How to Perform Your Own IT Health Check
Cybercrime, by nature, never stops evolving. Technology creates new attack surfaces and points to exploit with every iteration.
The cybersecurity industry and hackers are in a perpetual lockstep. When experts answered password theft with multi-factor authentication, hackers responded with elaborate scam messages and stealing session cookies.
To stay ahead of such a threat, vigilance will not be enough. Businesses adopting a reactive approach may find themselves blindsided when attackers change tactics. To ensure your perimeter is secure against the latest threats, you’ll need to think like a hacker yourself.
What Is An IT Health Check?
An IT health check (ITHC) is otherwise known in the cybersecurity industry as a penetration test–a pen test for short. It’s a simulated exercise that tests your security by attempting to breach it with the tools and strategies that attackers might use.
These checks are more than an additional step in a company’s cybersecurity protocol. In the UK, businesses are legally required under Article 32 of the General Data Protection Regulation (GDPR) to regularly stress test their systems. A penetration test is one of the recognised ways businesses can meet the requirement.
The Scope Of An ITHC
Cybercriminals are incredibly precise in how they weasel into a network. They plan extensively; some run reconnaissance through malware for months before deciding to ransom or steal data. If your organisation is specifically being targeted, they’ll do the work to pinpoint which employee has privileged access–and how to trick that employee into handing over their credentials.
Properly scoping your ITHC allows you to be as thorough and extensive. It gives the process direction, allowing you to keep costs from sprawling and minimising disruption. Ideally, your testing scope document should identify and include the following:
There are different types of ITHC tests, each assessing different vulnerabilities. Internal tests simulate an attack coming from the inside. For instance, when an intruder gains access to an employee’s account through phishing. External tests target anything that connects to the Internet, such as applications or email servers.
Some tests narrow the scope even further. Mobile application testing looks at vulnerabilities that can arise from the mobile environment, such as unsecured data storage and misconfigured security settings on phones used to access your network. Web application testing looks at your browser-based applications and sifts through the code for gaps that can be exploited.
Threats & Known Weaknesses
Identifying where your high risk areas are–databases that contain customer information, third-party integrations, remote workers–will help you choose the right type of audit for your needs.
It will also help you narrow down your focus and minimise spend. Budgets for penetration testing are limited, so you’ll need to pick a focus. If you have an in-house AWS specialist, then you may want to leave your cloud-based apps to them and divert your focus to where your competency is weaker. For instance, your email exchanges or browser-based applications.
Risk Owners And Participants
In cybersecurity, the weakest link is usually people. Attacks that target individuals have gone up in recent years. In fact, 95 percent of breaches are due to human error, up by 40 percent from 2015. Identifying risk owners–employees who operate within the networks being tested–is vital for ensuring health checks can correctly assess the greatest weaknesses in your system.
Estimated Time Frame
The longer a health check runs, the costlier it can get, in both third-party fees and disruptions to business. Having a set duration for the test will allow your testing team to tailor several aspects of the review to the limitations of your budget and schedule, including the depth of testing and methodology.
The Testing Team’s Needs
To ensure tests run as seamlessly as possible, you’ll have to give your testing team all the materials they’ll need.
There are three main testing setups: black-box, white-box, and grey-box. Your chosen technique will determine what the team will need you to provide.
Black-box testing puts testers in the role of your average hacker. They receive no information about your networks, no access to internal systems–nothing that isn’t publicly available. Black-box tests come the closest to simulating real world attacks from uninformed intruders.
In contrast, white-box testers are given full access to all the inner workings of an application, from log-in credentials to the source code. Teams running white-box tests typically design test cases from scratch, tailored to the software in question. Businesses running white-box tests will need to ensure the testers have access to all the tools and permissions they’ll need.
Grey-box testers are given partial access to the system. They’re not given free rein over the application, but are given access to documentation describing its structures. This simulates attacks from intruders who know how the application works and how to exploit it.
How Often Should I Test?
The frequency of testing will vary by sector. For organisations in high risk industries like banking or government, health checks can be a quarterly requirement under cybersecurity policies. For your average business, once a year can suffice.
But you don’t have to wait until an ITHC to work on your defences. There are plenty of measures you can implement without the need for a formal report from testers. For instance, enabling 2FA or implementing access control policies.
Can I Conduct My Own ITHC?
IT health checks are typically conducted by external partners, even in larger companies. This is ideal for two reasons. One, because pen testing is a technical process. It’s easy to go over the budget if you’re not well versed in testing. Secondly, hiring a third-party allows the application to be tested from an outsider’s perspective–the same one attackers will be using against you.
Don’t wait for the latest cybercrime tactics to catch you unaware. Keep your applications and networks prepared for attacks as they come with regular IT health checks. Better yet, work with a partner who can adjust parameters to your needs. Book a free consultation to get started.