Cyber Security – Penetration Testing


3 December 2018 

When you think of hackers, what image comes to mind? If we were to take one guess, it would be a hooded teenager sitting in his dark bedroom, the only light coming from his three monitor screens. But did you know that this is far from the truth?

Hackers today are often sophisticated groups of people, dressed up as companies and based in very normal, professional-looking offices.

In this week's blog, we're going to look at two different types of penetration testing: black box testing and white box testing.

What is Penetration testing?

Penetration testing, also known as a pen test, is an authorised attack carried out on your own systems to assess their security. There are different ways to test, and they are used to find both the weaknesses and the strengths of your systems. If vulnerabilities are found, this indicates that a hacker could potentially gain access to your systems.

Two ways to test are black box testing and white box testing.

What is black box testing?

Black box testing is a method of software testing that examines an application or website from the outside, where the tester has no prior knowledge beyond very basic information about the company.

What is white box testing?

White box testing is like black box testing, but instead of knowing only basic information, the tester is provided with background and system information before the test begins.

The point of these tests is to assess how vulnerable your systems are to attack and to ensure that countermeasures are put in place for every finding, reducing the risk before a real attacker finds the same weakness.

When a hacker first decides to attack, they carry out research: that is, they look for weaknesses that they can exploit. The next stage is to carry out the attack itself, which can be a one-off or a sustained campaign, depending on how quickly they can obtain the information they are after. There are many routes an attacker can take: your firewall, your website or even your web servers. Once they have gained access to any of these, they have the opportunity to reach your database and file servers, which is where your confidential client data is held. That data getting into the wrong hands would be detrimental to your company.

If you obtain your software through a provider, are you aware of the testing they complete and how often they complete it?

Or do you own the software? How often are you testing it? If you don't, why not? You are running a very high risk of an attack, and how would you explain that to your clients?

Last week, Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, delivered a speech on cyber and technology resilience in UK financial services, in which she stated:

  • Only 56% of firms say they can measure the effectiveness of their information asset controls.
  • Nearly half of the firms that completed an FCA survey do not upgrade or retire old IT systems in time.
  • Firms have reported significantly more outages and cyber-attacks over the last year.

Do you fall into one or more of these categories? If so, do you plan to act on resolving them? It has never been more important to have measures in place to prevent attacks.

Whilst we are not cybersecurity experts, we have worked alongside many, so if you do find yourself in need of advice, please get in touch and we'll point you in the right direction.
