Are we Secure?

By guest writer Gregory Pickett. Greg is a sought-after Defcon speaker and leads RJSL's (www.RJSLgroup.com) internet / technology infrastructure security practice. He can be reached at gpickett@RJSLgroup.com


This is the question that many of us should be asking about our business and its systems, but unfortunately most of us don't really know. Sure, there are many among us who are told they are secure, but how do they know? In most cases, it is because someone told them that they were secure. If they asked the web server guy, what would he say? He would probably say, "Of course we are secure." The same goes for the email server guy, and the guy who handles the network. If not, you might be asking what we have been paying you for all these years. But are you really secure just because they say you are secure? I am sure that every business that was hacked also thought that it was secure the day before it happened, just because someone said so. So the question remains the same.

If we are stuck in the position of only having been told that we are secure but not really knowing, how do we move to that point? This is where testing comes into play. OK, but what kind of testing? There are several types of testing, such as security audits and vulnerability scans, but the real action happens with penetration testing. This is when someone, under controlled circumstances, actually tries to defeat your defenses. With penetration testing, you move from someone telling you that you are secure to knowing you are secure, because someone has tried to hack your systems just like the bad guys would. Using the same tools, techniques, and methods as hackers, they evaluate your systems and tell you the avenues of attack. With permission, they escalate and attempt to breach your protections and take control of your systems and your data. Afterwards, they prepare a report that tells you how they got in (or, if they didn't, how they tried), how they did what they did, and how to remediate it so that it doesn't happen again.

With penetration testing, you learn not only whether someone could get in, but also how they would do it and whether your supporting infrastructure and teams could detect and handle it. Is your monitoring sufficient? Would it let you know something was going on? Would your team know what to do? Could they remediate it properly and recover the systems involved in a timely manner? All these sorts of questions and more can be addressed during a penetration test.

Keep in mind that security audits and vulnerability scans are still important and provide different types of benefits, but there is no better way to know whether you really are secure than penetration testing. It is not a guarantee that you won't ever get hacked, but it is the closest you can come to knowing for sure where you really stand. Ultimately, though, the important question is answered. Are we secure? Yes, because someone actually tried.


About Richard Lee
Experienced finance and operations professional. Currently partner in five companies, adjunct professor of economics at Columbia College and executive contributor to a small business blog (www.SMBmatters.com); following corporate finance, M&A and management consulting tenures with Orbitz and Diamond Technology Partners; and six years of service with the United States Army.
