Cyber security is hard. There are a million[1] vendors, who each have a million[1] products, there are a million[1] standards that every business should strive for, and there are million-dollar fines[2] if you get breached… so, where do you start?
At The Missing Link, our mantra is to bring clarity to the complex world of ICT security, which isn’t easy to do. My approach is to try and simplify things as much as possible. I figure out how to explain the tougher aspects of cyber security to my parents, my kids, or at the pub. If I can make that explanation work, then I’m confident I can explain it to my clients, and help them figure things out, too.
Red Teaming is a good example of this approach. I’ve presented clients with proposals and had them say “hmmm… but this is more expensive than what we did last year. There must be a difference, but what is it? How do I explain that to my boss or execs?”
I ask if they know the difference between a Vulnerability Assessment and a Penetration Test, and the answer is often “no”. Here’s how I help clear things up and give a simple explanation. Hopefully this analogy is helpful for you, as well!
Penetration Testing as a house: An analogy
Imagine you’ve got a house. Well, a Vulnerability Assessment (VA) is like a simple review of the security of your house. It asks questions like:
- Do you have a front gate? Do you have a lock on the door?
- Is it an old, out of date lock that can easily be broken?
- Do you have bars or locks on the windows, and CC TV cameras set up?
You do? Great – you’ve got a level of assurance just by having these controls in place. But how well are those defensive controls actually implemented?
That’s where a Penetration Test comes in. When we conduct a Penetration Test, we go above and beyond the simple checks and balances of a VA.
Penetration Tests detect vulnerabilities that automatic testing tools can’t
A VA will tell you that you have a fence, but it won’t try climbing it to see if it’s high enough, or identify any obstacles in place to deter climbers. Plus, it certainly won’t tell you whether it’s impossible to climb. That’s the job of Penetration Testers, who thoroughly assess your security controls using the tools that hackers (or robbers in this case) might.
Conducting a VA also has its limitations when it comes to highlighting issues with your house’s security. Concerningly, a VA is only capable of finding issues that have been detected in other houses before yours and will miss any problems with anything you’ve had custom-made. So, if you’re looking to assess that custom floorplan for security camera blind spots or booby trap your stunning front garden, you’re probably better off getting a Penetration Test.
A penetration test will determine the actual risk you’re dealing with
When we conduct a Penetration Test, we’re also going to see what happens if we exploit those vulnerabilities, to understand the actual risk to the house.
So, you’ve got a fence and gate around your house, but how secure is it really? The gate might not be locked, or you can climb over it, or it has a gap in it from where one of your dogs has dug under the fence, or your kid likes to sneak out of at night time (surely not!).
Taking a long, hard look at your front door, it might have a lock on it, but perhaps you forget to lock it on occasion (we’re all guilty of it!). And those bars on the windows are fine, but with a proper examination, we can see the foundations are rotting and they’re easy to pull out.
After all these checks and balances, your pride and joy isn’t looking so secure anymore. Penetration testing ensures nothing is missed or left to chance.
Red Teams get creative when they’re breaking in
Let’s assume that all those controls are pretty average, but you’re really just trying to protect your “crown jewels”, for example personally identifiable information (PII), research and development secrets or your hard earned money. You store these valuable items in a top-of-the-line safe, which resides in a room inside your house. It’s guarded by well-trained attack dogs, one of those laser traps which is triggered when it gets touched, and cameras that are monitored 24x7 by experts in security.
All of a sudden the external controls aren’t as important, right? Sure. But then our Red Team gets creative. The right attacker will do their research and maybe bring some steak for those dogs. They might get crafty and hire Catherine Zeta Jones from the movie “Entrapment” to snake her way through the lasers and possibly steal someone’s identity so that the 24x7 cameras can’t tell they don’t live there.
Importantly, our Red Team are super sneaky like the bad guys, and they’ll also check whether they can get in undetected by your security system. They keep a keen ear out for any alarms and probe how long your guard dogs and laser traps take to respond (if they’re activated at all). This way, they can report back with solid recommendations on how to improve for any future break-ins.
Get the experts in to protect your 'house'
I guess what I’m trying to say is Cyber Security is hard. All of the measures you take to protect your organisation’s ‘house’ need to be tested. They need to be tested in innovative ways by people who know what they’re doing.
The Missing Link is an industry-leading expert in this field, as evidenced by the skill level of our consultants, the various certifications we’re really proud of, the clients who trust us, and our reputation in the industry.
We’d love to talk to you about the appropriate levels of security controls and security testing for your organisation to help clarify the complex world of ICT security for you. Reach out today.
[1] Creative licence has been taken by the author here for dramatic effect
[2] Mandatory Breach Notification regulations from the Privacy Act
