Have you had a penetration test?
Initially you may say yes, but remember, we’re strictly talking about cyber security…
I’ve been a freelance ethical hacker for many years. I love it; I can call myself a fluffy goat and write wacky blog posts. When engaging with clients, I like speaking as a normal person; it’s more personal!
I used to come across two types of companies; nowadays I come across three. Previously, a company either took cyber security seriously or did not. Where it did, successful penetration was typically more difficult and, if achieved, required a higher level of skill and sophistication. The other 70% of companies were typically very easily compromised in a very short timeframe.
Nowadays I come across three types of companies:
(A) Big-budget companies with a high level of security. Penetration is ever more difficult and exhausting, but they do sometimes make mistakes, and when they do, the adverse impact can be immense.
(B) Companies that take some level of precaution: maybe a pen test once a year, maybe a staff policy, firewalls and anti-virus all up to date, disaster recovery procedures, etc. These companies tick the boxes and brace for impact, hoping it will never happen, and it probably won’t as long as this is maintained and increased proportionately to growing threats.
(C) Companies that THINK they take cyber security seriously. These companies are the vulnerable ones. If cyber security isn’t being paid for, then penetration will likely be quick and take a minimal amount of sophistication. This means not only that they are vulnerable, but that the pool of black hat hackers able to compromise them is far bigger, including low-, mid- and highly skilled attackers rather than just the top end of highly skilled attackers that A and B face. Apart from this, poor security means these companies can easily fall victim to non-targeted, automated attacks by malware worms.
A bit more about company C:
I come across many IT executives who perceive their cyber security to be adequate, sometimes even while I am telling them that via passive OSINT I can see a way in right now. I find that much of the time it is only their perception, since if they have never engaged a penetration test then it simply isn’t possible to really know whether you’re vulnerable or not. In all honesty, it is an attitude from these top-level decision makers that can single-handedly render a company insecure, just awaiting that critical hack. Maybe controversial, but truthful: I notice this trend frequently as I sell my services as a freelancer, and you’d be surprised that some of these companies have a turnover of 50m+. Simply because the IT director has their anti-virus up to date, they sometimes feel secure... You know, anti-virus and firewalls do not stop hackers; sometimes it’s better for a hacker that you do have them, as they could be exploitable or misconfigured. Against anti-virus, hackers have FUDs (fully undetectable payloads), and against firewalls, hackers have reverse connection tools and encrypted tunnelling through common ports.
Working in maritime cyber security, it is sometimes fortunate that best practice is for cyber security to be managed by top-level executives and not by the IT department. I see why some may consider the UN’s IMO best practice guidelines a plausible option, since some IT departments may not wish to know that over the years they have been wide open, or even compromised already, as they feel responsible.
Cyber attacks can close companies overnight. By human nature we are reactive: we react once something happens, and in the cyber security realm this may be too late. Just don’t be company C.
Get in touch.