Author: Stuart Rorer, Senior Consultant at A-LIGN.
“Big Box Store ABC Has Been Hacked, Customer Card Information Exposed!”
“E-Commerce Giant Acme Inc., Suffers Cyber Intrusion”
Headlines like these are appearing each day, most of which seem to apply to big box stores and large public companies. With the rise of these attacks, companies are scrambling to enhance their cybersecurity and protect their data from the next big breach. While preparing to defend themselves against cyber-attacks, companies easily discover the large expense that can go with it. After assessing the costs, some companies, especially smaller ones, begin to wonder if the cost is worth it.
From past conversations, I have heard many managers say they felt that their company was too small, or not as well-known as larger companies so they would not be considered for being a target. I call this hiding behind the illusion of insignificance.
It is an easy mistake, but many people fail to realize that when it comes to finding a target, very seldom do cyber criminals care how large or small a company is. The cyber-attacker has many tools at his/her beck-and-call, many of which are automated. While there are some attackers who want to target a specific entity for a cause or purpose, many instead are just as happy finding something they can exploit. To illustrate the matter, a quick example is given below.
Hacking Because They Can
Released on an online public hacking forum is the news of a new exploit that affects a popular web server platform. After skimming the details, the attacker locates the version numbers which are affected. Using an automated tool, or even a bot, the attacker starts probing large network areas for servers with the vulnerable version of software. Checking back later in the day, he/she is exuberant in finding well over 500 targets to choose from in such a short period of time. The tool was not able to differentiate between a large or small company, it just scanned a range of addresses and looked for a version number. It is for this very reason that no one can assume that they will not be attacked based on their public presence or the size of their company.
Knowing that no company is discriminated against in the process of target finding, the question still remains on what can be done to protect a company’s information and not break the budget while doing so. While some resort to hiring a full staff of information security professionals for their company, others do not have the funds to dedicate towards providing the salaries of a full team. This is where companies can use penetration testing services to evaluate their information security posture to identify weaknesses before the “bad guy” does.
A-LIGN’s Penetration Testing Services
A-LIGN’s penetration testers duplicate many of the techniques that computer criminals will try against your company. During their assessment, they will look for holes in the infrastructure and try to exploit what is there to show the client the depth of vulnerabilities their company is exposed to. The level of exploitation is agreed upon by the client and A-LIGN prior to testing so as not to create any unnecessary disruptions. After the testing period is over, the results are presented in a report format so they can be reviewed. Once reviewed, the company can begin to take action to fix the issues that were found, in hopes of preventing a true attack from occurring.
Preventing, and defending against cyber-attacks is not an easy task but is critical in today’s cybersecurity landscape. There are many proposed methods and solutions, but a penetration test is a tried and true approach to evaluate your security. Companies are like the human body: when it comes to a treatment plan, there is not always a one size fits all solution. It is important not to rely on being small or less recognized than other companies as a form of protection. In making decisions for protecting your information, it is important to know what is vulnerable and where. Having a penetration test can help to make this assessment and can help provide the details needed to make better decisions in defending your infrastructure.