Vulnerability Assessment and Penetration Testing
By HSI | September 14, 2018
Corporates spend a lot of their IT Budget on security – to protect their networks, applications and data from attack. However, they are not always successful. Just in the last month you would have read about a large private bank in India, that lost Rs. 94 crore to hackers, and to a prominent airline where 380,000 Payments card information was compromised. Why and how does this happen?
The simple reason is, that 100% security is next to impossible. The IT Security person has to succeed every time, the hacker has to succeed only once. The IT Security person needs to make just one mistake, the hacker one right move at the right time. The odds are overwhelmingly in favour of the bad guys, and there are just too many of them.
So, what can one do after spending all the money to secure your systems? Does one wait for a hacker to attack, and hope (and pray) that our defenses stand up and that there are no unpatched vulnerabilities, no weaknesses that can be exploited? Luckily that is not the only option. Companies can (and do) hire “ethical hackers”, who with prior permission, try to do exactly what the hackers do – try and compromise your networks and data. The only difference is, that their motive is not to steal your data or bring down your network, but to identify and bring to your attention any loopholes in your security that you might have missed addressing. You can then take care of them before they get exploited – and guidance for this is also provided.
You can either just do “Vulnerability Assessment” (“VA”) where the objective is just to find the vulnerabilities in the network and prepare a report, or you can include “Penetration Testing” (“PT”) in the scope as well. Here, once a vulnerability is found, the ethical hacker will try to exploit it, to see how deep he can get into your systems and what data he can compromise. In both cases, you have the option of a “Black Box” or “White Box” approach. In “Black Box”, absolutely no information is provided to the “hacker” and he has to try to brute force his way into the network, whereas in White Box, he is provided information about the company assets, IP addresses and sometimes even login credentials to check if these can be abused to take advantage of the company. There is also a “Grey Box” approach in which some partial information is provided!!
But whichever approach is taken, the fundamental idea is to discover the vulnerabilities in the corporate network and then address them before they can be taken advantage of by the malicious hackers. In order to be effective, the VA/PT exercise must be carried out regularly usually at least twice a year. It should cover the network assets, web applications and mobile applications at the very least. Sometimes IOT systems are also included in the scope. After the report is provided, the weaknesses identified have to be promptly fixed and a “re-test” done to ensure that the loopholes have been indeed closed. The re-test is typically offered free of cost.
Hitachi Systems Micro Clinic has a mature practice, offering this service to our customers. You can have a look at our sample reports and we can even do a limited POC of this service for one of your applications, so that you can get an idea of the vulnerabilities that exist – if any. Do write to us at marketing@hitachi-systems.com for further details!