There is no business in Glasgow, Edinburgh or Scotland that is too small to be targeted by network attack, all an attacker needs is one entry point to find a way into something bigger So how can Scottish businesses use a penetration test to fit their budget?
“We don’t need penetration testing, we’re so small” is something we frequently hear but this is simply absurd. Vulnerabilities exist in software, hardware, and configurations regardless of how big your business is. There are now regulatory requirements for penetration testing to be conducted regardless of organization size. This can be GDPR related or industry reacted such as legal or financial regulators.
The key questions are does a small business require penetration testing? How can a small business make penetration testing effective given limited resources? We will explore aspects of penetration testing and provide some tips on how to make it effective for a small business.
What is penetration testing?
We will look in web servers or network systems and applications that are exploitable by an attacker. The use of tools and publicly available exploits helps a penetration tester to be more effective in the assessment.
A vulnerability assessment is a surface-level scan of the web application or network ports for indicators of vulnerabilities such as version numbers and open ports. Issues reported after a vulnerability assessment may contain false positives as they are only based on initial indicators. Penetration testing takes one step further to attempt to exploit the found issues to confirm that they are indeed vulnerabilities.
For our Glasgow, Edinburgh and Scottish clients we recommend performing penetration testing before a new system is commissioned or when there are significant changes to the environment or code. For the existing system, it is recommended to perform it annually, with more frequent testing for sensitive systems such as systems dealing directly with critical processes, privacy data, or financial data. It is always recommended to perform both automated and manual penetration testing to have a comprehensive assessment result.
Considerations for Penetration Testing
Historically penetration testing was costly and time-consuming depending on the complexity of the system. As small business owners will always face resource constraints, penetration testing should be strategized to maximize its benefit. Glasgow, Edinburgh, Aberdeen and Scottish Business owners can consider the simple steps listed below to make an informed choice.
- Gather the organization’s critical information system assets
Most Scottish business do not have the full picture of what information systems they are running to power their business. These systems could range from an e-commerce web application bringing in revenue to an internal Human Resources (HR) system to manage employee time-off. These systems could be run directly by the business or could be a managed service by a provider.
- Determine the possible threats
Once you have identified the critical systems, determine the possible threats that the system may face. You can start by determining if the application is Internet-facing as it will mean that the application can be attacked by anyone in the public. Focus on Internet-facing applications/networks.
The more exposed interfaces will also mean more threats to the system. A system with only a web application (exposed web service) may not be as vulnerable compared to a system with multiple services (web, email, database, etc.) running on it. Focus on the system with more interface exposure.
Next, determine which are the targeted users of the application. If an organization does a good job vetting and auditing its users, they will pose less threat to the system than external users who have little incentive to use the system in good faith. This difference makes it crucial to pay more attention to systems which allow external users. Focus on applications used by external users.
Lastly, systems or networks dealing with sensitive information cause more damage when compromised. If you need to make a choice between a system storing sensitive information such as Personal Identifiable Information (PII) or credit card details vs a system storing public information, focus on the system storing sensitive information.
One more thing, you may not classify regulatory requirements as threats but you will once they start costing you money or hindering your ability to operate your business. Focus on regulatory requirements.
- Prioritize threats by risk level
“I’ve identified the threats and there are so many of them, which ones do I tackle first?” might be the question that is bothering you right now. To tackle this problem, business owners have to prioritize them according to risk level. IT risk is determined by the impact the threat will bring to the network or system and the likelihood of it happening.
Ultimately, it is the risk to the business that we are talking about. Systems with high-risk threats to the business should always be addressed first, followed by medium and low threats. Risk assessments can be complex but achievable once broken down into simple steps.
Riverbank Solar are a Glasgow based IT Support provider who offer Cloud and IT Support to businesses in Glasgow, Edinburgh, Aberdeen and the rest of Scotland. Contact us today to find out how our Penetration Test will help you identify issues. Call us on 0141 474 1995 or arrange a FREE IT Audit.