box approach, the tester is provided with minimal information, such as only the company name, to attempt a system penetration similar to that which a hacker unfamiliar with the company would try to accomplish.
Companies that have done basic defensive work, such as conducting a baseline risk assessment, should consider conducting a pen testing exercise on an annual basis. The type and approach of the pen test to be performed will depend on the company’s IT security maturity level and recent changes or events impacting their environment.
Offensive cyber security strategies will not eliminate all risks from an attack but are extremely valuable in reducing the possibility of such attacks through a continuous state of readiness. Like any good sports team, defense can only take you so far. Strong offensive capabilities are imperative in order to achieve a winning streak!
Sassan S. Hejazi can be reached at Email or 215.441.4600.