Your corporate insurance broker might have recommended penetration testing, or “Pen Testing”, as a cybersecurity strategy for your business. What is “Pen Testing”?
To answer that question, think of your computer systems as a large building. Buildings have doorways. Some of these are intended as public entrances; some might be service entrances; and some might be employee parking garages or loading bays.
A thief who wants to get into the building will watch it carefully and do whatever it takes to gain entry. He might ask you to hold an elevator for him hoping that he can follow you out onto a secure floor. He may try every door so see which ones are locked. He may have some tools to jimmy a lock open. Sometimes, he just knocks on the door and sees who answers. Perhaps he tries to convince you that he is with building maintenance and he needs access to your bathroom.
Penetration testing extends this idea to computer networks. Every type of computer application that your office uses is associated with a particular port (or door) number. Websites use ports 80 and 443. Email uses ports 25, 110, 143, 993, and 995. Microsoft file sharing uses ports 135-139. You get the idea.
A hacker will often try to discover which of these ports is active. This is called a port scan and is the first step to a vulnerability scan. A port scan is like knocking on a door; if a computer on the other side of the port answers, “Who’s there?”, the hacker will then try to analyze the response to see what version of software is being used and if there are any weaknesses that can be exploited. Often the hacker will mount a phishing attack on a list of employees. Having an employee cough up their username and password makes this whole process easier.
A Pentester is an ethical hacker who has been hired by your company to try and find a way to get inside your computer network without having authorized credentials like a username or password. If the pentester is successful, then we can expect that a hacker would be as well.
In one case, a pentester tried everything to break into a system, but that particular company had rock-solid network security. The pentester was not prepared to give up. He put his toddler daughter in the car, drove across town to the company’s head office, walked in the door, told the receptionist that his daughter really needed to use a washroom and would she buzz them in. She complied. While in the washroom, he left a USB stick on the sink counter before leaving. Sure enough, some employee found the USB stick, plugged it into their workstation. The malware that he had placed on the USB drive did it’s job and he was able to take down the entire company.
Pen Testing is a very manual process and requires very experienced technicians; it isn’t cheap. Prices start around $5,000 and go up to $50,000 or more. More worrying is that many security companies advertise their service as “penetration testing” but really provide nothing more than a simple “port scan.” Most port scans are automated and can be done in an hour or two. For these reasons, it is often a good idea to hire a cybersecurity consultant to work with the client to assess all the cybersecurity risks faced by a company. In most cases, user training can provide better value in reducing cybersecurity risks than a detailed penetration test. If a Pen Test is recommended, the consultant will usually have a list of reputable, experienced firms that can provide a proper penetration testing service.
If this applies to you, give us a call. Atlas Solutions has years of cyber security experience. If we can’t help you out, then we know someone who can.