Cybercrime is growing, and the perpetrators are becoming more sophisticated.
Worse, they’re getting really good at networking – sharing techniques, code and successes that can multiply the effects of an attack exponentially.
Just last month, the huge Mirai attack launched a bot army of IoT devices on critical Internet infrastructure that supports big-name websites such as Twitter, Spotify and Netflix. The attack spawned copycats after the code was released on an online forum, and the effects are still being felt.
One of the biggest threats affecting organizations is attacks against applications, especially Web applications. The majority of respondents to a recent survey by the Ponemon Institute said applications get attacked more frequently and more severely than the network layer. And the most common security incidents due to insecure applications were SQL injections (29%), DDoS (25%) and Web fraud (21%).
Faced with such well-armed and organized foes, IT organizations have to be on top of their game to protect the enterprise from cyberattacks. But it’s getting harder to do as pressures mount to develop, test and release applications more quickly – and more cheaply – than before.
Some firms turn to third parties or open-source assets to assist with coding needs, but the results often come with known vulnerabilities built in. Poor configuration, weak default settings, outdated technologies and inadequate patching are other issues that boost the likelihood of an attack’s success.
And if the bad guys do get through, it could be months before the organization even knows it’s been breached.
This is scary stuff and a really difficult environment for enterprise IT to operate in. But there is one key step that can help any IT organization in this situation: penetration testing.
Penetration testing involves using highly skilled security specialists to uncover potential attack vectors and provide a comprehensive view of cybersecurity risks.
Testing can target external and internal networks, Web and thick client applications, embedded computing devices (including medical devices) and wireless networks. It can even feel out physical security controls and the potential for employees to fall victim to phishing scams.
Since most enterprise IT organizations already have a lot on their plate – with little time or budget to spare – an enterprise may consider bringing in a skilled partner for this important work. And I recommend repeating the process two or more times a year to ensure a constant evolution of security management.
Penetration testing can be a great, cost-effective way to get a handle on application security, while putting other measures in place to enhance cybersecurity in the long run. It’s a key first step everyone should consider in this high-risk environment and the only way to truly know if the tireless effort of protecting an enterprise is actually working.
Jason Hoerner is the managing consultant of CSC StrikeForce Security Consulting. Connect with him on LinkedIn.