Pentesting - The Shortest & Sweetest Outline You'll Ever Find!
Do you ever think about what could make your business go under? What critical component could act as the lynchpin that brings down the whole house of cards? Where you might have left one critical gap to be exploited?
Oh, you don’t? Ah. Must be just me then…
In all seriousness, the first step to securing your business and your systems is to know your own weaknesses. Once you know your weaknesses you can focus on fixing them (or turning them into strengths if you’re a SWOT enthusiast) and be safe in the knowledge that you’re staying secure.
But how do I find my weaknesses?
I’m glad you asked! There’s two ways, generally speaking. A vulnerability assessment (VA), which - you guessed it - assesses your vulnerability using mostly non-intrusive measures. The other is penetration testing (PT), or pentesting which goes through your actual systems and simulates what an actual attacker would do to find gaps in your security. The difference is that a penetration test is usually more in depth and finds more things to fix, which takes more time and costs more.
Why should I care? Surely I’m too small to be a target right?
Actually, it doesn’t matter if you’re a small business; just like some people specialise in marketing to small businesses, some attackers specialise in hacking small businesses. As for why you should care, it’s because I said so because it’s only a matter of time before someone comes for your data. Having a VA/ PT done means you can head off attackers early by fixing anything they could exploit. Also, showing off that you’ve done your due diligence can help with getting new customers.
Ok, but I’m something of a techie myself (my mum uses me as tech support). Can’t I just do this myself?
First of all, admitting that you’re a techie just leads to more calls for help ‘because my computer just won’t turn on!’, so don’t do that. Secondly, you can! There’s plenty of free or open source tools for vulnerability assessments (https://observatory.mozilla.org/ https://owasp.org/) to help you get to grips with your issues, which can help as an initial measure. Getting help from a professional is the next step, as a dedicated penetration tester will have the experience and the tools to dig deep into your infrastructure. You can hire these uber-techies to enter the matrix do their scans on a per project basis, or for your entire organisation - it’s up to you, really. You can reach out to us too! We are quite affordable :)
Hang on, my mum’s calling…
I did warn you.
So do they come to the office and take apart my PC, or…
Not usually. For scans or tests on a network, tests can usually be done remotely, which means the pentester can be anywhere in the world as long as there’s an internet connection. They will then use their many and varied tools to try and get into your network - hopefully unsuccessfully. Of course, if your gear is all offline or if you want to get really in depth, in-person tests can also be arranged.
Once the test or scan is complete, you’ll be given a penetration test report outlining anything that was found.
Wait, so are pentesters hackers? Do they all wear hoodies and sit in the dark?
Yes and sometimes. ‘Hacker’ doesn’t necessarily refer to a criminal - check out our article here for a rundown on the difference as well as the different penetration test types. As for sitting in the dark, ’What do you want me to do, photosynthesise?’ and ‘I’m just saving power’ are the usual excuses when we question our resident pentester.
So let’s say I want to check how secure I am. When can I start? Is there a summoning ritual?
See, I knew I could convince you. As for when you can start, the answer is pretty much whenever you feel like doing one, although usually these would be done at the start of a new project or if you’ve made any major changes to your environment. Once you start, it’s a good idea to continue to do them on a regular basis - say, biannually or quarterly. For the summoning ritual, first turn off all the lights…
You wouldn’t happen to know anyone that does this kind of thing, would you?
As a matter of fact, I do! At Meta Defence Labs, we can do vulnerability scans or penetration tests on an ongoing basis or as a single engagement. If you want a nice shiny badge to go with it, (who wouldn’t?) you can check out the UK NCSCs Cyber Essentials Plus program, for which we are an authorised certification body.
Go on, you know you want to…