IT Risks Associated with Outsourcing Penetration Testing (Ethical Hacking)

LAZgroup SA (Dr.Kretov Kirill)

Introduction

Presently, the idea that information governs the entire world is nothing new. The faster a business develops its technological and knowledge base, the greater the likelihood of malicious access to its information. Commercial, financial, managerial, HR and other data are of interest not only to the company where they are created and used, but also to its competitors, and to anyone who can take hold of them for further unauthorized use and resale. The need for data security is constantly growing.

Data security is a state of information protection in which integrity, availability and confidentiality are ensured. Integrity means that information does not change while it is stored or transmitted; availability means that authorized persons can access and use the data at any time; confidentiality means that the information is unavailable to those who lack sufficient and lawful authorization to access it.

An information security audit may be used to ensure data security. Generally, an audit is performed to estimate the current level of data security, to evaluate the risks that arise while information is stored and used inside the company, and to determine the high-priority measures that will minimize those risks and the threat of information leakage. During an audit, the level of protection provided by the automated system is revealed, and the statistics gathered help determine the further steps needed to reach complete information security in the business.

Security audit types include penetration tests (or "pentests"), which apply various vulnerability-search methods and intrusion techniques against the company's information systems from the outside, for example over the Internet. Penetration tests are mainly performed to estimate the company's overall level of protection from external threats and directed attacks, and to document the vulnerabilities found and develop a catalogue of them.

Generally, the testing procedure includes three steps, each comprising a variety of quite specific jobs. The first step covers planning and preparation of the operation. The second step is the penetration of the automated system itself, and the third step is report creation and, possibly, recommendations to improve data security.

Most often, a business admits penetration testing when it needs to evaluate possible damage from malicious activities, to estimate the security level of specific company information assets, to discover the most vulnerable places in its information security system, or to measure the actions taken by company personnel in case of penetration attempts.

However, one must not believe that the testing procedure guarantees complete protection for the business. Sometimes this is simply not true, since any penetration attempt can have unexpected and crucial consequences for the audited company. There are two major groups of risks that should always be borne in mind.

Risks Caused by the Testing Company

The first group of risks is caused directly by the company that performs the security audit of the customer company. In other words, a company wishing to have reliable data security checks whether its information is accessible from the outside by intentionally making it accessible, because a large number of vulnerabilities are often revealed during pentests and the testers gain access to the protected data.

Is it actually so bad? When a customer wants penetration tests performed, it signs a non-disclosure agreement with the testing company. Although most companies think this is enough, each penetration test brings additional risks. We ought to bear in mind that each auditor group consists of persons, and the human factor cannot be ignored.

To start with, it is the human factor that makes different penetration testing companies perform pentests differently. Thus, vulnerabilities that are revealed by one group will remain unknown to the next group, and vice versa. That is why, logically, you cannot completely depend on the results of penetration tests to ensure information security. A real penetration threat exists anyway, as long as different groups and different hackers can apply different techniques to the revealed vulnerabilities. In other words, such testing does not fully guarantee the security of the customer company.

Even if the testing is finished and vulnerabilities have been discovered in the customer's automated system, the testing company can simply save the information it obtained about the software, network structure, etc., or conceal some vulnerabilities from the customer. Moreover, the tested company is now exposed to all the risks of the auditing company.

The point is that it is very hard to maintain security in the testing company itself. There is also the risk that employees of the testing company, for instance after they are fired, will use the data for their own benefit or for the benefit of competitors. This is not a rare situation, and the statistics for such cases, unfortunately, keep growing.

Often, client information leaks from businesses that trust their IT contractors too much (the latter may be outsourcing companies, processing centers, or security audit companies). According to the American telecommunication company Verizon Communications, more than half of all known information leaks in restaurant and local store networks and other organizations that, for whatever reason, do not want high-grade IT staff, are caused by unfair external partners or by the companies offering information security audit services.

Here is a specific example. In 2009, the owner of a large IT company in the USA engaged in information audit and outsourcing services was charged with theft of the confidential data of more than 8 million people. The information came from large serviced companies, and the investigation found that the resulting database was intended for sale to competitors. Details of what data was stolen, and the list of the aggrieved organizations, were not published in the interests of the investigation, but it was established for certain that during the audit, information on the organizations' network operation was carefully gathered for the purpose of further illegal use and theft.

As this example illustrates, unfair companies among those who render information audit services are not an infrequent exception. And although data leakage caused by the company's own employees or insiders seems the most probable, it never makes sense to expose the company to additional risks for the sake of a false feeling of safety.

Even if you do need penetration testing from the outside, you must first carefully examine the trustworthiness of the organization that will conduct the study. But the company's reputation is not enough. Learn as much as possible about the company's management and technicians, because even a company of perfect reputation that provides high-quality security audit services might employ persons who secretly help competitors, with the main aim of accessing the protected information without interrupting the testing.

Part of the information used internally by the company has a long lifespan, so if such information becomes available to someone else even a few months later, the company will still suffer essential losses. Thus, you must be very careful when engaging external human resources and pay attention not only to their skills, cost and quality, but also to the potential consequences of granting them access to the company's information assets.

Another threat during penetration tests is the investigation of numerous attack scenarios. Employees of the auditor company may document only one or two of the vulnerabilities revealed in the information protection system, while the remaining vulnerabilities can still be exploited by hackers.

Technical Risks

Even when penetration tests bring great results and eliminate a lot of vulnerabilities, they still do not guarantee that the information will remain inaccessible in a few days, weeks, or months. The thing is that new vulnerabilities arise every day, new forms of attack are used, and even some old vulnerabilities can be used anew with the passage of time. No information security organization can hold complete information on all vulnerabilities. That is why the vulnerabilities that will be used tomorrow may strongly differ from the existing ones.

By providing fast operation in data networks and taking advantage of the Internet in their activities, companies make their business more effective and flexible, but at the same time they increase the risks, because absolutely secure systems do not exist. Failures of network protocols and services, and faults in network equipment operation, may cause not only direct financial losses to the company, but also loss of reputation, which for most large companies means more severe harm than financial losses. Information security becomes more and more important, since a growing number of services allow maintaining customer relations directly over the Internet.

Usually, a vulnerability means that a malicious user can make the application perform operations for which the user has insufficient or no rights at all, by issuing a corresponding command. Although detection tools exist for several kinds of vulnerabilities, they can never substitute for a person's experience in information security research.

In their attempts at security provision, the management of most companies often makes severe errors that may result in further serious consequences for the company. Among them are:

•    The company's staff is excessively confident in the reliability of the security technologies used.

•    Accurate technical information on the security level does not exist.

•    There is no clear information security policy.

•    IT department staff qualification is insufficient.

•    The personnel wrongly think that there is no important information for hackers in the company's information system.

•    The personnel wrongly think that cracking the company's web site/server will not result in serious losses.

According to last year's statistics gathered during the analysis of almost 12 thousand various programs and web applications, more than 97 thousand vulnerabilities were found. They differ in their threat level, but more than half of them are urgent and critical, and the information from 13% of systems could be compromised automatically. In the course of detailed testing, the probability of revealing critical vulnerabilities reaches extreme rates, from 80% to 96%.

Any company can suffer from cyber attacks regardless of its business. Of course, hackers are generally interested in large organizations, but small companies usually suffer more severe damage from such illegal activities. Small and mid-sized businesses often suffer from harmful software and viruses, which are becoming harder to neutralize. Note that data security companies are themselves often the target of directed network attacks.

Interesting statistics have been published by the Ponemon Institute. The study, which used information from 45 large American companies, showed how great the losses of a company are from attacks that use vulnerabilities in its information system. On average, companies lose a little less than four million dollars annually as a result of such faulty conditions, with the figure ranging from one million for medium-scale companies up to 52 million dollars. The struggle against network data leakage, attacks on companies' web sites and online services, and harmful software distribution constitutes the lion's share of the costs of information security maintenance. Still, the studied companies were confronted with more than 50 successful attacks per week in which hackers may have plundered information.

As the above impressive statistics prove, hackers carry on their criminal business with impunity. While competition in this field grows, prices for computer network cracking and information theft fall, but hackers' proficiency continues to increase. Among all hackers, no more than ten persons face criminal liability annually, and even for some frauds with a million-strong turnover the hackers receive only a conditional prison sentence. Experts believe that such avalanche-like growth of criminality in information technologies is a considerable threat for any business.

Conclusion

To conclude, we must emphasize the fact that the situation in the field of information protection is rapidly changing, and a company must respond to each change as promptly as possible. Any newly revealed vulnerability, any weakness of an anti-penetration system, may result not only in direct financial losses but also in irrevocable loss of reputation among partners, which can be far more important.

Hackers' arsenal grows with new complicated hardware and software, and their proficiency has long since surpassed the proficiency of an average employee in an IT or information security department. A company can protect itself from possible threats only by constantly paying attention to the integrity and security of its network and other resources. As of now, vulnerabilities have been found in all systems. Once more, this proves that no absolute security can be guaranteed, and it will not be guaranteed in the nearest future.

However, you can keep your risks to a minimum. For this purpose, prompt staff response in case of threat detection is essential, along with timely installation and updating of anti-virus software and firewalls, and installation of all critical and essential operating system updates. Overall staff awareness of recently discovered vulnerabilities, viruses and harmful software is important too.

Many organizations resort to penetration tests as the last possible measure. The trouble is, this measure is expensive and ineffective. During such a test, only part of the existing vulnerabilities will be discovered, while new methods of breaking information security appear virtually every day. One must realize that even a large company providing computer audit services may be subject to its own internal data leakage risks. Entrusting such a company with details about network structure, operations and protocols basically means accepting and covering all the risks of that organization. So, penetration tests usually grant you a false, illusory safety.

Internal network audit methods are more effective than penetration testing. A company must use software for access restriction, user activity monitoring and data encryption, and network activity logs should be monitored on a regular basis. This is a necessary condition for keeping the information loss risk at an acceptable minimum.

Written in January 2010 by Dr. Kretov Kirill specially for LAZgroup SA