REDLEGG BLOG
how-to-test-your-security-operatons-redlegg-cyber-security

4 Ways to Test Your Company's Security Operations

1/23/19 10:43 AM  |  by RedLegg Blog

View RedLegg's Pen Test Offerings

The last couple years have been a challenge to businesses that haven't yet fully addressed their cybersecurity issues. From the infamous Equifax breach in 2017 to the more recent Facebook-Cambridge Analytica breach, businesses are quickly realizing the grave threats they face every single day they're online.

In this article, we outline the best ways to keep your applications and networks secure using penetration testing and other effective methods. Please bear in mind that this list is in no way exhaustive. Without further ado, here are the 4 most common ways to test your company’s security operations:

1) Network Testing: This type of testing helps prevent unauthorized remote access to your servers and systems by eliminating or minimizing network vulnerabilities.

  • Vulnerability Assessment – As the name suggests, a vulnerability assessment discovers security vulnerabilities and other flaws in your network. These flaws can grant attackers an easy way into your network.
  • Penetration Testing – Attacking your own network to find exploits that can be used by bad actors is called network penetration testing. This testing unearths real-world, practical network vulnerabilities that can be misused if left unfixed.
  • Red Team Exercises – Although traditionally used by the armed forces, this exercise can help your company test its cyber defense readiness. One security team (red team) launches an attack on your network, while the other (blue team) tries to defend against it.

2) Application TestingEven the most secure network won't help if your software/applications are plagued with vulnerabilities. This type of testing is essential, with so many internet-facing applications being used today by businesses.

  • Application Security Assessment – Applications have become a choice point of attack for cyber criminals. Web and mobile application testing not only helps you identify security exploits that could be misused, but it also ensures that they remain compliant with existing cybersecurity laws and guidelines.
  • Static Source Code Analysis – Analyzing the code of an application before execution is an effective debugging method that uncovers many of the flaws present in it. This analysis includes both security and operational flaws that need to be fixed to deploy your application in a secure and stable manner.
  • Dynamic Source Code Analysis – Once code is executed, it interacts with various other elements of your network or your server (application servers, databases, and so on). Code analysis tools designed for this stage ensure that no other flaws crop up when your application is running.
  • Manual Source Code Review – Sometimes automated tests aren't able to identify flaws that humans can. Manually assessing the source code of your application is an essential application testing phase that will help you find and fix security issues missed during automated analysis.

3) Social EngineeringIt's not always a network or an application that's the weakest link in your company's security. Social engineering practices try to exploit the human element of your business by tricking users/customers/employees/staff.

  • Phishing Assessment – Phishing attacks are emails from a seemingly legitimate sender, designed to steal sensitive information like passwords, usernames, and other credentials. Assess your employees' susceptibility to phishing emails, and train them accordingly.
  • Vishing Assessment – Vishing (voice phishing) attacks involve attackers physically calling someone to obtain sensitive information. Assess your employees' readiness to handle such attempts, and train them to be wary.
  • Smishing Assessment – Smishing (SMS phishing) attacks use simple text messages to entice you into giving up critical information voluntarily. This comes in many forms, such as messages about lottery wins, free vacations, and more.
  • Physical Breach Assessment – You might have the best cybersecurity team in the world, but even they can't stop someone from getting close to your business and physically entering the premises unless physical security controls are in place and enforced. Assess sensitive areas and ensure that your employees are trained to be wary of such attempts.

4) Other Methods Even if you've done your due diligence when it comes to networks, applications, and even people interacting physically with your business, you might need to dig deeper to uncover some security holes, especially in facilities like factories and laboratories. These tests are designed to ensure that your hardware as well as your offices and data centers are resistant to any intrusion attempts.

  • SCADA Testing – SCADA (Supervisory Control and Data Acquisition) penetration testing makes sure that your control mechanisms are free of security flaws and can't be misused remotely. This is done by performing a series of tests on the network and application of this system.
  • Embedded/ICS Testing – Embedded and Industrial Control Systems (ICS) are sensitive parts of any manufacturing facility, pilot plant, or factory. Testing them to ensure that attackers can't misuse any security issues is paramount for these types of facilities.
  • Physical Security Walkthrough – Assess your systems by walking through your facility. Make sure that every access point is protected by passcodes or scanners. Someone gaining easy access to your systems by physically walking up to them is an important issue that needs to be assessed and addressed.
  • Board-Level Hardware Testing – Your hardware is as vulnerable to attacks as your software is. Test even board-level hardware to ensure that your hardware isn't plagued by exploitable security issues. The recent Meltdown and Spectre vulnerabilities are excellent examples of how hardware-level issues can leave your data open to attack.

Every business is different. Consequently, every cybersecurity plan has to be tailored to a specific business, and requirements will vary across companies. Although the list above does cover the most common methods of testing your company’s security operations, it doesn't account for specific security risks and needs. While your business might need only a few of the above tests to remain secure, others might need a more comprehensive series of tests.

View RedLegg's Pen Test Offerings

Get Blog Updates

Related Articles

Critical Infrastructure Protection And Security with Phil Grimes pen testing, industry news

Critical Infrastructure Protection And Security with Phil Grimes

We're reviving an oldie-but-a-goodie this week as we revisit the heart of Critical Infrastructure Protection and SCADA ...
Optimizing Your Vulnerability Scans: From Beginning To End pen testing, vulnerability

Optimizing Your Vulnerability Scans: From Beginning To End

A vulnerability scan should be concentrated on compiling a complete catalogue of vulnerabilities that affected the ...