When’s the last time you tested your network? If you’re like most people, you’ve neglected it for far too long.
Are you a target for hackers?
We are all now familiar with the concept of the Internet of Things. Take the manufacturing industry, for example: many manufacturers now operate in an increasingly connected environment and make the most of the Industrial Internet of Things.
There are plenty of positive aspects to a manufacturing process in which equipment and machinery communicate in ways that improve how everything flows through to the finished product. The downside is that this greater level of connectivity also increases your exposure to a targeted cyber-attack.
There are numerous reasons why a business such as a manufacturer would be targeted by hackers.
The growth of the Industrial Internet of Things has increased the number of opportunities for hackers to try to steal trade secrets and intellectual property through a coordinated series of attacks.
This very real threat to your business is why you should consider rethinking your security standards and look at how to start a penetration test.
Why Penetration Testing is Important
Good penetration testing involves testing a company’s network to make sure that there are no threats that can break through the company or organization’s security. But, it also involves testing non-technical security threats, like social engineering.
Social engineering sidesteps traditional Internet-based attacks by exploiting human psychology: attackers attempt to defeat security protocols by gaining direct access to a company’s building and sensitive data. They do this by any number of means.
For example, an attacker might show up to an office posing as IT support. He may try being friendly with staff who have access cards to the building (when he does not). Then, when an employee opens the door, he asks if the employee can hold the door for him so that he can come in (usually to meet with someone).
Traditional Internet-based attacks may use sophisticated software or employ low-tech scams like phishing. Sometimes an attacker will gain entry to a company’s network by planting an infected hardware device, like a USB drive, on an employee or near the office (perhaps in the office parking lot). The infected hardware may use a keylogger to capture usernames and passwords from employees.
As crazy as it sounds, employees might actually pick it up and use it. That’s what Steve Stasiukonis, founder of Secure Network Technologies, did. He planted USB drives around his company’s parking lot. Employees picked them up and inserted them into their computers, curious as to what might be on them.
The USBs were infected with a Trojan containing a keylogger program. Once the employees inserted the USB drive, all keystrokes were recorded. Employees were giving up their login credentials without even knowing it.
Every business is at risk. This is why you need to run security scans and penetration tests.
Defining Goals For Penetration Testing
First, define your goals. Most penetration testing is oriented around protecting the organization in some way. Attackers are out there trying to steal your information, and their techniques and strategies are a pragmatic means to an end. Testing should likewise have a specific goal in mind.
Following The Data
Most companies have a limited budget for penetration testing, regardless of how important it is. Focus on the most important aspects of the business. Are you trying to protect customer financial data? Sensitive company documents? Is there something else worth protecting within the company?
Develop Attacker Profiles
Your testers should act like real attackers. Build attacker profiles because attackers rarely fit into one category. External attackers might have no knowledge of your company. Insider threats may know everything.
Establish potential motives so you can “see it coming” before it happens.
Defining Rules Of Engagement
Penetration testing simulates an attacker’s behavior, but it’s not a real attack or threat. Because of this, you need to establish parameters that define what can and cannot be done during the simulation.