The outline of a no-nonsense defense consists of impediments set up in advance, before the attack.
It is a log to the future – a defense in depth strategy – and in order to put yourself where you need to be, you have to identify the goals of the criminal element.
Let’s take a step back for a moment. When we think of penetration testing, we think in terms of attacks that we detect from an outside source. More commonly, we think of attacks that we perform on our internal assets.
One of the challenges when you are inside the network is that you are alone, and your vulnerabilities are not viewed in great depth. It’s a lot of fun to be able to hack into a system and watch what happens inside the box, but if you are using open source tools you are not really prepared for the vulnerabilities that you find. If you are using commercial tools, you are already behind the eight ball on this one.
The second question is, what do you do about these vulnerabilities? For various reasons, we need to consider more than one approach.
While we can agree that all network users – with the right user behavior and a 614 security overview report – can secure their own server, we also need to consider the network as a whole. If you have responsibilities for monitoring activities inside the network, you also have to consider who sees that monitoring activity. For some businesses, such as those in the health sector, maintaining network security is something that can be a full-time job. For others, such as legal organizations, security is a handleable task.
In either case, it’s important to understand why a security assessment is necessary, and what conducting such a test represents for the corporate network security.
The first thing to understand is what an assessment is. An assessment is basically a professional professional report that is done in your name and only in your name. It might be a report given to your lawyer by a judge or correctional officer after they have convicted you in a court of law. In other cases, an employee may feel that they are more inclined to take a suspicious amount of notebook computers to their workplace, where no one will expect to find them. In such an incident, it is best to have a second set of eyes looking over the presumed safe PCs.
Some people also believe that seeing you crack down on a weak link in your network or an illegal user on your system will automatically make your network 100% safe. Unfortunately, that is not the case. Again, downtime is often a necessary evil.
It is not the job of the security consultant to crack down your network or make your network 100% secure. The role of a penetration tester is to test your ready to go network to make sure that it is fully secure.
How do you select a good penetration tester? There are a number of things you should be looking for in a candidate for this position. Read their profile, talk to them in chat rooms or by phone, or do their Online Background Check by checking with the Better Business Bureau.
Passwords are important in this type of job. You should have a difficult password that is not a dictionary word. You should not use a user name that is a form of your business name. You should not use your birthday, your dog’s name, or your children’s names. Also, you should not use obvious keywords found in a dictionary. Instead, use a mixture of alpha-number, small letters, and letters in between. “Fail” is also an important keyword in this regard.
It is not a good idea to choose a security question just from the canned list of options. This is something that you would only choose after serious consideration. You need to be sure that you know what you are defining as a failure. Otherwise, you could very well be dealing with a security breach and not know it, or you could very well be dealing with an attacker who has successfully broken into the system.
Defining a winnable remote access program is more of a challenge than an easy one to face. Again, you should not use canned options for this question. However, if you took this approach with your bank account information, you would be robbed if they called you claiming that they only had an outdated bank website. Instead, tell your bank nothing about your current account, and make it sound like a secure website.
Most importantly, do not use public computers or computers that are in the wrong place. This is one of the biggest mistakes that you can make. You are likely to be asked to provide very sensitive information, and you are likely to make some critical mistakes if you are using a public computer or a computer shared with others. Adhere the “
