Just last night, I finished and submitted my final manuscript for my 12th book. It is all about Ransomware and Penetration Testing.

We all know to varying degrees how dangerous Ransomware can be, but believe it or not, it has been around for the last 30 years or so. In fact, the first Ransomware attack was delivered using a floppy disk. But this threat variant has evolved into something that has become extremely dangerous and costly. For example, the Cyberattacker of today is not just locking up your computer and encrypting your files. Rather, they are now launching extortion-style attacks, where they will expose your PII datasets if you don’t pay up. Or worse yet, they can even sell it on the Dark Web. But as I stated in the book, while we are all at risk of becoming a victim of Ransomware, the key is in learning how to mitigate that risk so that it does not actually happen.
One of the best ways to do this is through what is known as a Penetration Test. This is where you hire a team of individuals, or even a company that specializes in doing this, and they literally try to break down your walls of defense. In other words, they take on the mindset of an actual Cyberattacker, and throw everything and anything they have at your IT and Network Infrastructures.

You may be asking at this point: why go through all of this? Well, this is about the best way to truly find out where your weaknesses and vulnerabilities are. In many ways, it’s like a cardiologist conducting an angiogram on your heart. They will not truly know where the blockages are until your heart is illuminated with the special dye. Then from there, the proper course of medical treatment can be followed.

The same thing goes for a Penetration Test. A tester will not know what kinds of remediations and controls you need to put into place to cover your gaps until they do the needed testing. But it is very important to keep in mind that this is all what is known as “Ethical Hacking”. In other words, the Penetration Testing team not only needs to have your explicit permission to do all of this, but you and they have to sign a contract. And, if the Penetration Testing team feels that they need to do more tests, then they will have to explain the objectives and also ask for written permission in that regard.

Personally I have never done a Penetration Test, but I have heard stories about it from people I know that actually do them. But this morning, I came across a very interesting article from an individual that does this kind of work, and he offered three tips of free advice on how to keep your business safe. Here they are:
1) Adopt the Zero Trust Framework:

This is one of the biggest buzzwords in the Cyber industry today, and the basic mantra of this is “Never Trust, Always Verify”. What it all comes down to is that no employee in your business should be trusted when it comes to access to shared resources or PII datasets. This even extends to the employees that have been with you the longest. Anytime that anybody wants access to something, they have to be verified. But the key here is that this happens with at least three or more different authentication mechanisms. These include a password, a PIN, an RSA token, or even Biometrics. Another part of the Zero Trust Framework is to break out your IT and Network Infrastructures into different zones or segments, each with its own layer of defense, using Multifactor Authentication. So essentially you are breaking away from the traditional Perimeter Defense model, which is so easy for a Cyberattacker to break into these days. Although this is all heavily preached, it is rarely practiced in the real world. According to a recent survey in the online magazine “CIO”, only 25% of organizations have actually deployed this new approach. More information about this can be seen at the link below:

https://www.cio.com/article/230351/network-segmentation-as-security-imperative.htm

The key takeaway here is that you should have the right mix of controls in place, both from a logical and physical perspective.
2) Keep your IT/Network Infrastructure Modern:

By this, I don’t mean that you should buy everything out there that has come out. But keep your systems and devices all updated with the latest patches and upgrades. This includes firmware. Whenever you get that “End of Life” notice, it is time to start thinking of replacing your hardware. Most vendors are pretty good at giving you advance notice about all of this, and I know for a fact that Microsoft gives customers at least 12 months’ notice before anything comes to this extent. But even after this, there is still usually a small grace period in which full support is still provided. The best solution here is to use the Cloud, like Azure. With this, you don’t even have to be concerned with applications running out of a service life. Microsoft takes care of all of that for you.
3) Monitor your logs:

Probably the best way to find out if anything is awry is to keep a constant check on the files that are output by your network security devices. Now, this may sound like a horrible and tedious chore to do, but you can automate this entire process by using both AI and ML. For example, they can filter through all of the logs, and alert you and your IT Security team to any abnormal behavior in network traffic patterns. Also, they will be able to filter out all of the false positives that come in. That way your team can focus on what is real and legitimate.
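To make the log-monitoring tip concrete, here is an added example (my own illustration, not code from the post or from the article it cites). It parses a handful of constructed network-device log lines in an assumed key=value format, summarizes them per source host, flags hosts whose behavior departs from the baseline set by the other hosts (repeated denied connections, or outbound volume far above the median), and suppresses alerts for hosts on an allowlist so that a known heavy talker such as a backup server does not keep generating false positives. The log format, addresses, thresholds and the allowlisted host are all assumptions made for the example.

```python
"""Added example, not code from the original post: a small log monitor that
summarizes constructed network-device log lines per source host, flags
abnormal behavior against a baseline derived from the other hosts, and
suppresses known-noisy sources so analysts see fewer false positives.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample log lines in an assumed key=value format. Addresses are
# private/documentation ranges used as placeholders, not real systems.
SAMPLE_LOGS = """\
ts=2024-05-01T09:00:01 src=10.0.1.10 dst=203.0.113.5 action=allow bytes_out=1200
ts=2024-05-01T09:00:02 src=10.0.1.11 dst=203.0.113.5 action=allow bytes_out=900
ts=2024-05-01T09:00:03 src=10.0.1.12 dst=203.0.113.7 action=allow bytes_out=1500
ts=2024-05-01T09:00:04 src=10.0.1.13 dst=203.0.113.7 action=allow bytes_out=2500
ts=2024-05-01T09:00:05 src=10.0.1.10 dst=203.0.113.9 action=allow bytes_out=800
ts=2024-05-01T09:00:06 src=10.0.1.11 dst=203.0.113.9 action=deny bytes_out=0
ts=2024-05-01T09:00:07 src=10.0.1.11 dst=203.0.113.9 action=allow bytes_out=1100
ts=2024-05-01T09:00:08 src=10.0.1.50 dst=198.51.100.20 action=deny bytes_out=0
ts=2024-05-01T09:00:09 src=10.0.1.50 dst=198.51.100.21 action=deny bytes_out=0
ts=2024-05-01T09:00:10 src=10.0.1.50 dst=198.51.100.22 action=deny bytes_out=0
ts=2024-05-01T09:00:11 src=10.0.1.50 dst=198.51.100.23 action=deny bytes_out=0
ts=2024-05-01T09:00:12 src=10.0.1.50 dst=198.51.100.24 action=deny bytes_out=0
ts=2024-05-01T09:00:13 src=10.0.1.50 dst=198.51.100.25 action=deny bytes_out=0
ts=2024-05-01T09:00:14 src=10.0.1.50 dst=198.51.100.30 action=allow bytes_out=50000
ts=2024-05-01T09:00:15 src=10.0.1.200 dst=203.0.113.50 action=allow bytes_out=80000
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"action=(?P<action>allow|deny) bytes_out=(?P<bytes_out>\d+)"
)


def parse_logs(text):
    """Parse key=value lines into dicts; malformed lines are skipped so a
    single bad record cannot stop the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            ev = m.groupdict()
            ev["bytes_out"] = int(ev["bytes_out"])
            events.append(ev)
    return events


def summarize(events):
    """Per-source totals: number of denied connections and bytes sent out."""
    summary = defaultdict(lambda: {"denied": 0, "bytes_out": 0})
    for ev in events:
        entry = summary[ev["src"]]
        if ev["action"] == "deny":
            entry["denied"] += 1
        entry["bytes_out"] += ev["bytes_out"]
    return dict(summary)


def find_anomalies(summary, allowlist=(), deny_threshold=5, volume_factor=10):
    """Flag hosts whose behavior departs from the baseline.
    - denied >= deny_threshold: repeated blocked connections
    - bytes_out > volume_factor * median bytes_out of the non-allowlisted
      hosts: unusual outbound volume
    Allowlisted hosts (assumed known heavy talkers, e.g. a backup server) are
    still evaluated but reported as suppressed instead of alerting."""
    baseline = [s["bytes_out"] for h, s in summary.items() if h not in allowlist]
    vol_baseline = median(baseline) if baseline else 0
    alerts, suppressed = [], []
    for host, s in sorted(summary.items()):
        reasons = []
        if s["denied"] >= deny_threshold:
            reasons.append(f"{s['denied']} denied connections")
        if vol_baseline and s["bytes_out"] > volume_factor * vol_baseline:
            reasons.append(f"bytes_out {s['bytes_out']} vs median {vol_baseline:g}")
        if not reasons:
            continue
        (suppressed if host in allowlist else alerts).append((host, reasons))
    return alerts, suppressed


def run_monitor(text=SAMPLE_LOGS, allowlist=("10.0.1.200",)):
    """Parse, summarize and evaluate one batch of log text."""
    return find_anomalies(summarize(parse_logs(text)), allowlist)


if __name__ == "__main__":
    found, quiet = run_monitor()
    for host, reasons in found:
        print(f"ALERT {host}: " + "; ".join(reasons))
    for host, reasons in quiet:
        print(f"suppressed {host} (allowlisted): " + "; ".join(reasons))
```

On the sample data, 10.0.1.50 is the only host that alerts (six denied connections, and 50000 bytes out against a 2000-byte median), while 10.0.1.200 trips the volume rule but is reported as suppressed because it is allowlisted. The allowlist is the simplest form of the false-positive filtering the tip describes; a real deployment would learn the baseline from a longer window of history rather than from the same batch it scores.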
My Thoughts On This:

There are also many new buzzwords that are coming out in Penetration Testing, and they are “Automatic” and “Autonomous”. Many Cyber vendors of today are trying to deploy software packages that can conduct Penetration Testing on their own, proclaiming that human intervention is not needed.

Now, I have to put a disclaimer here. I have not personally tried out these tools myself, but if I were having a Penetration Test, I would still want an actual, real live human being doing it.

I am all for automation for certain parts of a Penetration Test, but you cannot rely solely on that. You still need that human presence to walk you through what was discovered, and what the remediations are to fill your gaps and vulnerabilities.