Hackers can actually look at you through your web-cam and listen to what’s going on in your workplace or even meetings. Are you aware of this? Penetration testing or “pen testing” is aimed at particularly identifying the points of reference where a hacker maybe accessing your infrastructure. A penetration test will start to identify with your systems weaknesses and omissions and using this information will penetrate deeper into your network to point the exact issues.
The UK Home Office has launched a new £4 million information security awareness campaign, designed to educate businesses and consumers about rising hacker threats and network vulnerabilities. The first stages of this new campaign will begin in the autumn, and will sit alongside other more-established information security initiatives like Get Safe Online, and form part of the broader government National Cyber Security Programme.
What’s the difference between a vulnerability assessment and a penetration test? The answer to that question depends on who you choose to ask. For some people they are effectively one and the same thing; for others there are clear distinctions. So what’s the true position? Are vulnerability assessments and penetration test effectively two sides of the same coin, or are there clear differences between the two? The short answer is that whilst a penetration test may be a form of vulnerability assessment, a vulnerability assessment is definitely not a penetration test.
It’s a well-known fact that small businesses are more susceptible to cyber-crime than many of their larger counterparts. A lack of funding and resources means that few small to medium-sized businesses can afford to pay for vulnerability assessments or penetration testing of their network security. But just how much money is this failure to protect online networks costing small businesses? Well, according to Federation of Small Businesses it’s something in the region of £785 million every year. That staggering figure is the price SMEs pay when they fall victim to fraud and malware.
With an increasing number of critical systems being placed within virtual environments, security is now understandably a prime concern. Systems can be attacked, and valuable information and assets can be compromised. Vulnerability management systems are designed to address these issues. Vulnerability assessment is the process of identifying how vulnerable an infrastructure is to known vulnerabilities—the number one threat to all networks today. The threats/risks found in the vulnerability assessment are then ranked and prioritized to expose the current security position, and to facilitate the re-mediation process.
Will vulnerability assessments and penetration testing find all the security vulnerabilities in your network and systems? Well, the simple answer to that is probably not; that is, of course, unless you are prepared to spend an awful lot of time, effort and money on it. So why bother having your systems tested then? Well, because it is still vitally important to protect your network from vulnerabilities. What is required is closer co-operation between the client and the pen tester. From a client’s perspective it’s about the importance of setting expectations and defining the requirements for penetration testing. From a tester’s point of view it’s a question of gathering as much information as possible about the internal workings of the business and the systems to be able to do a comprehensive vulnerability assessment.
Facebook and Apple have become the latest companies to reveal they had been the target of a “sophisticated cyber-attack” by hackers last month. Although security was breached both companies confirmed that they had found no evidence any user data had been compromised.
In a blog post on its website Facebook explained what it knew of the cyber-attack:
It’s been a torrid old time for Oracle over the last few months. Targeted by hackers, Oracle has rarely been out of the news. There were hopes that the recently-released Java 7 Update 11 would solve the problems once and for all, unfortunately the patch, which was meant to mitigate two zero-day vulnerabilities in Java that were being actively exploited by attackers, has not delivered according to cyber-security experts. They maintain that all that has happened is that the threat has been relocated, and therefore that Java is still vulnerable.
Most businesses will be aware of the vital importance of spotting security vulnerabilities within their network and applications, and many will also be aware that they will need to carry out a network penetration test to help them comply with the Payment Card Industry Data Security Standard (PCIDSS) requirements. Understandably many SMBs will look to find the cheapest and quickest way to comply with the required standards. However, some businesses might be surprised to learn that the service they are paying for isn’t necessarily what they think it is. PCI DSS is explicit in its requirement that a penetration test has to be performed, but it is rather vague when it comes to explaining what methods need to be employed when performing testing.