Integrity Blog

What are the benefits of a penetration test? Some benefits are obvious, such as finding your network's issues before an adversary does, but others are long-term and more difficult to measure, such as maintaining a strong reputation for your brand. Cyber criminals can harm an organization in multiple ways, but penetration testing helps prepare businesses to protect against attacks.

1. Securing Data and Systems

Your organization is responsible for valuable data and systems. Customer lists, trade secrets, credit card information, access to client systems, proprietary code, and protected health information (PHI) are all highly valued by attackers. Even if you are not the primary target, you may become a conduit connecting hackers with desirable data. Vulnerability scanning and penetration testing help your organization assess the effectiveness of the information security controls designed to protect that data.

2. Preventing Business Interruption

Distributed denial-of-service (DDoS) attacks utilize compromised systems to overwhelm and debilitate an individual target. These attacks can last anywhere from a few hours to days. During this time customers are without service, and employees are left waiting for systems to restore. A penetration test can help gauge the impact a DDoS attack could have on your business operations.

What would happen if your organization lost access to its computer systems for several hours, or even days? It is easy to get accustomed to performing processes without interruption, but it is important to understand that a data breach could bring your entire business to a halt in a matter of seconds.

3. Protecting Your Brand Image

The out-of-pocket expenses incurred from a data breach can be costly, but damage to brand image and customer loyalty can be the biggest expense of all. Customers depend on your organization to protect personal and business information, and one negligent misstep can tarnish your reputation indefinitely. Brand trust takes time and energy to develop, but it can be lost in an instant. If customers feel unsafe sharing sensitive information, they stop being customers.

Whether you are required by regulations, clients, or you simply want to be proactive about security, penetration testing provides you with actionable information. The more you know, the better you can protect what’s valuable to you and your clients. Establishing a proactive security approach is integral in the protection of sensitive information.

Interested in Learning the Process?

Penetration testing is very technical and complicated, but it can be broken down into three basic sections. First you have to Detect Vulnerabilities, then you must Determine Exploits, and finally you Defend Against Attacks.

Detect Vulnerabilities

Vulnerabilities must first be detected before attempting to exploit them. Penetration testing engagements begin with a vulnerability scan and assessment. This process is designed to identify issues in your network infrastructure and web applications.

Determine Exploits

Once vulnerabilities have been identified, the next step is to exploit them in an effort to understand and identify the extent of the associated risks. Determining the pitfalls of your systems, network, and web applications will allow you to take action against threats.

Defend Against Attacks

Upon completion of the penetration test, ethical hackers provide technical and executive reports outlining risks and providing recommendations for remediating critical vulnerabilities. The best way to defend against attacks is by correcting weaknesses before an attack occurs.

Understand your weaknesses, and fix them. Successful businesses draw attention from attackers, and it is your responsibility to defend against them.

Penetration testing explained.

Penetration testing may be complicated, but conceptually it is simple to understand. Basically, pen testing is the act of hacking a system to better understand its security weaknesses. In doing so, an organization gains the information needed to begin strengthening or repairing its system(s). This infographic is designed to provide an overview of the penetration testing process, offering a simplified glimpse into a complex process.

Penetration Tester

Hack

Armed with intel gathered from social engineering and vulnerability scanning, the penetration tester begins bombarding the web application (or infrastructure or wireless system) with hacking attempts.

Gather

Throughout the penetration test, information is gathered and risks are identified.

Get Results

The results of the penetration test are prioritized and compiled in an executive report. Risks are labeled and described, and a proposed solution is provided.

Remediate

The report is used by the IT team to guide the subsequent risk mitigation process. At this time IT staff members and developers work to resolve high and moderate risk findings.

Validate

Following the attempt to fix the issues discovered in an external test, the penetration tester will validate the remediation efforts. This process confirms whether or not the remediation was successful.

  • Validated Input
  • Secure Authentication
  • Correct Security Configuration

SIEM Terminology

Security information and event management (SIEM) is a powerful tool that provides a holistic view into an organization’s technology security. To help you better understand SIEM and some of the most commonly used terms, we have provided the following list of definitions.

Device – Generic term for server, firewall, switch, workstation, etc. The term “network device” can be used to specifically refer to devices that interconnect the network, such as firewalls, routers, and switches, but does not refer to servers or workstations.

CMDB – Stands for configuration management database. The CMDB lists all the devices that are reporting logs to the SIEM. Each CMDB entry shows the device's health along with its current events per second (EPS). Devices with SNMP or WMI configured can also display numerous performance metrics.

SNMP – Stands for Simple Network Management Protocol and allows the SIEM to pull performance metrics from SNMP enabled devices.

WMI – Windows Management Instrumentation is another service that allows the SIEM to pull performance metrics. It works only on Windows devices.

Performance metrics – Devices configured with SNMP or WMI display various metrics, such as memory utilization, installed software, and uptime. Having SNMP enabled also allows the SIEM to pull metrics such as interface utilization, running software, and hardware information.

Syslog – Logging standard that allows devices to send their event logs to a logging server.

Event – An event is one entry of the log file that a device sends to the SIEM. A logon failure or a denied connection are examples of events.

Rule – The SIEM parses out attributes from events and correlates the logs with other devices on the SIEM. The logs are run against rules, which look for a pattern of events matching specified criteria. When a pattern is discovered, an incident is triggered.

Incident – An incident is a unique instance of a rule. Incidents provide the definition of the rule and the events that triggered the rule.

Ticket – Incidents create tickets, which enable analysts to review incident information. Once reviewed, analysts are able to decide whether or not a customer needs to be alerted.

Exception – An exception adds a condition to a rule to prevent it from triggering when specific conditions are met. For instance, a vulnerability scanner that runs regularly would generate an excessive number of tickets even though the traffic is legitimate. An exception would be added to reduce the rate of false positives created by the vulnerability scanner.

False positive – A false positive is when a rule triggers that doesn't represent a true security incident. See for a more in-depth look at false positives.

EPS – Events per second that a device sends to the SIEM. Changes in EPS may indicate that a device needs to be checked for configuration or security issues.
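The Event, Rule, Incident, Exception and EPS entries above describe one pipeline; this added example (not code from Integrity or any SIEM product) walks a small batch of constructed SSH syslog lines through it. The log lines, the IP addresses, the `ssh_brute_force` rule name and the four-failures-in-60-seconds threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog events (not from a real device); 192.0.2.10 plays the authorised scanner.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:03 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:04 fw01 sshd: Failed password for root from 203.0.113.5",
    "2024-05-01T10:00:05 fw01 sshd: Failed password for admin from 203.0.113.5",
    "2024-05-01T10:00:05 fw01 sshd: Failed password for scan from 192.0.2.10",
    "2024-05-01T10:00:06 fw01 sshd: Failed password for scan from 192.0.2.10",
    "2024-05-01T10:00:06 fw01 sshd: Failed password for scan from 192.0.2.10",
    "2024-05-01T10:00:07 fw01 sshd: Failed password for scan from 192.0.2.10",
    "2024-05-01T10:00:09 fw01 sshd: Accepted password for alice from 198.51.100.7",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<action>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<src>[\d.]+)$")

def parse_event(line):
    """One syslog line is one event; return its parsed attributes, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def brute_force_rule(events, threshold=4, window=timedelta(seconds=60), exceptions=frozenset()):
    """Rule: >= threshold failed logons from one source inside `window` -> one incident per source; exceptions never fire."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["action"] == "Failed" and ev["src"] not in exceptions:
            by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                incidents.append({"rule": "ssh_brute_force", "src": src,
                                  "events": evs[i:i + threshold]})
                break  # one incident per source: a unique instance of the rule
    return incidents

def events_per_second(events):
    """EPS over the batch's time span (span floored at 1 s to avoid dividing by zero)."""
    if not events:
        return 0.0
    stamps = [e["ts"] for e in events]
    return len(events) / max((max(stamps) - min(stamps)).total_seconds(), 1.0)
```

Without an exception the rule raises two incidents (one per source); adding the scanner's address to `exceptions` suppresses the one that would be a false positive while leaving the other untouched.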

Blocklist/blacklist – A list of hostnames, IPs, etc. that are blocked from network access. Typically, IPs are blacklisted to prevent users from accessing malicious websites or to prevent known malicious IPs from connecting to the network.

Whitelist – The opposite of a blacklist. Instead of blocking certain IPs, it allows access from specified IPs and blocks all others.

STM – Synthetic Transaction Monitoring (STM) monitors the availability of certain services, such as email servers or websites.

Discovery – A discovery is a process that searches for devices on the network. It attempts to resolve a host name and uses configured credentials to initialize monitoring for certain protocols.

Still have more SIEM questions? If so, contact us, and we will help answer them.
