Every day, companies large and small are falling victim to corporate espionage, hacktivists, professional hackers and insider threats. Many of these companies had no idea what vulnerabilities were tied to their websites, corporate networks, online services or lack of personnel training and compliance before they were compromised and suffered tremendous losses in fines, settlements, intrusion mitigation, technology upgrades and retraining. Wouldn’t it be great if you didn’t have to wait to be hacked to know what dangers are lurking on their network?
That’s where the team at NovCon comes in. Not only can they show you vulnerabilities in your networks that may have been overlooked by administrators or determined insignificant by management, but also show what could have been exploited and the losses that could have occurred in a real world scenario using those same vulnerabilities. This is accomplished by conducting a penetration test (or “pentest” for short).
A penetration test is a simulated attack in which a Red Team (a team of security professionals) tries to determine the most likely weaknesses in a target network that real-world hackers might exploit to gain access or proprietary information. The Red Team uses many of the same tools and techniques to gain access to the target network as real-world hackers use every day.
The Red Team at NovCon Solutions continually works to ensure they are using the latest valid real-world techniques by staying up to date with the security industry conferences and research, sharpening our skills whenever possible. Compliance certifications, checklists, vulnerability scanning and training can only take you as far as when those tools were written. But the real world is constantly changing, and your clients’ potential enemies are constantly evolving as well. Consider compliance certifications and vulnerability scanning as a baseline in your clients’ security. Penetration testing is the next level to see how well that baseline can withstand simulated real-world attacks, and how you can help your clients mitigate the discovered risks and better orient the their defensive postures to keep them safer in the real world.
Sadly, no simulation can predict every possible attack vector and potential vulnerability that may exist in the future, and penetration testing is no different. Discussed later in the methodology section, our goal is to find the most likely avenues of attack with the limited time and resources provided so that your clients can secure those vulnerabilities and prevent them from being a “low-hanging fruit” target for an attacker.
Consider the world of information security similar to the world of physical locks. Given enough time and money, any physical lock can be overcome, whether by lock pick, dynamite, or missile attack. The value of a lock, therefore, is in the amount of time, effort and resources that go in to breaking it. A smart adversary will not spend thousands of dollars to defeat a lock when there are plenty of other weaker locks (“low hanging fruit”) at other companies with similar data that require almost no effort to break.
Similarly, a smart attacker will not spend an amount of time, effort and resources to defeat a lock that exceeds the perceived value of what is behind it.
So then, the strategy is to make it as difficult for the attacker as possible by finding and closing all the easily exploitable holes. Applying available time, effort and money to bring up the baseline of your clients’ security will go a long way to making them less of an appealing target in the real world.