What is Pen Testing and Why You Should Care

Cyber threats are evolving at an alarming rate, posing significant risks to your business. Penetration testing, commonly referred to as “pen testing,” is becoming a vital, proactive tool for assessing your risks.

Pen testing simulates a cyber attack on a computer system aimed at identifying vulnerabilities and testing the security of IT systems. Pen testing goes beyond electronic systems; it encompasses the entire IT ecosystem, including human elements and physical security. 

As cyber threats diversify, pen testing has become an important cybersecurity practice and an emerging requirement for cyber insurance.

Types of Pen Testing

Pen testing falls into various categories, each targeting different aspects of your business’s IT infrastructure:

  • External Testing:
    Evaluates vulnerabilities in the systems that are visible from the outside, such as web applications, servers, and network devices. It simulates attacks attempting to breach your network from the Internet.
  • Internal Testing:
    Examines what could happen if an attacker gains access to the internal network. It highlights potential damage and data exposure risks from within your organization.
  • Targeted Testing:
    A collaborative effort between your IT team and the testers, providing real-time insights into the attacker’s perspective and your response.
  • Blind Testing:
    Testers receive limited information about the target, mirroring the knowledge an actual attacker might have. This helps assess your organization’s security posture from an outsider’s perspective.
  • Double-Blind Testing:
    An advanced form of blind testing where neither the testers nor the IT staff are aware of the test. It evaluates the effectiveness of the security monitoring and incident response processes.

Benefits of Pen Testing for Businesses

Investing in pen testing offers businesses several compelling advantages:

  • Identifying Vulnerabilities:
    Pen tests expose weaknesses in systems, applications, and networks, allowing you to address them before they are exploited.
  • Prioritizing Risks:
    Not all vulnerabilities carry the same weight. Pen tests help you prioritize risks based on their potential impact and likelihood, guiding you on where to focus your efforts and resources.
  • Enhancing Security Measures:
    Insights from pen tests can guide the implementation of stronger security controls, such as multi-factor authentication, data encryption, and improved access management.
  • Boosting Cyber Insurance Prospects:
    Many insurers require regular pen testing as part of their coverage criteria. Demonstrating proactive security measures can lead to better terms and premiums.
  • Regulatory Compliance:
    For industries with stringent regulatory requirements, pen testing can help you assess compliance with standards like HIPAA, PCI-DSS, and GDPR. It can also help you benchmark against cybersecurity frameworks, such as CIS, NIST, and CMMC.

Getting Started

The best way to get started with pen testing is to perform a basic, preliminary scan of your environment. Referred to as a “Level 1” test, this snapshot provides a baseline assessment. From this assessment, you can determine what, if any, mitigation efforts are needed to improve your security, meet compliance requirements, and/or secure cyber insurance.

Your Next Step

Cumulus Global offers a free Level 1 Pen Test to qualifying organizations. Click here to request your test and to access related resources.

About the Author

Bill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud-forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience and effective change management.

On-Premise IT: The Bad, The Good, and the Ugly

We do not hate or dislike Microsoft. But, looking at the company and its products, Microsoft often provides us with great examples of some of the issues with in-house systems for small and mid-size enterprises.

Case in Point: According to ComputerWorld, Microsoft will issue 12 security updates for 57 vulnerabilities across Windows, Office, and Exchange.  In an extremely unusual move, 2 of the updates are for Internet Explorer (IE) from version IE6 through IE10.

The Bad:  The scope and severity of these updates are the largest since April, 2011:

  • 5 of the updates are “critical”, the rest are “important”.
  • The vulnerabilities addressed are in every version of Windows from XP Service Pack 3 and Vista through Windows 7, Windows 8, and Windows RT.
  • Updates are needed for all current versions of MS Office and for MS Exchange.

The Good:  Microsoft is able to fix the vulnerabilities found, even though some of their products continue to fail security tests.

The Ugly: While these updates make on-premise IT environments more secure, they come at a huge cost, particularly for small and mid-size businesses. Applying these updates means touching every server, workstation, terminal server, and Windows RT tablet — some more than once. While larger companies may use images to update workstations, applying these updates still requires building and testing the image before distribution. Hours of work and multiple reboots mean time and money — even if the work is done after hours.

Perspective: One of the major drawbacks of on-premise IT solutions for small and mid-size enterprises is exactly this kind of maintenance. For hosted and cloud solutions designed for large-scale multi-tenancy, like Google Apps and others, pushing out updates is automated, fast, and reliable. And these updates rarely, if ever, require local updates.

Moving to a cloud or hybrid computing environment can save you time, money, and aggravation, while providing a more secure, more reliable system.

Interested in learning more? Read what companies that have moved to the cloud and Google Apps have to say in this white paper.