Guest blog by Lars Greiwe
High profile security incidents such as the Sony & TalkTalk hacks, combined with news of large scale attacks such as WannaCry, and even issues with popular television series such as Game of Thrones mean that SMB business owners and their software engineers are rightly becoming more concerned about the security of the systems that their business relies upon.
You might be reading this because you heard that a “penetration test” – or “pen test” for short – could help you discover whether your systems are safe or not from hackers. And you’d be right.
Conducting a pen test involves tasking a security professional with taking the hacker’s perspective to try to gain access to your systems or data. They mimic hackers whose incentive is to steal your information, to alter it in their favour, or to prevent you from accessing it. The idea is to discover the vulnerabilities in your IT systems and inform you of the security holes so you can fix them before you actually get hacked.
The thing is, there is not just one type of pen test. Depending on what kind of scenario you are worried about, you will want to know the differences before you decide which type of penetration test to perform.
Perimeter Pen Test
This series of articles will explain the different types of penetration test that are available, to help you discover which type of pen test is right for you. We start with the perimeter pen test (also called “external pen test”), as this is often the first port of call for hackers looking to compromise your business.
A perimeter penetration test looks only at the systems you have facing the internet. For example: your office router, your VPN or remote working solution, your company website, and any customer portals or connectivity you share with partners and third parties. These are the most exposed systems you have, as they sit on the internet and are instantly reachable by hackers all over the world, so the moment there is a flaw in one of them, you are as good as hacked.
The problem is, around 8,000 vulnerabilities get discovered each year in off-the-shelf software, which any of your routers, VPNs, or websites could be running. So if you don’t keep a constant eye on these vulnerabilities, it’s the cyber security equivalent of not brushing your teeth: you may not have a problem straight away, but you’re definitely storing up trouble for the future.
Similarly, the regular changes made by your network engineering team (or your third party provider), such as installing new hardware or updating firewall rules, could inadvertently introduce weaknesses without your knowledge. And depending on when you had your last perimeter pen test, you may not know about them for quite some time.
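The two risks above, unpatched software on exposed services and exposure that drifts as firewall rules and hardware change, are both things a business can check for itself between annual tests. The following is an added example written for this article (it is not code from the original post, from Intruder, or from any other vendor). It compares a baseline inventory of the services a business intends to expose against a later observed snapshot, reporting newly reachable services, services that have vanished, version changes, and any exposed product/version pair that matches an advisory list. All hosts, ports, product names, versions and the advisory identifier are constructed sample data; a real deployment would feed it from your asset register and a vulnerability data source.

```python
"""Perimeter exposure drift check (added example, not from the original post).

Compares a baseline of the internet-facing services a business expects to
expose against a freshly observed snapshot and flags:
  * services newly reachable (e.g. after a firewall-rule change),
  * services that have disappeared (outage, or an inventory that is wrong),
  * services whose exposed software version changed,
  * exposed product/version pairs matching an advisory list.
Every host, port, version and advisory below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str


def key(s: Service):
    """A service is identified by where it is reachable, not by what runs there."""
    return (s.host, s.port)


# Constructed baseline: what the business believes is deliberately exposed.
BASELINE = {
    Service("203.0.113.10", 443, "webserver", "2.4.57"),
    Service("203.0.113.10", 80, "webserver", "2.4.57"),
    Service("203.0.113.20", 1194, "vpn", "2.5.9"),
}

# Constructed snapshot from a hypothetical monitoring run a week later.
OBSERVED = {
    Service("203.0.113.10", 443, "webserver", "2.4.57"),
    Service("203.0.113.10", 80, "webserver", "2.4.57"),
    Service("203.0.113.20", 1194, "vpn", "2.5.9"),
    Service("203.0.113.20", 22, "ssh", "8.9p1"),       # appeared after a rule change
    Service("203.0.113.30", 8080, "portal", "1.2.0"),  # new customer portal
}

# Constructed advisory list keyed by (product, affected version). A real list
# would come from the vendor or a vulnerability database; this one is made up.
ADVISORIES = {
    ("portal", "1.2.0"): "EXAMPLE-ADVISORY-001 (placeholder identifier)",
}


def diff_exposure(baseline, observed):
    """Return (new, gone, changed) lists, each sorted by (host, port)."""
    base = {key(s): s for s in baseline}
    obs = {key(s): s for s in observed}
    new = sorted((obs[k] for k in obs.keys() - base.keys()), key=key)
    gone = sorted((base[k] for k in base.keys() - obs.keys()), key=key)
    changed = sorted(
        ((base[k], obs[k]) for k in base.keys() & obs.keys() if base[k] != obs[k]),
        key=lambda pair: key(pair[0]),
    )
    return new, gone, changed


def vulnerable_services(observed, advisories):
    """Return [(service, advisory)] for exposed versions with a known advisory."""
    hits = [
        (s, advisories[(s.product, s.version)])
        for s in observed
        if (s.product, s.version) in advisories
    ]
    return sorted(hits, key=lambda pair: key(pair[0]))


def report(baseline, observed, advisories):
    """Build a list of human-readable findings for review or alerting."""
    new, gone, changed = diff_exposure(baseline, observed)
    lines = []
    for s in new:
        lines.append(f"NEW EXPOSURE   {s.host}:{s.port} {s.product} {s.version}")
    for s in gone:
        lines.append(f"MISSING        {s.host}:{s.port} {s.product} {s.version}")
    for old, cur in changed:
        lines.append(f"VERSION CHANGE {old.host}:{old.port} {old.version} -> {cur.version}")
    for s, adv in vulnerable_services(observed, advisories):
        lines.append(f"ADVISORY       {s.host}:{s.port} {s.product} {s.version}: {adv}")
    return lines


if __name__ == "__main__":
    for line in report(BASELINE, OBSERVED, ADVISORIES):
        print(line)
```

Run as written, the script reports two new exposures (the SSH service and the new portal) and one advisory match against the portal. The useful part for a small business is the habit it encourages: keep a written baseline of what is meant to be exposed, re-check against it regularly, and treat any difference as something to explain, not ignore.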
Luckily there are services out there which can alleviate this worry. Intruder is one such service; it keeps a constant eye on your internet-facing systems. It’s a good replacement for a perimeter pen test as it operates all year round, whereas most pen testers operate on an annual consultancy basis. Intruder is partnered with the London Digital Security Centre and offers free trials of its Baseline security monitoring package, so if you’re concerned that some of the issues discussed here might affect you, don’t hesitate to get in touch.
Learn more about Intruder here.
Next in the series, we’ll discuss what additional types of penetration test you might want to consider once you have made sure that your perimeter is secure.