They want to get inside your IT systems. Theft, control, and sabotage are all motivations for attackers seeking to exploit “attack paths” leading them to your data assets, your bank accounts and your system super-user privileges.
Those attack paths may not be anything you expect – in fact, they are more likely to be vectors you are unaware of, because you already blocked off access through the routes you know about. This situation calls for a different approach to IT security.
Network penetration testing takes that different approach: it starts from the position of a hacker or saboteur looking at your Los Angeles distribution company from the outside, without assuming that the defenses you already know about are enough.
1. Prioritize with the Business Data Owners
You could point network penetration testing at everything under the sun, the way a brute-force password attack runs through every possible combination of characters. That is slow and expensive, and it does not tell you what matters most.
However, what you want to know first is whether your most important assets are protected. The business managers in areas such as shipping and finance should be able to point out the data that is the most important and which applications use or interface with that data.
2. Do It Inside and Out
Threats exist on both sides of your organizational perimeter. Your ‘pentests’ (penetration tests) must cover both possibilities:
- External pentests mimic the tactics of anonymous attackers coming in over the Internet, with no more knowledge or access than anyone else on the Internet has.
- Internal pentests gauge the risk from someone who is already on your network: an employee, a service provider, a visitor, or an outside attacker who has compromised one of their accounts or devices.
3. Run Network Penetration Testing at the Right Times
Penetration testing should be a regular activity. However, some events or changes can also trigger a requirement for extra pentests.
- New IT/network equipment or software
- Major modifications or upgrades to computing or networking installations
- Office moves or new offices
- Upgrades to security technology
- Changes to end-user access profiles and permissions
4. Get the Necessary Permissions
Penetration testing done properly can crash systems or disrupt services. Better to find that out from a test than from a real attacker, but it means that testing against live systems under normal business conditions, especially when the test is meant to surprise your staff, needs two things:
- Written authorization, with an agreed scope (which systems and address ranges are in and out of bounds) and testing window, from those empowered to give it (the CEO and department heads, for example).
- A predefined (and pretested) security incident response plan to properly recover from any test impacts.
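The scope and window agreed in that authorization are only useful if the testers actually enforce them before touching a target. The following is an added example, not code from the original article: a small Python scope gate that checks each candidate target against a rules-of-engagement record for either an external or an internal test (the two test types from tip 2), refusing anything outside the authorized ranges, anything explicitly excluded (for instance a production database or a third-party-hosted host), and anything outside the agreed testing window. The address ranges, exclusions and window below are constructed for illustration.

```python
"""Scope gate for a penetration test: refuse any target the written
authorization does not cover.  Added example, not the article's own code.
All rules-of-engagement values here are constructed for illustration."""
import ipaddress
from datetime import datetime, timezone

# Constructed rules of engagement.  Assumption: in practice these values are
# copied from the signed authorization, not typed from memory.
RULES_OF_ENGAGEMENT = {
    "external": {
        "allowed": ["203.0.113.0/24"],      # public range (documentation net)
        "excluded": ["203.0.113.10/32"],    # e.g. a host run by a third party
    },
    "internal": {
        "allowed": ["10.20.0.0/16"],
        "excluded": ["10.20.5.0/24"],       # e.g. warehouse equipment VLAN
    },
    # Authorized testing window, UTC, as written in the authorization.
    "window": ("2024-06-01T22:00:00+00:00", "2024-06-02T06:00:00+00:00"),
}


def _networks(cidrs):
    """Parse a list of CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def check_target(target, test_type, when, roe=RULES_OF_ENGAGEMENT):
    """Decide whether one target may be tested now.

    Returns (allowed, reason).  `when` must be a timezone-aware datetime so
    that the window comparison cannot silently use local time.
    """
    if test_type not in ("external", "internal"):
        return False, f"unknown test type {test_type!r}"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are rejected on purpose: resolve them first and check
        # the resulting address, so a DNS change cannot widen the scope.
        return False, f"{target!r} is not an IP address; resolve it first"
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware"

    start, end = (datetime.fromisoformat(t) for t in roe["window"])
    if not start <= when <= end:
        return False, "outside the authorized testing window"

    section = roe[test_type]
    # Exclusions win over allowed ranges, so a carve-out inside an allowed
    # block is honoured.
    if any(addr in net for net in _networks(section["excluded"])):
        return False, "explicitly excluded by the rules of engagement"
    if not any(addr in net for net in _networks(section["allowed"])):
        return False, f"not in the authorized {test_type} ranges"
    return True, "in scope"


def filter_targets(targets, test_type, when, roe=RULES_OF_ENGAGEMENT):
    """Split candidate targets into (approved, rejected_with_reasons)."""
    approved, rejected = [], []
    for target in targets:
        ok, reason = check_target(target, test_type, when, roe)
        (approved if ok else rejected).append(target if ok else (target, reason))
    return approved, rejected


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 23, 30, tzinfo=timezone.utc)
    candidates = ["203.0.113.25", "203.0.113.10", "10.20.7.7", "gw.example"]
    approved, rejected = filter_targets(candidates, "external", now)
    print("approved:", approved)
    for target, reason in rejected:
        print("rejected:", target, "-", reason)
```

Feed the scanner only the approved list, and log the rejected list with its reasons, so that the authorization, the scope check and the scan record all agree on what was tested.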
5. Prioritize Fixes
Depending on how thorough the testing is, you may end up with a long list of items to be remedied. Priorities will typically follow those of your business, with critical systems and data repositories attended to first.
IT security is always a compromise between effort made and protection achieved. You get the best compromise possible by tackling the items in decreasing order of business impact and likelihood of occurrence, which means a finding that is easy to exploit against a critical system comes before a hard-to-exploit one against a minor system.
6. Consider Specialist Assistance
Getting inside the head of the would-be attacker is an important part of effective network penetration testing. This is sometimes difficult when you see your systems day in and day out as a user or manager. For this reason and also because of the technical expertise required, it may be advisable to work with reliable professionals to achieve the best overall results.
Has your Los Angeles distribution company conducted network penetration testing? Do you have any additional tips? Please share your thoughts in the Comments box below.
And to follow through on the tips introduced in this short article, be sure to download your free guide, How COOs at Los Angeles Distributors and Manufacturers Get More Done: A Guide to Productivity, Data, Staffing, Delegation, and Making It Home for Dinner Most Nights.