Today, it is hard to find a business that is not in some way connected to the Internet and cyberspace. The expanding role of cyberspace has created new business opportunities for organizations that were simply not possible just a few years ago. Further, cyberspace is ubiquitous with no geographic boundaries. This opens the door to customers all around the globe.
Unfortunately, the same cyberspace used for lawful commerce and business automation provides a surface of attack for criminals. A growing number of individuals and groups are using cyberspace to unlawfully duplicate, distribute, or destroy confidential electronic information. The target data includes financial reports, employee salary, customer lists, passwords, trade secrets, marketing plans, identity information, and payment card numbers. This data has become a form of currency in some cases.
This currency is in an electronic format that a traditional safe or lock cannot adequately protect from theft. Physical and logical controls that had protected this data in the past can now be circumvented with just a few careless clicks on a website or a phishing email. The source of the threat might be half way around the world. Physical proximity is not required for cybercrime. Criminals have learned to use cyberspace to target businesses in countries of other jurisdictions, making law enforcement much harder.
In a 2017 study conducted by Corporate Board Member & FTI Consulting, Inc., nearly 500 corporate directors and general counsel were surveyed (FTI, 2017). Survey results showed managing Cyber Risk as a top concern. According to Thomas Brown, Senior Managing Director in the FTI Consulting Global Risk & Investigations Practice,
“Cyber risk’s pervasive nature presents an existential threat to the operation, reputation and bottom line of virtually every company, regardless of industry. The priority that board members and general counsel place on cyber security and data protection not only reflects this reality, but is entirely in line with our experience assisting clients to address this threat.”
The reason for this concern is there are several business direct and indirect losses associated with cybercrime and data loss. Direct losses include professional services fees (e.g., attorney fees, public relations services, temporary call center services, forensic experts, auditors, temporary IT staff augmentation, consumer credit monitoring, etc.), asset replacement (e.g., archiving tape replacement, Point-of-Sale hard drives, consumer credit card replacement, etc.), logistics (e.g., travel and living expenses for incident response teams, shipping expenses, consumer mailings, etc.), fines, business continuity expenses, and new security controls necessary to prevent future attacks of similar method (e.g., new firewalls for additional segmentation, new intrusion prevention technology, website coding changes, software updates, security patch deployment, etc.).
Indirect losses can also be significant including drop in revenue, missed business opportunities, delayed project and product rollout, increased vendor service fees (e.g., credit card payment processing fees, future auditing services, etc.), security awareness and technology training, and additional recurring operational expenses to sustain new security controls. In the 2012 report “Measuring the Cost of CyberCrime” (Anderson, 2012), the hidden costs of cybercrime, including defense and indirect costs, exceed that of direct costs. Unfortunately, many of these direct and indirect expenses are unplanned and not in budget. These events can have a negative impact on an organization’s cash flow, liquidity and brand.
In addition to financial impact, cyber breaches can cause broad collateral damage to members of a victim organization. First responders, forensic experts, IT staff, legal counsel, call centers, human resources, and management can be consumed by the commitment of time and effort associated with data breach response. Further, a cyber breach can cause major organizational shake-ups and impact the career of business leaders. History shows that CEO, CFO, and CIO are not immune to the fallout of a data breach incident. For these organizational leadership roles, the response to the cyber breach is as important as the prevention efforts prior to the breach.
Cyber breach prevention (defense) is commonly associated with IT and Security. In many cases, organizations also assume that response to a cyber breach is substantially an IT or Security function. Though they both serve a key role, a data breach demands a planned response coordinated across many internal teams including Finance, Legal, HR, PR, IT, Commercial Operations, Customer Service, Finance, and Vendor Management, as well as external teams including law enforcement, state attorneys, regulators, vendors, media, and consumer advocacy groups. Leading all these teams during a crisis might not be the domain of responsibility for IT. Further, IT might be fully engaged in the technical demands of the incident handling that there is limited capability to perform other crucial duties.
Many organizations will conduct a penetration test because they may suspect or know that they have already been hacked and now want to find out more about the threats to their systems so that they can reduce the risk of another attack. Conversely, an organization may also be proactive and want to know in advance about any threats that face their organization as a whole or a new system before it goes live.
Hitachi Systems Security’s Penetration Testing service goes beyond the limitations of automated scanning and instead provides you with an understanding of real-world risks posed to your organization from the perspective of an attacker. A prioritized risk rating takes multiple business-driven criteria and maps them to your business objectives. Our technical security tests and penetration testing services help you protect your corporate and customer information, comply with industry and government regulations, and preserve your organization’s integrity and reputation.
Developing a detailed threat profile, provides organizations with a clear illustration of the threats that they face, and enables them to implement a proactive incident management program that focuses on the threat component of risk.
Organizations are facing new types of advanced persistent threat (APT) scenarios that existing risk management programs are not able to evaluate completely and incident management programs are not able to defend against. Customizing a framework on how to gather threat related information so that detailed threat profiles that include APTs can be developed for organizations is critical.
These threat profiles can be used by an organization’s risk management team to record information about threat actors, scenarios, and campaigns that may have been launched against them. The threat profiles will provide incident management teams with threat intelligence information that they can use to analyze individual threat scenarios or threat scenario campaigns and enable them to anticipate and mitigate future attacks based on this detailed knowledge about the threats.
Penetration Tests are carried out by employing the same techniques as an attacker located outside your infrastructure and verify if your servers or applications will resist hostile attacks and if the identified vulnerabilities can lead to further intrusion and exploitation. This is performed as a confidential partnership, according to an agreed-upon scope and without revealing any information about your environment.
The steps performed during a penetration test include:
For many organizations the foremost benefit of commissioning a penetration test is that it will give you a baseline to work upon in order to mitigate the risk in a structured and optimal way.
A penetration test will show you the vulnerabilities in the target system and the risks associated to it. An educated valuation of the risk will be performed so that the vulnerabilities can be reported as High/Medium/Low risk issues.
The categorization of the risk will allow you to tackle the highest risks first, maximizing your resources and minimizing the risk efficiently.
Business continuity is usually the number one security concern for many organizations. A breach in the business continuity can happen due to a number of reasons. Lack of security is one of them.
Insecure systems are more likely to suffer a breach in their availability than secured and hardened ones. Vulnerabilities can very often be exploited to produce a denial of service condition which usually crashes the vulnerable service and breaches the server availability.
Penetration testing against mission critical systems needs to be coordinated, carefully planned and mindful in the execution.
Penetration testing is an effective way of ensuring that successful highly targeted client-side attacks against key members of your staff are minimized.
Security should be treated with a holistic approach. Companies only assessing the security of their servers run the risk of being targeted with client-side attacks exploiting vulnerabilities in software like web browsers, pdf readers, etc. It is important to ensure that the patch management processes are working properly updating the Operating System and third party applications.
A security breach could affect not only the target organization, but also their clients, partners and third parties working with it. Taking the necessary actions towards security will enhance professional relationships building up trust and confidence.
The compliance section in the ISO 27001 standard requires managers and system owners to perform regular security reviews and penetration tests, undertaken by competent testers. PCI DSS also addresses penetration testing to relevant systems performed by qualified penetration testers.
A snapshot of the current security posture and an opportunity to identify potential breach points. The penetration test will provide you with an independent view of the effectiveness of your existing security processes in place, ensuring that patching and configuration management practices have been followed correctly.
This is an ideal opportunity to review the efficiency of the current security investment. What is working, what is not working and what needs to be improved.
A good PR and brand position built up during years and with considerable investment can be suddenly change due to a security breach. Public perception of an organization is very sensitive to security issues and can have devastating consequences which may take years to repair. Obviously Yahoo, Chipotle, Target and many others have experienced data breaches and in these as well as most other cases, traditional perimeter defenses were used and the latest security technology employed, however, hackers and the malware they develop are clearly a step ahead at this point.
Penetration tests have become the primary tool to definitively gauge an organization’s security posture or security maturity and to understand from a hacker’s point of view where the vulnerabilities lie in the organizations and if exploited, what damage can be done. However, like a check-up, periodic test or service, the quality of the professionals, in this case a red team, ethical hackers, or IT security professionals are critical to delivering results and recommendations geared to improve the organization’s defenses.
If you Google “Penetration Testing” 8 million results are displayed, so as you can imagine not all penetration tests are conducted in the same manner with the same quality and recommendations. A quality penetration test should not only test the vulnerabilities of the systems, but also deliver a detailed gap analysis with recommendations concerning where to invest to fortify weaknesses and how to improve overall IT security maturity.
Our recommendation is to be certain that the penetration test methodology and subsequent insights should provide you with a baseline from which to improve and subsequent, periodic penetration tests should measure and confirm the progress your organization makes toward implementing a cost effective security posture from a risk management standpoint.