Penetration tests, or pen tests, are ethical hacking exercises in which security professionals, like Cerium Networks, launch simulated attacks on your computer systems to assess your overall security posture. There’s no need to panic if you get a negative test result, however. If done properly, these tests will always identify at least a few vulnerabilities — even in the most security-conscious organizations.
The unfortunate truth is that all networked computer systems are vulnerable to some degree. Whether due to environmental changes or vendor software exposures, new vulnerabilities will continue to arise over time. Once you connect a computer to a network, you create potential openings for hackers, malware, data leaks and other security breaches. The only foolproof way to protect your systems is to unplug them from the network, but that tends to result in poor end user acceptance.
The best most organizations can do is remain vigilant, manage risk and move quickly to limit damages. Comprehensive pen testing plays an important role in such a strategy by creating a sort of early warning system. These tests are very effective in identifying hard-to-find vulnerabilities such as configuration flaws, protocol vulnerabilities, web application coding errors and unpatched applications.
What you do after the test makes all the difference.
Don’t Panic, Prioritize
In many cases, organizations are required to conduct regular penetration tests to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Too often, they treat the process as a mere procedural formality and take little to no corrective actions.
Some go to the other extreme. Instead of prioritizing issues and focusing on measures that require immediate attention, they try to correct every single problem. While a noble goal, developing a zero-trust architecture is far more achievable than an environment with no vulnerabilities.
Organizations should take a methodical, reasoned approach. It all begins with a thorough examination of the test results.
Cerium Networks provides our customers penetration testing services. Our penetration testers compile test results to derive a security “score” that illustrates your strengths, weaknesses and potential compliance issues. Typically, our testing teams will grade vulnerabilities using the Common Vulnerabilities and Exposures (CVE) system, which ranks vulnerabilities on a 0 to 10 scale based on characteristics such as access vector, attack complexity, authentication, confidentiality, integrity and availability.
Those rankings can help you develop a remediation strategy. Low-ranking vulnerabilities often carry nominal risk and rarely require immediate attention. Instead, you should assign resources to address high-risk exposures such as an unpatched operating system or a misconfigured firewall. Our testers will work with your IT team to develop a detailed action plan for responding to security gaps or weaknesses. Typical remediation efforts include modifying configurations, applying patches, deleting invalid user accounts, and removing executables and scripts. If new defensive controls or cyber security policies need to be established, Cerium Networks can assist you by consulting, integrating and even operating the required compensating controls.
Proceed with Caution
Before implementing any changes, it’s important to conduct a thorough evaluation to understand how they may impact other systems. For example, some security patches have been known to cause random reboots, system crashes or other issues. It’s always a good idea to try things out in a test environment before implementing them on production systems.
Strong Cyber Security protection & hygiene is a journey, not a destination. The complex interplay of software, hardware and networking technologies will always result in occasional incompatibilities and misconfigurations that can be exploited by smart hackers. Regular assessments can help you quickly identify vulnerabilities and understand the level of risk involved. When blended with strong threat detection & response as well as robust cyber security visibility and controls, you can dramatically alter your cyber security fitness.
Working with an experienced provider such as Cerium can minimize those risks. Our assessment team has the training, tools and expertise to deliver deeper insights and more actionable recommendations. Contact us to learn more about the effective use of pen testing to reduce your exposure.