Penetration Tests: Can You Get Hacked Or Not?

That sooner or later someone will try to hack you comes as shocking news to many businesses. And the issue is not only competitors targeting new products or intruders planning blackmail. Any company may become the target of indiscriminate mass attacks, for example phishing. Or yesterday's students may find a zero-day vulnerability and seize the opportunity to profit from it. Finally, no one can feel safe from the next outage like the one caused by the Petya virus back in 2017.

Here are some striking examples of data leaks in the U.S.

Finance sector: Morgan Stanley, Carbanak, Experian, and Scottrade lost the data of about 50 million users. The total damage has been estimated in the billions, even though the banking sector is considered the most secure one: only 5% of cyber-attacks turn out to be successful. To a large extent, this good result is owed to external factors: state regulatory authorities compel financial institutions to use modern safeguards.

Medical institutions are the most vulnerable sector: a total of 39% of attacks reach their target, and this in a sector that holds the most “sensitive” information. Anthem, Inc., Premera Blue Cross, CareFirst BlueCross BlueShield, Beacon Health System, UCLA Health, and Excellus BlueCross BlueShield lost the data of over 110 million patients and medical center employees. The list goes on.

Even media giants and the IT sector are not safe from leaks. Sony Corporation has several times been involved in scandals over third parties breaching its information security perimeter. The dating sites Ashley Madison and Adult Friend Finder ran into serious trouble as well. And even one of the largest hosting providers, the globally known GoDaddy, failed to maintain its security integrity. Attacks on online services are successful in 31% of cases.

Oil and gas industry statistics are unfavorable as well: about one-third of companies use obsolete software and security systems that can be easily hacked by amateurs.

At this point any manager asks the fair question: what should we do? How can a reliable security system be built without spending all the money in the world? Fuel is added to the flames by the Federal Law “On the Security of the Critical Information Infrastructure of the Russian Federation” (FZ-187), which obliges businesses with critical infrastructure to join the State System for Detection, Prevention and Liquidation of Computer Attack Consequences (GosSOPKA). But how can one easily and safely find a system's vulnerabilities?

So-called penetration testing, or pentesting, helps to resolve the situation. During testing, cybersecurity professionals use the same methods as hackers: attacks, cracking, password theft, phishing, viruses, and social engineering. Their aim is to find a point of failure and gain access to IT systems.

A penetration test that fails to break in is the perfect result, as it is evidence of the security system's reliability. But if the security perimeter has been breached, the business owner still gains a number of material advantages.

First, the vulnerability is found before hackers detect it. Consequently, there is time for corrective work.

Secondly, investment priorities are set. It doesn't pay to repair something that works. Fixing the vulnerable places is much more efficient and less expensive.

Thirdly, you get a “special opinion”. You may trust your IT experts and use the most expensive software products. However, this does not guarantee 100% protection. There is always a chance that a vulnerability will escape the experts’ attention. The result of crash-testing the security system will either prove its reliability and the experts’ competence or help to anticipate potential problems.

Penetration testing is one of the new packages offered by Softline and Infosecurity. Though the service is relatively “young”, we already have some examples of penetration tests performed for different companies.

Big company A decided to check the reliability of its security system. It is engaged in B2B business: it sells goods to resellers and online stores, which connect to a special online platform, order goods in wholesale quantities, and resell them on their own sites.

The penetration test resulted in full access to the database holding the logins and passwords of all the online stores on the service, as well as information about the funds on the partners’ balances.

After capturing such information, intruders would be able to purchase equipment to the amount of million rubles, or could withdraw money from accounts. In that case, the anti-fraud check would be ineffective. With full access, a hacker could rewrite any reseller's contact information and confirm almost any action!

Our services cover several types of testing: external, internal, and sociotechnical. Case 2 starts with the first of these.

Company B, a software developer, decided to test its external line of defense. As a result, our experts penetrated the internal network. Management wanted to go further and find out how far a real hacker could get, and internal testing commenced from that moment.

The customer’s network consisted of three domains: one for developers, one for testers, and a main domain. However, it was possible to reach the entire infrastructure from each domain.

Our experts analyzed the entire server segment, detected vulnerabilities, escalated their access rights to the Administrator level, and gained access to online banking, file storage with commercial information, and innovations.

If such information were received by an intruder, the damage would be huge!

In the third case, a very big company with several thousand employees was tested. The external network turned out to be well protected, and the small vulnerabilities detected did not affect the company’s operations or information security.

Softline and Infosecurity experts commenced internal testing and went on site to try connecting to the internal network physically, via Wi-Fi or twisted pair.

During the analysis, a huge number of vulnerabilities were detected in the server and client segments, along with a lack of filtering of Internet traffic and of data transfer over the LAN.

If competitors took advantage of such vulnerabilities, they could easily gain access to all correspondence, documents, and critical information, bringing the international business to a halt and driving it to bankruptcy.

The more technical and human resources a company has, the greater the chance of data leakage. A complex system has always been, is, and remains a collection of “blind spots” that are quite difficult to discover.

Even a “schoolchild” poses a threat. However, serious attacks are always a targeted order from competitors.

Penetration testing is much cheaper than losses from data leakage and recovery.

Mikhail Apostolov
SOC Softline Product Manager
