Cyberattacks are a known threat in today’s IT environment. As InfoSystems leaders and technicians stress, the question isn’t if it will happen but when it will happen. Pen testing is one tool that enables leaders to strengthen cybersecurity within their company and go on the offense against potential hacks.
Cybersecurity threats make headlines on a regular basis, including the December 2020 SolarWinds attack, which affected more than 100 private companies and nine federal agencies, and the more recent Microsoft Hafnium attack, which left tens of thousands of organizations compromised. The pandemic may have accelerated some attacks and increased threats as employees work remotely, potentially exposing a company’s private data and networks.
Going on the Offense
As company leaders and CIOs evaluate the evolving threat landscape, a trusted cybersecurity expert can serve as a useful asset in taking an offensive stance, proactively identifying vulnerabilities and addressing them to reduce risk.
Through penetration testing, commonly known as pen testing, businesses can best understand potential vulnerabilities. This simulated cyberattack arms companies with knowledge of security gaps in a controlled environment.
“Pen testing takes a company on the offense,” says Fred Cobb, Executive Vice President and Chief Information Officer at InfoSystems. “Pen testing acknowledges that any cybersecurity defense can possibly be breached. Any network can be penetrated — but what will you do about it?”
Most security flaws occur during software development and implementation, through email phishing scams, and through possible design or configuration errors. As Cobb says, pen testing doesn’t catch everything. But it can strengthen a company’s overall cybersecurity posture, informing strategies for prevention.
Red Team vs. Purple Team
InfoSystems brings a depth of experience and a phased approach to each client pen test. The process guides leaders and employees through an in-depth evaluation to determine overall security and identify vulnerabilities.
As Cobb explains, there are multiple styles of pen testing:
- Red teaming is an extended engagement between InfoSystems and a single company contact, typically the domain administrator. The rest of the company is unaware of any active penetration. After the exercise is complete, InfoSystems provides an in-depth analysis describing if and how the tester breached the network and accessed data. This data can be used to amplify a company’s defenses.
- During a purple team pen test, most company employees are aware of the presence of a cyber defense team, who will come in and demonstrate an attack. This exercise gives an insider’s look into a hacker’s strategies and how they operate in real time. The company can then take measures to prevent a real attack from happening.
Similarly, pen testing can occur internally or externally.
- External testing begins in cyberspace, where a tester has access only to what an organization shares publicly, such as an IP address or other assets that can be viewed on the web. Reconnaissance begins, and the tester attempts to gain access and breach the network.
- Internal testing begins under the assumption that the hacker has already accessed the company’s network. They’re keeping a low profile, and any domain admin is unaware of their presence. These testers will aim to leverage vulnerabilities to do the most damage.
“It’s crucial for companies to understand their defenses in all of these scenarios,” Cobb says. “More companies recognize the value in these services and are intent on protecting their networks and data. InfoSystems delivers strong results for pen testing — our technicians, equipped with a hacker’s mindset, understand the nuance and creativity that goes into a cyberattack and can execute a highly effective pen test.”
Pen testing is just one step toward incremental change in the cybersecurity landscape for a company. These tests, and the testers who run them, help businesses identify weaknesses, even with existing cybersecurity defenses in place, and develop a strategy to strengthen them.
Interested in learning more about pen testing and how it can keep your organization safe? Contact InfoSystems today.