According to recent statistics, a hacker attack occurs every 39 seconds. Hackers can steal 75 records per second. Sixty-six percent (66%) of businesses attacked by hackers were not confident they could recover from the damage that had been done.
Hacking has become very prevalent in recent years, and many businesses have yet to adopt a formal cyber security policy. So, how does your organization avoid becoming another statistic and a victim of hacking? Through “ethical hacking,” there are proactive ways to see how your business would fare against a cyber-attack. Rather than waiting for an attack to occur, there are steps you and your organization can take now to ensure you are protected.
What Is Ethical Hacking?
Penetration testing, or ethical hacking, is the intentional launching of simulated cyberattacks by penetration testers who attempt to access or exploit computer systems, networks, websites, and other critical applications. There are two types of penetration tests: internal and external. An internal test helps gauge what an attacker could achieve with initial access to a network; it mirrors insider threats, such as an employee intentionally acting maliciously or unintentionally enabling an attack (e.g., by acting on a phishing email). An external test focuses on the effectiveness of perimeter security controls in preventing and detecting potential attacks before they get into the network.
There is often confusion between “penetration testing” and “vulnerability scans.” Both are valuable to your organization. Unlike penetration testing, which testers perform manually, a vulnerability scan is an automated process performed by tools installed on your network: it checks all network devices (servers, workstations, firewalls, printers, switches, etc.) for known vulnerabilities and reports the findings for each system. A vulnerability scan is designed to run thousands of security checks and produce a list of possible vulnerabilities along with remediation advice. Because it is automated, a vulnerability scanner can be run as often as you’d like to check for potential deficiencies. Vulnerability scanning software can be purchased from various providers and installed on your network. Some of the top products currently on the market are Nexpose by Rapid7, beSECURE, Nessus, and Burp Suite.
Vulnerability scans discover vulnerabilities within the organization, but they stop short of attempting to exploit those vulnerabilities, which is where pentesters come into play. A finding may only show up as a medium-severity vulnerability, but when combined with other vulnerabilities and the skill of a pentester, it can still lead to the complete compromise of a network. “Pentesters” approach the organization as a malicious hacker would, to find the exploitable vulnerabilities and assess the severity of each. At that point, you will be in a strong position to focus the organization’s resources on the areas most at risk of attack.
How Do I Get Started?
It is important to have two separate, independent, and qualified providers perform a recurring, annual penetration test. One of these providers should be consistent year-to-year, and one should be new each year to provide alternative hacking approaches that others may not have attempted.
Prior to the test, set clear objectives for what you would like to accomplish, including regulatory requirements, applicable protocols, and HIPAA. Be open and honest with your service provider to maximize the effectiveness of the testing.
In the meantime, one quick and easy way to improve your organization’s defenses is to keep up to date with all operating system and software patches and to complete software updates promptly. Developers provide these updates to patch existing vulnerabilities within your network. Once a vulnerability has been published by the developer, hackers can easily exploit it on any system your organization has not yet updated.
You owe it to your participants, or those you serve, to protect their data and information. A hacker attack can jeopardize the future of your organization. Why take that risk?