Vulnerability Assessments vs Penetration Testing

Vulnerability scanning and penetration testing are both important tools for securing and protecting your IT infrastructure. They are often confused with each other, but they play very different roles in overall network security.

So, what’s the difference and which should your business be using?


Vulnerability Assessments

Vulnerability assessments are automated reports that search for known vulnerabilities within software, such as missing patches and outdated configuration, protocols, certificates and services. The output of the report shows every known vulnerability that exists within the network. Reports can be lengthy, as the assessments take a comprehensive look at the network and its applications.

The assessments can be run on any number of devices throughout a network and are wide in scope. The results can then be used to remove potential risks before they can be exploited.

It is recommended to perform scans quarterly, on every new device once it has been configured, and whenever a major configuration change has taken place.


Penetration Tests

In comparison, penetration testing actively exploits weaknesses within the environment. An experienced tester carries out the testing, acting as an attacker by exploiting weaknesses within the network or applications, otherwise known as ‘ethical hacking’. As a human tester is needed, this testing cannot be automated.

The main aim of penetration testing is to identify insecure and weak security settings and configuration that an outsider could use to reach the data held behind the defences, such as unencrypted passwords. The tester probes an open port and sees how far it can be exploited. Large networks can take anywhere from days to weeks to test fully. It is therefore best practice to have the testing performed by a fully qualified third party; this also ensures that the resulting report is unbiased and objective.

Penetration testing doesn’t need to be performed as regularly as vulnerability assessments: once a year is sufficient, or whenever internet-facing equipment undergoes a large change.


What Should My Business Use?

In summary, a vulnerability assessment is used to detect when an unlocked door could let a burglar into your business. A penetration test role-plays as the burglar and sees how far he is able to get before a locked door stops him in his tracks.

Both tools should be used in conjunction and work together to provide the best outcome. Vulnerability assessments are designed to act as a detective tool; penetration testing is built to be a preventative measure.

Penetration testing is a lot more costly than a vulnerability assessment on its own, but this is due to its in-depth nature: the tester may discover a new vulnerability or a security flaw that is not well known.


It’s important to know the difference between the two tests, as each is important in its own way. To find out if Netshield can be of assistance, please contact us here.


The Rise of Email Compromise

The term phishing is certainly becoming more prevalent in today’s cyber-security obsessed world. Cyber criminals pose as a CEO, finance director or other senior member of staff in a company and send fraudulent emails containing details of payments ‘that must be made immediately’, with bank details attached. The catch is usually the address the email has been sent from: it very closely resembles the email address of the senior management figure, and this spoofing often dupes unsuspecting employees into making the payments or disclosing the financial or personal information requested.

According to the Verizon Data Breach Investigations Report, phishing tactics were used in more than 90% of all security incidents and breaches in 2017. So why has there been such a rise in business email being targeted?


How does it work?

Phishing emails are very simple: target multiple users or one individual in a company, convince them that the sender is a high-ranking senior management member, and extract sensitive information. The email will usually be labelled as high importance, eliciting a sense of urgency in the user (who wants to upset their CEO by delaying a task in an urgent email?), who then provides login credentials or credit card details, or actually makes the requested payment.

Some will contain a malicious attachment, so if users don’t fall for the money transfer requests they may still infect their PC and later the network with malware.

Links to sign-in forms (such as the Gmail scam that occurred at the start of 2017, affecting over 1 billion users) can also be included. The URLs resemble the official one, so a glance at the address bar won’t raise any alarm bells unless you look closely, and even the most tech-savvy users can fall victim. Once credentials have been entered, the attackers have full access to that account. This could obviously be disastrous if business banking credentials have been entered.


Believing your business is safe from an attack as ‘it hasn’t happened to us yet’ is not the way to be thinking anymore. So what can be done? 

1. Improving User Awareness

Train employees on how to spot phishing attempts, what to do if they receive one, and how to defend against attacks.

According to the Verizon Data Breach Investigations Report:

30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.

It’s also important to encourage employees to report possible incidents or breaches as soon as they are discovered. Clear and readable security policies should be implemented and distributed to all users regularly, so employees are aware of their roles and responsibilities during such an incident.

Ongoing security awareness training should be considered for all IT team members on a regular basis to keep their knowledge of evolving scams up to date.

2. Management Involvement

Assigning key responsibilities for cyber security at management level ensures all employees are aware that it is being taken seriously, and provides a great example for them to follow. Of course, everyone within a company has a part to play in keeping the infrastructure secure, but it does need to start at senior management level to show its importance.

A tech-savvy staff member should be allowed time to keep informed about the latest phishing techniques, preferably a senior member of the IT team. By being aware of latest scams as early as possible, the management board can be informed and discuss the best way to prevent the business being affected.

3. Build your Battle Plan

Ensuring your IT infrastructure is as robust as possible must be a priority at all times. Firewalls remain very important, but gone are the days when we could just rely on heavy-duty firewalls to prevent malicious traffic reaching its target.

  • Two-factor authentication can be used across a variety of applications and software, either built in or as an ‘add-on’. Most people have only one layer of security (their password) protecting their accounts; two-factor authentication adds a security code that must be entered on top of this. The code can be sent to your mobile or generated by a security key. With 2FA enabled, should the bad guys gain control of passwords, they still won’t be able to access what is behind them without the user’s phone or security key.
  • Updates are released in response to loopholes that phishers can take advantage of, yet ensuring all IT systems are up to date is often forgotten. We’ve previously posted about how patching can help prevent major security vulnerabilities (read more here); this also applies to anti-virus and anti-malware, which are your first line of defence should the worst happen. Browsers should also be updated as soon as an update is available. A good patch management schedule will ensure this is carried out regularly.
  • A quick check of a site’s security is not time consuming but does give you peace of mind. Make sure the URL begins with ‘https’ and that a small, closed padlock icon is visible near the address bar.
  • Anti-virus should be installed on all devices, including remotely used ones. New security definitions are added all the time, which makes keeping the software up to date even more important. AV helps prevent damage to systems by scanning every file that arrives from the internet on your PC.
  • Scrutinize an email address or URL if you’re at all unsure. Is the sender of an email joe.bloggs@exampl3.com rather than the usual @example.com? Don’t trust it. It doesn’t hurt to separately double-check with the person you believe sent it.
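The final bullet above describes a manual check: a sender address such as joe.bloggs@exampl3.com that merely resembles the organisation’s real @example.com domain. The same check can be automated on inbound mail as a triage heuristic. The following is an added example written for this post, not code from the original article or from Netshield; TRUSTED_DOMAINS, EXECUTIVES and the sample message are constructed, assumed values. It goes slightly beyond the single case in the text: it folds digit-for-letter substitutions (exampl3, examp1e), catches single-character typos (exanple), catches the trusted name buried inside a longer domain, and flags messages whose display name matches a known executive while the address is not on a trusted domain.

```python
"""Triage the From: header of an inbound e-mail against the organisation's own domains.

Added example, not from the original post. TRUSTED_DOMAINS and EXECUTIVES are
assumed sample values; SAMPLE_MESSAGE is a constructed message, not real mail.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "example.co.uk"}   # assumption: the company's real domains
EXECUTIVES = {"joe bloggs", "jane doe"}               # assumption: names attackers may pose as

# Digit/letter swaps commonly used to build lookalike domains (0->o, 1->l, 3->e, ...)
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                             "5": "s", "7": "t", "8": "b", "9": "g"})


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot and fold look-alike character sequences."""
    folded = domain.lower().rstrip(".").translate(_HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; cheap enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_address(addr: str) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'unparseable' for a bare address."""
    if addr.count("@") != 1:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # The real domain or one of its subdomains (mail.example.com) is trusted
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted):
            return "lookalike"   # exampl3.com, examp1e.com
        if edit_distance(domain, trusted) <= 1:
            return "lookalike"   # exanple.com, example.co
        if trusted in domain:
            return "lookalike"   # example.com.secure-login.net, notexample.com
    return "external"


def triage_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and explain the verdict on its From: header."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    verdict = classify_address(addr)
    # A known executive's name on an address we do not control is the CEO-fraud pattern
    impersonation = name.strip().lower() in EXECUTIVES and verdict != "trusted"
    return {"display_name": name, "address": addr,
            "verdict": verdict, "executive_impersonation": impersonation}


# Constructed sample, mirroring the post's exampl3.com example
SAMPLE_MESSAGE = """From: Joe Bloggs <joe.bloggs@exampl3.com>
To: finance@example.com
Subject: URGENT payment

Please pay the attached invoice today.
"""

if __name__ == "__main__":
    for key, value in triage_message(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The verdict is only a heuristic for prioritising human review and user training; it does not replace authentication of the sending domain by the mail gateway.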


Unfortunately there is no fool-proof way to prevent attacks occurring; promoting a company culture of staying vigilant and being on guard is one of the best defenses you can have.


For information about how Netshield can assist with your anti-phishing policies and defenses, please feel free to contact us here.



10 Reasons Why Cloud is Good for Business

In today’s world everyone is captivated by their laptops, tablets and mobile devices, so much so that the average individual has access to 3 different devices. We have the ability to be always connected and to access the information we want and need within a few clicks, which leads to the idea of Cloud Computing revolutionising the workplace.

What is Cloud Computing?

It is the delivery of computing as a service rather than as a product. Your business information and software are delivered to computers and other devices as a service over a network. A Cloud service has 3 main attributes that make it slightly different from traditional hosted services:

  • It is sold on demand
  • It is elastic and scalable
  • It is fully managed

Why would Cloud Benefit your Business?

  1. Automatic software updates – The Cloud Service Provider (CSP) carries out the maintenance for all the software, which includes security updates, freeing up your time for other tasks in your business.
  2. Flexibility – A Cloud-based service can immediately meet demand, low or high, so it can adapt to your business as it grows.
  3. Controlling Costs – Save money by having a scalable solution for a monthly fee; if you choose to use a CSP, your business will require less networking hardware on site.
  4. New Business Ventures – Due to the flexibility and speed of deployment of cloud resources, businesses are able to try new ideas quickly and efficiently without extreme investment in systems.
  5. Stability – A lot of businesses suffer downtime due to crisis management, hardware upgrades or other problems; a CSP continuously monitors and maintains the systems, which provides dependable uptime.
  6. Work from anywhere – With an internet connection, employees in your business can work anytime, anywhere, which can help increase workers’ productivity and job satisfaction.
  7. Build, expand and use new operations – Cloud computing enables you to quickly build, deploy and manage applications, which can be built in any framework, tools and languages. So setting up remote offices will be as easy as 1, 2, 3!
  8. Security – By using Cloud, everything is stored in a central location, so your business data can still be accessed no matter what happens to the device.
  9. Environmentally friendly – It helps decrease the carbon footprint of your business, as you’re only using the resources you require.
  10. Competitiveness – The cloud grants SMEs access to business-class technology at a set monthly cost. It can allow smaller companies to act faster than substantial, well-established competitors with complex networks.

Cloud for business is advantageous. Although the requirement for an internet connection is a disadvantage, with our addiction to mobile devices and access to information the internet has become a common commodity. Find out what the cloud can do for your business by contacting us today on 0845 603 5552.

The Different Types of IT Network Virtualization

IT network virtualization has been around for many years and is gaining in popularity amongst SMBs, with many currently planning or deploying virtualization projects. It has also been found that over 40% of medium-sized businesses have already virtualized their servers.

Within the virtualization market there are 2 main competing brands, VMware and Microsoft Hyper-V, and both have their benefits. But prior to choosing the software vendor, a business must decide what type of virtualization to proceed with and the objectives of the IT project.

There are 3 main types of IT Network Virtualization:

Storage Virtualization

Storage devices on the network, such as hard drives, are consolidated into one place and managed through a central portal. This allows network administrators to monitor the resource levels available on the IT network and makes it easier to manage day to day.

Network Virtualization

This is where a traditional IT network is transformed to a virtual network by combining both hardware and software resources within the IT infrastructure. The network administrator would then be able to share resources amongst the users, like dividing bandwidth into different channels. They will also be able to see the complete network in a management portal, which would help streamline processes and save time.

Server Virtualization

One of the most popular forms of virtualization: this is when virtual machines are created within physical servers, but each virtual machine still appears to be in a separate space. Different tasks can then be assigned to different servers, allowing savings on processing power, cost and space, while the administrator is still able to diagnose and resolve issues quickly.

To find out how virtualization can help your business contact us today

Business of Cybercrime: Part 2 – ‘The Business IT Landscape’

In recent years we have seen the benefits of the development of new technologies within the workplace; these developments have introduced terms such as ‘Bring Your Own Device’, ‘Cloud Computing’ and the ‘Mobile Workforce’, and have changed the business IT environment. With such changes in technology and in the way individuals work, cybercrime is evolving too…

Common problems with IT security today:

  • Threats are constantly changing and increasing
  • Data is everywhere and continuously growing
  • Users are becoming more mobile, using many different devices

With these changes in the business IT environment, the mobility of end users and the IT security issues involved, it is not surprising that many IT departments are not embracing the trend of BYOD or encouraging the company to move towards a more mobile workforce, instead considering it a ‘foe’. But some companies do see the benefits of these changes, as discussed in the ‘Bring Your Own Device (BYOD) – Friend or Foe to Businesses?’ blog post.

It can often be said that the concern is not necessarily due to the types of data security threat, such as spam, viruses or malware, because the underlying threat remains the same even as it evolves and changes its form. It is the fact that BYOD could leave the IT infrastructure prone to more vulnerabilities, allowing more avenues for hackers to infiltrate the network.

What are your views on today’s IT landscape?