Strong cyber resistance means your business is more likely to anticipate and withstand cybercrime, protect its systems and networks from it, and quickly and effectively resume business operations in the event of an attack.
This Insight explains the different types of cybersecurity resistance testing your business could undertake, and the best practices to adopt.
What is Cybersecurity Testing?
Cybersecurity testing is the process of identifying security vulnerabilities in a system or network and determining the actions needed to fix them. With the increasing risk and prevalence of data breaches for Australian businesses, it is important to conduct cybersecurity testing regularly so that your business is prepared to prevent and respond to cyberattacks.
IT professionals should assist organisations to select the most relevant types of cybersecurity testing and determine the testing program. They should also oversee all cybersecurity training to ensure it is run efficiently and productively. Your C-suite should be across the testing and your boards informed of the outcomes.
Types of Cybersecurity Resistance Testing
Cybersecurity audits seek to identify potential vulnerabilities through an in-depth review of an organisation’s digital infrastructure and security measures, including an assessment of relevant regulatory compliance, for example Privacy Act 1988 (Cth) obligations on data retention and destruction. ISO 27001 certification incorporates a cybersecurity audit.
A cybersecurity audit will usually begin by reviewing a business’ data security policies and considering how successful those policies are at maintaining the confidentiality, availability and integrity of its data. It may involve developing visual aids to contextualise network and system processes and their interdependencies, and understanding how data flows throughout the organisation.
The audit will identify the threats and associated mitigation options to prevent IT security risks and vulnerabilities from being exploited and to ensure regulatory compliance.
Audits should be undertaken annually, or whenever an organisation alters its network configuration, introduces new software, expands, or implements any other significant change to its technology ecosystem.
Penetration testing (pen tests) is a form of ethical hacking in which IT professionals intentionally launch a cyberattack on a network or system to exploit applications and identify areas of weakness. The goals of this testing are to calibrate firewall rules, close unused ports and eliminate any loopholes. When conducted on a website, the goals are to identify and report notable vulnerabilities, such as cross-site scripting and buffer overflows.
Common forms of penetration test include:
- Internal Tests: performed by internal company users; they simulate a hacker who has penetrated the company’s system to access personal information.
- External Tests: external IT professionals are engaged to attack the network perimeter from an external source.
- Blind Tests: simulate the actions of a real hacker. Little to no information is given to the external IT professionals who attempt to access business infrastructure. By working from publicly available information, they reveal how much of the firm’s data is, or can be made, available to the public.
- Double-blind Tests: almost no one in the firm is aware that the pen test is happening, including the internal IT and security teams who respond to the attack. Double-blind studies are particularly useful for preventing bias due to demand characteristics or the placebo effect.
- Targeted Tests: targeted tests require complete transparency. IT teams are asked to target particular concerns in the network. These take minimal time to action; however, they don’t always reveal the full extent of the problem.
A posture assessment tests the strength of an organisation’s cyber threat prevention capabilities, protocols and controls. It is a useful first step in the cybersecurity testing process because it can guide your overall approach to security. Unlike audits or pen tests, posture assessments provide definite guidance for improving cybersecurity maturity: they explicitly map out the potential flaws and generate solutions to them.
The following process is a common posture assessment framework:
- identify and address the value of company data;
- define threat exposure and risks;
- evaluate whether appropriate security methods are in place, informed by the value of the data being collected and stored; and,
- recommend a concrete plan for strengthening defences.
Most commonly, businesses outsource the posture assessment to third-party experts, which removes company bias and any prior knowledge of the firm’s operations.
A vulnerability scan involves testing to identify security weaknesses in the company’s infrastructure, with the goal of preventing breaches. While pen testing involves simulated hacking to locate the causes of gaps in the system, vulnerability scanning is an automated test that simply identifies the gaps themselves and how they could be exploited.
A 2020 study conducted by the United States Cybersecurity and Infrastructure Security Agency (CISA) found that a business’ most common vulnerability was remote code execution. Remote code execution is where an attacker accesses a target computing device and makes changes remotely. Other common vulnerabilities include:
- Arbitrary code execution – attacker can run commands or code on a vulnerable device;
- Arbitrary file reading – attacker can read or write any content in a file system; and
- Path traversal – vulnerability that gives attackers access to unauthorised files.
It is important to note that, as this study is by a US-based agency (and is 3 years old), these vulnerabilities may not precisely mirror the most common vulnerabilities found in Australian-based organisations. However, it does provide a useful snapshot of the potential vulnerabilities your business should look out for.
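Path traversal, listed above, is the vulnerability class most easily shown in code. The following is an added example, not part of the original Insight: a small file-serving helper in its vulnerable form beside a hardened form, run against a constructed sample directory. The vulnerable function is the pattern a vulnerability scanner or pen tester would flag; the hardened one is the fix a developer would ship. The function names, directory layout and file contents are all constructed for the example.

```python
"""Path traversal, shown defensively: vulnerable read beside hardened read.

Added example (not from the original Insight). All names and sample files
are constructed for illustration.
"""
import os
import tempfile
from pathlib import Path


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Vulnerable: joins the user-supplied name straight onto the base
    directory. A request containing '..' can climb out of base_dir."""
    return Path(base_dir, requested).read_bytes()


def safe_read(base_dir: str, requested: str) -> bytes:
    """Hardened: canonicalise both paths and confirm the target lies inside
    base_dir before reading. Raises PermissionError on any escape attempt."""
    root = Path(base_dir).resolve()
    target = (root / requested).resolve()
    # is_relative_to() (Python 3.9+) compares the resolved, symlink-free
    # paths, so '..' segments, absolute paths and symlinks all fall outside
    # root and are rejected.
    if not target.is_relative_to(root):
        raise PermissionError(f"path traversal blocked: {requested!r}")
    return target.read_bytes()


def build_sample_tree() -> tuple:
    """Constructed sample data: a 'public' directory the app may serve, and a
    sibling 'secret.txt' it must never expose. Returns (public_dir, secret)."""
    tmp = Path(tempfile.mkdtemp())
    public = tmp / "public"
    public.mkdir()
    (public / "index.html").write_bytes(b"<h1>welcome</h1>")
    secret = tmp / "secret.txt"
    secret.write_bytes(b"TOP-SECRET-CONSTRUCTED-VALUE")
    return str(public), str(secret)


def demonstrate() -> dict:
    """Run both readers over an ordinary request, a '..' traversal request
    and an absolute-path request, and report what each did."""
    public, secret = build_sample_tree()
    results = {}
    results["safe_normal"] = safe_read(public, "index.html")
    results["vuln_normal"] = vulnerable_read(public, "index.html")

    # Traversal request: one '..' climbs from 'public' to the sibling file.
    traversal = os.path.join("..", "secret.txt")
    leaked = vulnerable_read(public, traversal)
    results["vuln_traversal_leaked"] = leaked == b"TOP-SECRET-CONSTRUCTED-VALUE"
    try:
        safe_read(public, traversal)
        results["safe_traversal_blocked"] = False
    except PermissionError:
        results["safe_traversal_blocked"] = True

    # Absolute request: Path(root) / "/abs" evaluates to "/abs", so the
    # containment check is what stops it, not the join.
    try:
        safe_read(public, secret)
        results["safe_absolute_blocked"] = False
    except PermissionError:
        results["safe_absolute_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The check worth copying is the one in `safe_read`: never trust the join alone, resolve the final path and verify containment against the resolved base directory. String prefix checks on unresolved paths miss symlinks and `..` segments that `resolve()` normalises away.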
A security scan, sometimes referred to as a configuration scan, searches for misconfigurations in a network, including any incorrect or suboptimal design of a system that can cause vulnerabilities.
Misconfigurations pose a cybersecurity threat because they are easy for attackers to detect. Examples of misconfigurations include unencrypted files, unpatched systems, outdated web apps and insufficient firewalls.
Risk assessments involve analysing security controls to identify the possible threats against each company device or network. The four key steps of a risk assessment are:
- recognise all essential components within your organisation’s technology infrastructure, pinpoint all the sensitive data linked to each, and create a risk profile for each;
- evaluate risk levels and determine the number of resources needed to mitigate the risk;
- create a plan for risk mitigation and enforce security controls for the identified risks; and,
- enforce ongoing mitigation by implementing tools and processes to minimise threats.
Risk assessments should be conducted at least once a year and following any change an organisation makes to its technology infrastructure. They can be conducted internally or outsourced to third parties.
Your business should regularly undertake cybersecurity testing to identify any risk of your data being compromised or leaked. Testing is a whole-of-organisation activity in which executives and board members are also involved and informed.
For assistance in reviewing these practices and advice on your legal obligations, contact Sainty Law at firstname.lastname@example.org.