Toward the end of 2014, an unprecedented cyber attack was launched on Sony Pictures Entertainment which saw one of the world’s biggest brands brought well and truly to its knees for several weeks. This was then followed by similar attacks on the PlayStation Network and Microsoft’s Xbox Live service, which in both instances left millions unable to log into their accounts over the crucial Christmas period. This was of course interpreted and accepted as an annoying inconvenience by most, but for those running their own businesses where data plays any kind of key role, the whole affair constituted a stark lesson to be learned.
The long and short of it is that if these kinds of global mega-brands are in many respects at risk of such attacks, what chance do the rest of us have? Well, the simple answer is a very good chance indeed as while the attacks were indeed carried out by the highest-level hackers in the world, experts believe they were all 100% preventable. Though wholly adamant that it simply is not and was not the case, there are those who continue to insist that had both Sony and Microsoft implemented more robust pen testing practices, the data security breaches may never have happened.
In the Real World
All this talk of high-level security and targeted hacking campaigns can lead to the conclusion that it’s the kind of thing the real-world business operating at ground level needn’t worry about. Sadly, this is exactly the kind of attitude that welcomes disaster. The thing is, as more and more businesses than ever before make their way to the web, criminal gangs are likewise redirecting their efforts to hacking and general data security manipulation. As such, to operate an online business of any kind without the necessary protection is a little like running a conventional store without a lock on the door or any kind of security system – you simply wouldn’t take the risk. And while it might cost you a fair bit to make sure the whole place was covered, it’s an investment you couldn’t afford to overlook.
This is why it’s so surprising that even this far into the web revolution, there are still so many businesses and business owners that are doing practically nothing to watch over their online interests. In the hands of those who know the subject best of all, penetration testing doesn’t have to be overly complicated or expensive and yet can help bring the modern business the kind of wall-to-wall security that may otherwise be wholly impossible.
In terms of what a penetration test is and what it can bring a business, it’s a case of taking a look at things from the perspective of a hacker in order to see what they might do and how they might do it. It can be handled in an infinite variety of ways, though will in most instances incorporate the following elements:
- A controlled hack will be carried out on the data systems and networks of the business without the vast majority of staff being informed. The reason being that it’s supposed to give an accurate insight into what might happen on a regular working day, as opposed to a day when all staff members are actually expecting a hack to take place.
- The hacking process will help identify where and to what extent there are any holes in the data security practices of the business, which could be anything from minor to catastrophic. In all instances, these holes in the security ‘fence’ will be fully probed in order to ascertain exactly what they may offer a hacker access to if breached.
- No changes will be made at the time of the hack, but instead all findings will be recorded and presented to the business owners in the form of a report. This will detail exactly where the problems lie, the consequences of a hacking attack and a proposed plan of action for plugging the holes where necessary.
- A proposal may also be offered to give suggestions as to how such problems could be avoided next time by the company’s site/app design team and those that watch over security on a day to day basis.
The simple fact of the matter is that until you take a look at the subject from the perspective of a hacker, you have absolutely no idea what kinds of flaws may be present in your systems and to what extent. And it’s not until you know that you can do anything about them – waiting until they invite an attack from malicious hackers is simply not the way to go.