Cyber risk is one of the most closely watched risks for organisations today, because it has emerged only recently, is poorly understood, and has wide-reaching implications.
According to Samir Khare, vice president and global cybersecurity services delivery lead for Capgemini, the present cyber risk approach of many businesses is very IT-centric. This means that most businesses are focussed on detection and response to possible attacks on their IT assets, and certain other aspects of cybersecurity are being neglected.
“Prevention in terms of good threat intelligence and robust vulnerability management (scanning and patching) is a neglected area,” he said. “Often, most cyber incidents are a result of vulnerability exploitation and/or lack of information of an evident threat, as well as poor education.”
Another widely neglected area is identity, which is fast becoming the new attack surface. As a result, businesses are grappling with funding to implement a good identity lifecycle and governance tool.
Khare added that compliance is fast gaining importance in the risk management approach of corporations, as regulatory standards are becoming stringent and some, such as GDPR, have financial consequences for non-compliance.
What is penetration testing?
One important tool to test an organisation’s cyber security is penetration testing, also known as a ‘pen test’. According to Khare, it is an authorised simulated attack on a computer system, performed to evaluate the security of the system. It involves simulating the actions of a hacker, using various tools and techniques, to exploit critical systems and gain access to sensitive data. It is a crucial tool that helps strengthen an organisation’s cyber security posture.
Some of its benefits include:
- Testing the security posture in real time and providing crucial inputs to improve, fix, or strengthen the state of cybersecurity
- Protecting the brand image by securing and safeguarding the organisation’s and customers’ data
- Providing a benchmark for building customer confidence when dealing with their sensitive infrastructure
- Meeting legal and regulatory requirements
- Conforming to industry best practices
How is a pen test conducted?
Khare shared the following steps on how a penetration test is done:
- Planning and preparation – Initial communication with the client takes place and an information collection request is sent
- Information gathering and analysis – Information about the system to be tested is collected. Active and passive analysis is performed to gather more information about the target system (e.g. banner grabbing)
- Vulnerability scanning using automated tools – A tool-based vulnerability scan is performed to identify vulnerabilities of critical, high, medium and low risk severity
- Manual vulnerability testing – A comprehensive manual assessment of identified security vulnerabilities is performed to remove false positives and capture proof of concept for confirmed security vulnerabilities
- Penetration testing/exploitation – Based on approvals, exploitation of identified security vulnerabilities is performed
- Analysis and reporting – Technical and management reports are shared with the client
Khare said that after a penetration test, organisations should thoroughly evaluate the identified security vulnerabilities and devise an action plan to quickly remediate critical and high risk security issues.
“Later, work on medium and low risk issues and track them until closure,” he said. “Post-remediation of all the identified security vulnerabilities, a re-test should be conducted to ensure that all vulnerabilities were actioned upon.”
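As an added example that is not from the article or from Capgemini, the following Python script models the post-test workflow described above: findings carry the severity bucket the scanner assigned, items dismissed as false positives during manual verification are excluded, critical and high-risk items are queued first, every confirmed item is tracked until closure, and a re-test result either closes or reopens it. The SLA days, finding IDs, titles and dates are constructed sample values, not data from any real engagement.

```python
"""Tracker for the remediation phase that follows a penetration test.

Added example, not code from the article or from Capgemini. It models the
workflow the article describes: scanner severity buckets (critical/high/
medium/low), manual verification that removes false positives, critical and
high issues fixed first, every issue tracked until closure, and a re-test
that verifies each fix before sign-off. SLA_DAYS, SAMPLE and AS_OF are
constructed values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Severity(Enum):
    CRITICAL = 4
    HIGH = 3
    MEDIUM = 2
    LOW = 1


class Status(Enum):
    OPEN = "open"                      # confirmed, no fix yet
    REMEDIATED = "remediated"          # fix applied, re-test pending
    VERIFIED = "verified"              # re-test confirmed the fix
    FALSE_POSITIVE = "false_positive"  # dropped during manual verification


# Assumed remediation deadline per severity, in days (constructed policy).
SLA_DAYS = {Severity.CRITICAL: 7, Severity.HIGH: 30,
            Severity.MEDIUM: 90, Severity.LOW: 180}


@dataclass
class Finding:
    id: str
    title: str
    severity: Severity
    reported: date
    status: Status = Status.OPEN
    retest_passed: Optional[bool] = None   # None until a re-test is recorded

    def due(self) -> date:
        """Deadline derived from the reporting date and the severity SLA."""
        return self.reported + timedelta(days=SLA_DAYS[self.severity])

    def is_active(self) -> bool:
        """Still needs work: either unfixed or fixed but not yet re-tested."""
        return self.status in (Status.OPEN, Status.REMEDIATED)

    def is_overdue(self, today: date) -> bool:
        return self.is_active() and today > self.due()


def remediation_queue(findings: List[Finding]) -> List[str]:
    """IDs of unresolved findings: critical first, earliest deadline first within a severity."""
    active = [f for f in findings if f.is_active()]
    active.sort(key=lambda f: (-f.severity.value, f.due()))
    return [f.id for f in active]


def overdue(findings: List[Finding], today: date) -> List[str]:
    """IDs of unresolved findings that have passed their SLA deadline."""
    return [f.id for f in findings if f.is_overdue(today)]


def record_retest(finding: Finding, passed: bool) -> Status:
    """Apply a re-test result: a pass closes the finding, a fail reopens it."""
    if finding.status == Status.FALSE_POSITIVE:
        raise ValueError(f"{finding.id} was dismissed as a false positive; nothing to re-test")
    finding.retest_passed = passed
    finding.status = Status.VERIFIED if passed else Status.OPEN
    return finding.status


def ready_for_signoff(findings: List[Finding]) -> bool:
    """True only when every confirmed finding has a re-test-verified fix."""
    confirmed = [f for f in findings if f.status != Status.FALSE_POSITIVE]
    return all(f.status == Status.VERIFIED for f in confirmed)


# Constructed sample findings from a hypothetical engagement; dates are arbitrary.
SAMPLE = [
    Finding("F-001", "Outdated TLS library on public web server", Severity.CRITICAL, date(2024, 1, 10)),
    Finding("F-002", "SQL injection in product search", Severity.HIGH, date(2024, 1, 10), Status.REMEDIATED),
    Finding("F-003", "Verbose server banner discloses version", Severity.LOW, date(2024, 1, 10)),
    Finding("F-004", "Missing HttpOnly flag on session cookie", Severity.MEDIUM, date(2024, 1, 10), Status.FALSE_POSITIVE),
    Finding("F-005", "Default credentials on admin console", Severity.CRITICAL, date(2024, 1, 12), Status.VERIFIED, True),
]
AS_OF = date(2024, 1, 25)   # constructed reference date for the status report

if __name__ == "__main__":
    print("work in priority order:", remediation_queue(SAMPLE))
    print("past SLA:", overdue(SAMPLE, AS_OF))
    print("ready for sign-off:", ready_for_signoff(SAMPLE))
```

Sign-off deliberately ignores false positives but refuses while any confirmed finding is merely "remediated": a fix that has not been re-tested is not closed, which is the point of the re-test the article calls for.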
Looking forward, Khare said that in the next few years, the cyber defence strategies of corporations will have to be based on the business risk, and not risk to IT assets alone.
“A risk based approach will be needed to prioritise risks and countermeasures before undertaking investments in tooling,” he said. “Greater emphasis will be needed on unearthing insider threat. Most security strategies today are based on the external threat environment.
“Speed of detection and response will be enhanced by effective usage of tooling on user and entity behavior analytics (UEBA), security orchestration, automation and response (SOAR), and AI. As the connected world increases in scope, boundaries between IT security, operational technology security, and electronic physical security will diminish and demand integrated monitoring and response systems.”