LAZgroup SA - Business and Technology Solutions
                                                      www.lazgroup.com support@lazgroup.com +41794822839
                                                      Rue du Cendrier 15, 1211 Geneva, Switzerland




    IT risks associated with outsource of Penetration Testing
                        (Ethical Hacking)

                                                   Written by Dr.Kretov Kirill from LAZgroup SA



Introduction
The idea that information governs the world is nothing new. The faster a business develops
its technological and information infrastructure, the higher the risk of malicious access to its
information. Commercial, financial, managerial, HR and other information is of interest not only
to the company where it is created and used, but also to its competitors, and to people who can
take hold of it for further unauthorized use and resale. The need for data security keeps growing.
Data security is a state of protection in which the integrity, availability and confidentiality of
the data are ensured. Integrity means that the information does not change while it is stored or
transmitted; availability means that authorized persons can use and access the information at any
time; confidentiality means that the information is unavailable to anyone who is not authorized
for sufficient and lawful access to it.
An information security audit can be used to support data security. Generally, an audit is
performed to estimate the current level of data security, to assess the risks that arise while
information is stored and used in the company, and to determine the high-priority measures that
will minimize those risks and the threat of information leakage. During the audit, we establish
the security level actually provided by the automated system, and the statistics collected help
determine the further steps needed to reach complete information security in the company.
One type of security audit is the penetration test (or "pentest"), aimed at finding the
vulnerabilities and intrusion paths that could be used to break into the company's information
systems from the outside, for example via the Internet. Penetration tests are mainly performed to
estimate the company's overall level of protection against external threats and targeted attacks,
and also to document the actions taken and produce a report on them.
In most cases, the testing procedure consists of three steps, each of which includes a number of
quite specific tasks. The first step covers planning and preparation. The second step is the
penetration of the automated system itself, and the third step is the creation of the report and,
possibly, recommendations for improving data security.
Most often, a company commissions penetration testing when it needs to evaluate the possible
damage from malicious activity, to estimate the security level of specific company information
assets, to determine the weakest points in its information security system, or to assess how its
staff respond to penetration attempts.
However, one must not think that the testing procedure guarantees complete security for the
company. Sometimes the opposite is true, since any penetration attempt may have unexpected and
serious consequences for the audited company. There are two major groups of risks we should
always keep in mind.


Risks due to the Testing Company
The first group of risks is caused directly by the company that performs the security audit at the
customer. In other words, a company wishing to have reliable data security checks whether its
information is accessible from the outside by intentionally making it accessible: a lot of
vulnerabilities are usually revealed during pentests, and the testers gain access to the protected
data.
Is this actually so bad? When a customer wishes to have penetration tests performed, the customer
signs a non-disclosure agreement with the testing company. Although most companies think this is
enough, each penetration test brings additional risks. We should keep in mind that each auditor
group consists of people, and the human factor cannot be ignored.
First of all, it is the human factor that makes different penetration testing companies perform
pentests differently. Vulnerabilities that one group reveals will remain unknown to another group,
and vice versa. That is why, logically, you cannot rely entirely on the results of penetration
tests to ensure information security. A real penetration threat remains in any case, since
different groups and different hackers apply different methods to the vulnerabilities they find.
In other words, such testing does not fully guarantee security at the customer company.
Even after the testing is finished and vulnerabilities have been found in the customer's automated
system, the testing company can simply retain the information it obtained on the software, network
structure, etc., or conceal some vulnerabilities from the customer. The tested company is now also
exposed to all of the auditing company's own risks.
The point is that maintaining security within a company is hard enough on its own. There is also
the risk that employees of the testing company, for example after they are dismissed, will use the
information for their own benefit or for the benefit of competitors. This is not a rare situation,
and the statistics for such cases, unfortunately, keep growing.
Often, client information leaks from companies that place too much trust in their IT service
providers (outsourcing companies, processing centers, security audit companies). According to the
American telecommunications company Verizon Communications, more than half of all known information
leaks in restaurant and retail chains and other organizations that, for whatever reason, cannot
afford high-grade IT staff are due to dishonest outside partners or to the companies offering
information security audit services.
Here is a specific example. In 2009, the owner of a large IT company in the USA engaged in
information audit and outsourcing services was accused of stealing the confidential data of more
than 8 million people. All of the information came from the large companies it serviced, and the
investigation revealed that the resulting database was intended for sale to competitors. Details of
what data had been stolen and the list of aggrieved organizations were not published in the
interests of the investigation, but it was known for certain that during the audits, information
on the organizations' network operation had been carefully gathered for later illegal use and
theft.
As this example illustrates, dishonest companies among those offering information audit services
are not a rare exception. And although data leakage caused by a company's own employees or insiders
seems the most probable, it usually makes no sense to expose the company to additional risks for
the sake of a false feeling of safety.


Even when you do need penetration testing from the outside, you must first carefully examine the
reputation of the company that will conduct the work. But the company's reputation is not enough.
Find out as much as possible about the company's management and technicians, because even a company
with a perfect reputation that provides high-quality security audit services might employ people
who secretly help competitors, with the main intention of accessing the protected information while
the test is under way.
Part of the information a company uses internally has a long lifespan, meaning that if it becomes
available to anyone else even a few months later, the company will still suffer significant losses.
Thus, one must be very careful when bringing in external human resources and pay attention not
only to their skills, cost and quality, but also to the potential consequences of granting them
access to the company's information assets.
Another threat during penetration tests is the investigation of various attack scenarios.
Employees of the auditor company can document only some of the vulnerabilities revealed in the
information protection system, while the remaining vulnerabilities can still be used by hackers.

Technical Risks
Even when penetration tests bring good results and eliminate many vulnerabilities, they still do
not guarantee that the information will remain inaccessible a few days, weeks or months later. The
point is that new vulnerabilities arise every day, new types of attack come into use, and even some
old vulnerabilities can be exploited anew as time passes. No information security organization can
have complete information on all vulnerabilities. That is why the vulnerabilities that will be
used tomorrow may differ greatly from those known today.
By operating fast data networks and using the Internet in their daily activities, companies make
their business more effective and flexible on the one hand, but at the same time they increase
their risks, because absolutely secure systems do not exist. Failures of network protocols and
services and faults in network equipment may cause not only direct financial losses to the company
but also loss of reputation, which for many large companies is a more serious harm than the
financial losses. Information security becomes more and more important as more and more services
allow customer relations to be maintained directly via the Internet.
Usually, a vulnerability means that a malicious user can make the application perform operations
for which the user has insufficient rights, or no rights at all, by issuing a suitable command. And
although there are detection tools for different types of vulnerabilities, they can never
substitute for a person's experience in information security research.
In their attempts to provide security, the management of many companies often makes serious
errors that may later have severe consequences for the company. Among them are:

- The company's staff are excessively confident in the reliability of the security technologies
  used.

- Accurate technical information on the security level does not exist.

- There is no clear information security policy.

- The IT department's staff are insufficiently qualified.

- The personnel wrongly think that there is no information of interest to hackers in the
  company's information system.

- The personnel wrongly think that cracking the company's web site or server will not result in
  serious losses.

Based on last year's statistics, gathered during the analysis of almost 12 thousand programs and
web applications, more than 97 thousand vulnerabilities have been found. They differ in their
threat level, but more than half of them are urgent and critical, and the data of 13% of systems
can be compromised automatically. In the course of detailed testing, the probability of revealing
critical vulnerabilities reaches extreme rates, from 80% to 96%.
Any company can suffer from cyber attacks regardless of its line of business. Of course, hackers
are mainly interested in large organizations, but small companies usually suffer more severe damage
from such illegal activities. Small and mid-sized businesses often suffer from malware and viruses,
which are becoming harder to neutralize. Note that data security companies themselves are often the
target of directed network attacks.
Interesting statistics have been published by the Ponemon Institute. The research, which used
information received from 45 large American companies, showed how great a company's losses are
from attacks that use vulnerabilities in its information system. On average, companies lose a
little less than four million dollars per year because of such conditions, and this figure ranges
from one million for medium-scale companies to 52 million dollars. The struggle against network
data leakage, attacks on companies' web sites and online services, and the distribution of malware
constitutes the lion's share of information security costs. Nevertheless, the studied companies had
been exposed to more than 50 successful attacks per week, during which hackers could have plundered
the data.
As the above statistics show, hackers carry on their criminal business with impunity. While
competition in this field grows, prices for computer network cracking and information theft fall,
yet hackers' proficiency continues to increase. Among all hackers, no more than ten people a year
are held criminally liable, and for some frauds with a turnover in the millions the hackers receive
only a suspended prison sentence. Experts consider such avalanche-like growth of crime in
information technology a considerable threat to any business.

Conclusion
In conclusion, we have to emphasize that the situation in the field of information protection is
changing rapidly, and a company must respond to each change as promptly as possible. Any newly
revealed vulnerability, any weakness in an anti-penetration system, may result not only in direct
financial losses but also in an irrevocable loss of reputation with partners, which is often much
more important.
Hackers' arsenals grow with new, sophisticated software and hardware, and their proficiency has
long since surpassed that of the average employee in an IT or information security department. A
company can protect itself from possible threats only by paying constant attention to the integrity
and security of its network and other resources. As of now, vulnerabilities have been found in all
operating systems. Once again, this proves that no absolute security can be guaranteed, and none
will be guaranteed in the near future.
But you can keep your risks to a minimum. For this purpose, a prompt staff response when a threat
is detected is crucial, as is the timely installation and updating of anti-virus software and
firewalls and the installation of all critical and essential operating system updates. Overall
staff awareness of recently disclosed vulnerabilities, viruses and malware is also important.
Many organizations resort to penetration tests as a last resort. But today this measure is
expensive and ineffective. During such a test only part of the existing vulnerabilities will be
discovered, while new methods of breaching information security appear almost every day. One must
understand that even a large company providing computer audit services may be exposed to its own
internal data leakage risks. Entrusting such a company with detailed information about your network
structure, operations and protocols basically means taking on all of that company's risks as well.
So penetration tests usually grant you a false, illusory sense of safety.
Internal network audit methods are more effective than penetration testing. A company must use
software for access restriction, user activity monitoring and data encryption, and network activity
logs must be monitored on a regular basis. This is a necessary condition for keeping the risk of
information loss at an acceptable minimum.

                          Written in January 2010 by Dr.Kretov Kirill specially for LAZgroup SA

Contenu connexe

Dernier

Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppCeline George
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 

Dernier (20)

Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology  ( Production , Purification , and Application  ) Hybridoma Technology  ( Production , Purification , and Application  )
Hybridoma Technology ( Production , Purification , and Application )
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
MENTAL STATUS EXAMINATION format.docx
MENTAL     STATUS EXAMINATION format.docxMENTAL     STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 

En vedette

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

En vedette (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code

IT risks associated with outsource of Penetration Testing

Security audit types include penetration tests (or "pentests"), which are aimed at identifying the various methods of searching for vulnerabilities and the ways of intruding into a company's information systems from the outside, for example, via the Internet.
Penetration tests are mainly performed to estimate the company's overall level of protection from external threats and directed attacks, and also to document the actions taken and to create a report on them. In most cases, the testing procedure consists of three steps, and each step includes a number of quite specific jobs. The first step covers planning and preparation of the operations. The second step is the penetration into the automated system itself, and the third step is report creation and, possibly, recommendations to improve data security.

More often, a company admits penetration testing when it needs to evaluate the possible damage from malicious activities, to estimate the security level of specific company information assets, to determine the most vulnerable places in the information security system, or to assess the measures taken by company staff members in case of penetration attempts. However, one must not think that the testing procedure guarantees complete security for the company. Sometimes this is not true, since any penetration attempt may cause unexpected and crucial results for the audited company. There are two major groups of risks we should always keep in mind.

This article is intellectual property lazgroup.com.
Risks due to the Testing Company

The first group of risks is caused directly by the company that performs the security audit in the customer company. In other words, a company wishing to have reliable data security checks whether its information is accessible from the outside by intentionally making it accessible, because many vulnerabilities are usually revealed during pentests and the testers gain access to the protected data. Is it actually so bad? If the customer wishes to have penetration tests performed, the customer signs a non-disclosure agreement with the testing company. Although most companies think this is enough, each penetration test brings additional risks.

We should keep in mind that each auditor group consists of persons, and the human factor cannot be ignored. First of all, it is the human factor that makes different penetration testing companies perform pentests differently. Thus, vulnerabilities that can be revealed by one group will remain unknown to another group, and vice versa. That is why, logically, you cannot completely rely on the results of penetration tests to ensure information security. A real penetration threat exists anyway, since different groups and different hackers can apply various methods to the revealed vulnerabilities. In other words, such testing will not fully guarantee security in the customer company.

Even when the testing is finished and vulnerabilities have been found in the customer's automated system, the testing company can simply save the obtained information on the software, network structure, etc., or conceal some vulnerabilities from the customer. Also, the tested company will now be open to all the risks of the auditing company. The point is that it is too hard to maintain security within the company, and there is the risk that employees of the testing company, for example after they are fired, will use the information to their own benefit or to the benefit of competitors. This is not a rare situation, and the statistics for such cases, unfortunately, do grow.

Often, client information leaks from companies that trust their IT service providers too much (the latter can be outsourcing companies, processing centers, or security audit companies). According to the American telecommunication company Verizon Communications, more than half of all known information leaks in restaurant and retail shop networks and other organizations that, for whatever reasons, cannot afford high-grade IT staff are due to unfair partners from the outside or to the companies offering information security audit services.

Here is a specific example. In 2009, the owner of a large IT company in the USA engaged in information audit and outsourcing services was accused of theft of confidential data of more than 8 million people. All the information was coming from large serviced companies, and the investigation revealed that the created database was intended for sale to competitors. Details of what data had been stolen and the list of the aggrieved organizations were not published in the interests of the investigation, but it was known for sure that during the audit, information on the organizations' network operation was carefully gathered for the purpose of further illegal use and theft.

As illustrated by this example, unfair companies among those who render information audit services are not a rare exception. And though data leakage due to the company's own employees or insiders seems the most probable, it usually does not make sense to expose the company to additional risks for the sake of a false feeling of safety.
Even when you do need penetration testing from the outside, you must first carefully examine the reputation of the company that will conduct the research. But the company's reputation is not enough. Find out as much as possible about the company's management and technicians, because even a company with a perfect reputation that provides high-quality security audit services might employ persons who secretly help competitors, with the main intention of accessing the protected information without interrupting the testing. Part of the information used internally by the company has a long lifespan, meaning that if such information becomes available to anyone else, even after a few months, the company will still suffer essential losses. Thus, one must be very careful when attracting external human resources and pay attention not only to their skills, cost and quality, but also to the potential consequences of granting them access to the company's information assets.

Another threat during penetration tests is the investigation of various attack scenarios. Employees of the auditor company can document only some of the vulnerabilities revealed in the information protection system, while the remaining vulnerabilities can still be used by hackers.

Technical Risks

Even when penetration tests bring good results, eliminating lots of vulnerabilities, they still do not guarantee that the information will remain inaccessible in a few days, weeks, or months. The point is that new vulnerabilities arise every day, new types of attack are used, and even some old vulnerabilities can be utilized anew with the course of time. No information security organization can possess complete information on all vulnerabilities. That is why the vulnerabilities that will be used tomorrow may strongly differ from the existing ones.
By providing fast operation in data networks and using the Internet in daily activities, companies make their business more effective and flexible on the one hand, but at the same time increase the risks, because absolutely secure systems do not exist. Failures of network protocols and services and faults in network equipment operation may cause not only direct financial losses to the company, but also loss of reputation, the latter being more serious harm for many large companies than financial losses. Information security becomes more and more important, since more and more services allow maintaining customer relations directly via the Internet.

Usually, a vulnerability means that a malicious user can make the application perform operations for which the user has insufficient rights or no rights at all by issuing a corresponding command. And though there are detection tools for different types of vulnerabilities, they can never substitute for a person's experience during information security research.

In their attempts at security provision, the management of many companies often makes severe errors that may result in serious consequences for the company. Among them are:

• The company's staff is excessively confident in the reliability of the security technologies used.
• Accurate technical information on the security level does not exist.
• There is no clear information security policy.
• The IT department staff's qualification is insufficient.
• The personnel wrongly think that there is no information of interest to hackers in the company's information system.
• The personnel wrongly think that cracking of the company's web site/server will not result in serious losses.

This article is intellectual property of Dr. Kretov Kirill, the founder of LAZgroup SA.

Based on last year's statistics gathered during the analysis of almost 12 thousand various programs and web applications, more than 97 thousand vulnerabilities have been found. They differ in their threat level, but more than half of them are urgent and critical, and the data from 13% of systems can be compromised automatically. In the course of detailed testing, the probability of revealing critical vulnerabilities reaches extreme rates, from 80% to 96%.

Any company can suffer from cyber attacks regardless of its business. Of course, hackers are mainly interested in large organizations, but small companies usually suffer more severe damages from such illegal activities. Small companies, as well as mid-sized businesses, often suffer from harmful software and viruses, which are becoming harder to neutralize. Note that data security companies themselves are often the target of directed network attacks.

Interesting statistics have been published by the Ponemon Institute. The research, which used information received from 45 large American companies, showed how great the losses of a company from attacks using the vulnerabilities in its information system are. On average, companies lose a little less than four million dollars per year due to such faulty conditions, and this figure ranges from one million for medium-scale companies to 52 million dollars.
The struggle against network data leakages, attacks on companies' web sites and online services, and also harmful software distribution constitutes the lion's share of the costs of information security maintenance. But nevertheless, the studied companies had been exposed to more than 50 successful attacks per week, during which hackers could have plundered the data. As proved by the above impressive statistics, hackers do their criminal business with impunity. While competition in this field grows, prices for computer network cracking and information theft fall, but hackers' proficiency continues to increase. Among all hackers, no more than ten persons are exposed to criminal liability a year, and for some frauds with a millions-strong turnover the hackers are subject only to a conditional prison sentence. Experts think that such avalanche-like growth of criminality in information technologies is a considerable threat for any business.

Conclusion

In conclusion, we have to emphasize the fact that the situation in the field of information protection is rapidly changing, and a company must respond to each change as promptly as possible. Any new vulnerability revealed, any weakness of an anti-penetration system may result not only in direct financial losses, but also in irrevocable loss of reputation among partners, which is often much more important. Hackers' arsenal grows with new, complicated software and hardware, and their proficiency has long ago surpassed the proficiency of an average employee in an IT or information security department. A company can protect itself from possible threats only by constantly paying attention to the integrity and security of its network and other resources. As of now, vulnerabilities have been found in all operating systems. Once again, this proves that no absolute security can be guaranteed, and it will not be guaranteed in the near future.

But you can keep your risks at a minimum. For this purpose, prompt staff response in case of threat detection is crucial, as well as timely installation and update of anti-virus software and firewalls, and installation of all critical and essential operating system updates. The staff's overall awareness of the recently known vulnerabilities, viruses and harmful software is also important.

Many organizations resort to penetration tests as the last possible measure. But now, this measure is expensive and ineffective. During such a test, only part of the existing vulnerabilities will be discovered, meanwhile new methods of breaking information security appear almost every day. One must understand that even a large company providing computer audit services may be exposed to its own internal data leakage risks. Entrusting such a company with detailed information about network structure, operations and protocols basically means taking on and covering all the risks of that company. So, penetration tests usually grant you false, illusory safety. Internal network audit methods are more effective than penetration testing. A company must use software for access restriction, user activity monitoring and data encryption, and network activity logs must also be monitored on a regular basis. This is a necessary condition for keeping the information loss risk at an acceptable minimum.

Written in January 2010 by Dr.Kretov Kirill specially for LAZgroup SA
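An added example, not from the original article: a small Python check of the kind the conclusion calls for, comparing login records of the accounts issued to an outsourced testing team against the contracted time window and source address ranges, so that use of those accounts after the engagement ended or from an unagreed location is flagged. The engagement scope, account names, addresses and log lines are all constructed.

```python
"""Check tester logins against the agreed engagement scope.

Added example, not from the original article: applies the user activity and
log monitoring the conclusion recommends to the accounts issued to an
outsourced testing team, flagging use outside the contracted time window or
from a source address not named in the engagement agreement. Scope values,
account names, addresses and log lines are constructed (hypothetical).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Engagement:
    """Scope agreed with the testing company (constructed values)."""
    accounts: frozenset   # accounts issued to the testers
    sources: tuple        # ip_network objects the testers may come from
    start: datetime       # contracted test window, inclusive
    end: datetime

SCOPE = Engagement(
    accounts=frozenset({"pt-auditor1", "pt-auditor2"}),
    sources=(ip_network("203.0.113.0/24"),),   # TEST-NET-3, constructed
    start=datetime(2010, 1, 11, 8, 0, tzinfo=timezone.utc),
    end=datetime(2010, 1, 15, 18, 0, tzinfo=timezone.utc),
)

# Constructed log lines: "<UTC timestamp> <user> <source ip> <event>"
SAMPLE_LOG = """\
2010-01-12T09:14:02Z pt-auditor1 203.0.113.7 login-ok
2010-01-13T22:41:10Z pt-auditor2 203.0.113.9 login-ok
2010-01-14T03:05:44Z pt-auditor1 198.51.100.23 login-ok
2010-01-20T11:30:00Z pt-auditor2 203.0.113.9 login-ok
2010-01-14T10:00:00Z alice 10.0.0.5 login-ok
"""

def parse_line(line):
    """Split one log line into (timestamp, user, source address, event)."""
    ts, user, src, event = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, ip_address(src), event

def out_of_scope(log_text, scope=SCOPE):
    """Return (line, reason) for every tester-account event outside the scope."""
    findings = []
    for line in log_text.splitlines():
        when, user, src, _event = parse_line(line)
        if user not in scope.accounts:
            continue   # not a tester account; ordinary monitoring applies
        if not scope.start <= when <= scope.end:
            findings.append((line, "outside engagement window"))
        elif not any(src in net for net in scope.sources):
            findings.append((line, "source not in agreed ranges"))
    return findings
```

A login by a tester account after the window closes is the signal that the credentials issued for the audit were never revoked, which is the retained-access risk the article describes.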