What are the gaps in your Cloud security? Is your information really safe? Have you done any kind of penetration testing to check it out? If you have answered in the negative, it is never too late to begin.
Penetration testing or security assessment is a process of mimicking a hacker and testing the security gaps in your Cloud infrastructure. It helps you identify vulnerabilities in the system and ensure that your system remains compliant to the various legal mandates that surround information collection and management.
Penetration tests are preventive tests. They are preventive, because they alert the organization to system weakness and help the organization plug any security holes that may exist or may arise. To illustrate the point: when a new application is rolled out by you or your SaaS provider, the application interface may interact in unexpected ways with the existing operative interface to create security vulnerabilities that never existed before. It, therefore, makes sense to make a security assessment with every new rollout. This is especially true where the application handles sensitive data.
Penetration tests are maintenance tests. These tests are to be repeatedly conducted to ensure that the security measures put in place—firewalls, encryption, DLP and IDS/IPS–are working properly.
Preventive test is a legal requirement. Regulations like PCI DSS, require penetration tests to be conducted at specified intervals for passing the audit. The penetration test report is a record of the effectiveness of the security systems of the organization and is a measure of its ability to deal with cyber attacks.
Different organizations use different security assessment methods. The tests are customized in accordance with the goals and objectives of the organization.
A typical penetration test will be conducted on the following lines:
Step 1: Goal Setting—Setting the goals for the penetration test.
Step 2: Reconnaissance—Identifying the online systems that are being audited.
Step 3: Vulnerability Scanning—scanning the system to identify possible areas of vulnerability.
Step 4: Exploiting Vulnerability—Attempting to gain access to the information stores/ databases using the identified vulnerability.
Step 5: Brute Force Testing—Testing the system for weak passwords and attempting to break encryption, etc.
Step 6: Phishing and Social Engineering—Exploiting people resources for cyber attacks by phishing emails, malicious USB sticks etc to gain access to systems.
Step 7: Controlling, Pivoting and Gathering Evidence—Accessing the systems with key loggers, password hashes etc and taking control of the screen or jumping to different segments of the network and gathering evidence that the system is vulnerable.
Step 8: Reporting—Generating reports on how the penetration test worked and whether the tester was able to penetrate the network and acquire information.
Step 9: Remediation—Listing out of the areas of vulnerabilities and suggesting remedies to plug the security gaps
Penetration tests can be expensive and organizations need to be selective in their security evaluation. They must identify and select the most important digital assets for security assessment.