Integrity Blog

A thorough penetration testing campaign involves social engineering, vulnerability scanning, and the manual hacking of computer systems, networks, and web applications. Follow this infographic to learn more about the various elements of a complete penetration test.

Follow the path of a penetration test with this insightful infographic.

Social Engineering - The hacking of humans

Phishing

Phishing is the process of crafting emails that appear to be from a trusted source and typically invite the recipient to either supply confidential information or click on a malicious link or attachment.

Pretexting

Pretexting involves the use of telephone calls to either obtain information or convince the user to unintentionally perform a malicious action. This is one of the most commonly used forms of social engineering.

Dumpster Diving

If not properly discarded, sensitive information may be discovered by hackers in waste receptacles and dumpsters.

  • Printed emails, expense reports, credit card receipts, travel information, etc.
  • Network or application diagrams, device inventory with IP addressing, etc.
  • Contact lists, notebooks, binders, or other work papers containing sensitive information

Facility Access

Hackers may rely on a physical approach to complement their technical attacks.

  • Piggybacking: A hacker’s method of entering a facility by following a group of employees or maintenance workers through a controlled door
  • Identifying unsecure areas: Hackers search for loading docks, maintenance entrances, designated smoking areas, or other locations that may not be well secured.

Vulnerability Scanning - Discovery of weaknesses

Network Security Health

Vulnerability scanning is an automated process that uses tools to search your systems for known security vulnerabilities. Scans are used to assess your company’s network security health and provide insight into risks that may directly impact your organization.

Penetration Testing - Manual exploitation

Proactive Security

Penetration testing is a proactive approach to discovering exploitable vulnerabilities in computer systems, networks, and web applications. Manual penetration testing goes beyond automated scanning and into complex security exploitation. Gaining a thorough understanding of vulnerabilities and risks enables the remediation of issues before an attacker is able to interrupt business operations.

Web Application Penetration Testing

Web applications often process and/or store sensitive information including credit card numbers, personally identifiable information (PII), and proprietary data. Applications are an integral business function for many organizations, but with that functionality comes risk. Penetration testing provides visibility into the risks associated with application vulnerabilities.

Network and Infrastructure Penetration Testing

Infrastructure penetration testing identifies security weaknesses in the systems on your network, as well as in the network itself. Testers search for flaws such as out-of-date software, missing patches, improper security configurations, weak communication protocols and ciphers, command injection, etc. Infrastructure penetration tests often include the testing of firewalls, switches, virtual and physical servers, and workstations.

Wireless Penetration Testing

Wireless capabilities can provide opportunities for attackers to infiltrate an organization’s secured environment - regardless of certain access and physical security controls. Wireless pen testing provides a map of access points in the wireless landscape. After gaining access to the wireless network, penetration testers attempt to exploit weaknesses in the network to gain access to privileged areas and demonstrate the potential impact of a wireless network breach.

Reports - Executive and technical

Penetration testers perform assessments, interpret the results, and provide reports for the tested organization.

Reports should function as a guide, providing valuable information that prompts action.

Nearly every business has a web application or a mobile application to allow a rich customer experience or provide employee workplace flexibility. Customers and employees can use these tools from any device, anywhere on the planet to interface with your most sensitive data. Most of the critical information a business deals with today is accessible via the internet in one fashion or another.

Just 10 years ago, most of this data was locked up in a data center surrounded by firewalls, barbed wire fencing and security guards. You had to be physically present to access it. Today, however, this isn’t the case. We’ve greatly expanded the availability of this data. And that’s a good thing. It has enabled an entirely new way to do business. It has fostered innovation and flexibility.

One thing that hasn’t changed with the times is how we log activity in this new and ever expanding world of access. These web applications and mobile applications in many cases don’t keep sufficient records of authentication successes and failures, data that was accessed, changes made to configurations or data, abnormal input, excessive report requests and similar activity.

This information is essential. Previously, security of data was ensured by securing the physical location and the infrastructure the data was stored or processed on. Now, that infrastructure is largely an unknown entity. Data owners have no idea whether the infrastructure their data is being accessed from is secure or not. This makes tracking access to the data that much more important. Understanding how data is being accessed, from where, by whom and how it is being used must be the new information security model.

Application event logging must become more robust in order to identify the threats against the data from sources no longer under your control. You can’t rely on anti-virus tools to protect data on systems you don’t own. Data owners need to track and monitor data security more than ever before. As with all event monitoring, don’t just look at this as a security tool though. Think about the operational intelligence you can get from understanding more about usage trends in general. Knowing when data is being accessed the most, from what location, language and device type could provide insight into new market opportunities you never knew existed.

Information security event logs are critical for ensuring the confidentiality, integrity and availability of critical systems and data. However, when big data techniques are applied to this data, a whole new wealth of knowledge can be gained to help drive your business further.
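The post lists the kinds of activity an application should record (authentication successes and failures, data accessed, configuration changes, rejected input, excessive report requests) but does not show what such a log looks like or how it is used. The following is an added example, not code from the original post or from Integrity; the event names, field layout, `audit_event` and `find_bursts` helpers, and the sample records are all this example's own assumptions. It emits one JSON line per event with the who/where/what/when fields the post calls out, and then runs a simple sliding-window check over those records to flag the "excessive" pattern the post describes.

```python
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed event categories, mirroring the activity the post says an
# application should record. These names are this example's, not a standard.
AUTH_SUCCESS = "auth.success"
AUTH_FAILURE = "auth.failure"
DATA_ACCESS = "data.access"
CONFIG_CHANGE = "config.change"
INPUT_REJECTED = "input.rejected"
REPORT_REQUEST = "report.request"

_log = logging.getLogger("app.audit")


def audit_event(event_type, user, source_ip, when=None, **details):
    """Build a structured audit record and emit it as one JSON line.

    Returns the record so callers (and tests) can inspect it. The fixed
    fields answer the post's questions of who, from where, what and when;
    `details` carries event-specific context (record id, changed key, ...).
    """
    when = when or datetime.now(timezone.utc)
    record = {
        "ts": when.isoformat(),
        "event": event_type,
        "user": user,
        "src_ip": source_ip,
        "details": details,
    }
    _log.info(json.dumps(record, sort_keys=True))
    return record


def find_bursts(records, event_type, threshold, window_seconds):
    """Return {(user, src_ip): peak_count} for actors that produced more than
    `threshold` events of `event_type` within any `window_seconds` span.

    Records are sorted by timestamp first so out-of-order delivery does not
    break the sliding window.
    """
    recent = defaultdict(deque)
    flagged = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] != event_type:
            continue
        key = (rec["user"], rec["src_ip"])
        ts = datetime.fromisoformat(rec["ts"])
        q = recent[key]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def sample_records():
    """Constructed sample data: one account failing to log in eleven times
    in under a minute from one address, plus normal activity by another."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    recs = []
    for i in range(11):
        recs.append(audit_event(AUTH_FAILURE, "alice", "203.0.113.7",
                                when=t0 + timedelta(seconds=5 * i),
                                reason="bad_password"))
    recs.append(audit_event(AUTH_SUCCESS, "bob", "198.51.100.4", when=t0))
    recs.append(audit_event(DATA_ACCESS, "bob", "198.51.100.4",
                            when=t0 + timedelta(seconds=30), record_id="cust-42"))
    recs.append(audit_event(CONFIG_CHANGE, "bob", "198.51.100.4",
                            when=t0 + timedelta(minutes=2),
                            key="export.max_rows", old=1000, new=100000))
    return recs


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    recs = sample_records()
    # Flag any actor with more than 10 failed logins inside one minute.
    print(find_bursts(recs, AUTH_FAILURE, threshold=10, window_seconds=60))
```

Because every line is self-describing JSON with a UTC timestamp, the same records can be shipped to a log collector or queried later for the operational questions the post raises (which users, locations and times account for the most access), without changing the application.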


IT Vendor Management has gotten a lot of attention lately due to the increase of organizations outsourcing technology services. Although vendors often provide a lot of value to organizations, there can be a high level of risk associated with them. A recent survey conducted by Bomgar shows 69% of respondents said they definitely or possibly suffered a security breach resulting from vendor access within the last year.

If you’re part of a large organization that doesn’t already have an established vendor management program, your head is probably spinning thinking about all the different vendors you use and how to assess them. Even in smaller companies it can be an overwhelming task. It takes time to mature a vendor management program, so take a deep breath and follow these steps to get started.

1. Identify Vendors

If a vendor list has never been created or maintained within your organization, identifying your IT vendors can feel like a daunting task. Make sure to work with a representative from each business unit or department, and ask them to prepare a list of their IT vendors and a short description of the type of service being provided. If you are part of a large organization, it is best to start with critical IT vendors.

If you answer YES to any of the following questions about a vendor, they should be added to the critical list.

  • Does the vendor have access to your organization’s network or systems?
  • Does the vendor have access to your organization’s data?
  • Does the vendor have access to Personally Identifiable Information (PII), Personal Health Information (PHI), etc.?

2. Prioritize Vendors

Once you have identified your IT vendors and categorized them based on their access level, it is time to think about the criticality of the service they provide. If their services became unavailable to you, how would that impact your organization? How long could your organization continue doing business without their service? Your vendor’s ability to respond to a crisis or disaster may have a direct effect on your organization’s business continuity efforts. Prioritize your list of vendors to match their importance to your business operations.

3. Create a Schedule and Process

Most organizations don’t have the time or resources to audit all of their IT vendors at one time. Create a schedule to extend the efforts over the course of a year. From your prioritized list, create a timeline that outlines which vendors you are going to audit and when. You may start with only 2-3 vendors a month, and that is okay.

The second part is to create a process and a plan that includes at a minimum the following:

  • Establish the owner of the vendor relationship. This individual is responsible for communicating with the vendor, collecting the information, staying on schedule, etc.
  • Understand the type of information you will be requesting. This could be compliance/security reports or your organization may require the vendors to complete a security questionnaire.
  • Know where the information will be stored. Designate a central repository for all information pertaining to that vendor. This helps to keep the assessment organized and allows the process to go much quicker and smoother.

4. Track & Monitor Vendors

It is likely that you will identify a vendor that does not have adequate safeguards in place to properly protect your organization. However, if the vendor has an acceptable remediation plan for the gap, and your organization has decided to continue to use their service, it’s imperative to track the progress and ensure the gap is resolved in a timely manner. Vendor management is an ongoing process. Some gaps can take months to resolve, so having a process in place to track them will help immensely.

These steps give you a high-level overview of auditing your vendors. Critical IT vendors should be audited on at least an annual basis to ensure their security is continuing to grow with new and evolving threats. Keep in mind, it takes time to mature a vendor management program and it’s impossible to eliminate all risk from your vendors, but there are ways to manage it. I’m sure you’ve heard the saying, “you’re only as strong as your weakest link”. Cliché, I know, but your organization really is only as secure as your vendors. Just ask Target and Home Depot.

Reference: https://www.bomgar.com/assets/documents/Bomgar-Vendor-Vulnerability-Index-2016.pdf