As your organization is working to secure your infrastructure, one component that can fall through the cracks is your company’s website.
While it might not be top of mind, there are impacts of not having a secure website. A website that is not secured:
- Allows for the possibility of multiple vulnerabilities and misconfigurations to exist, which can be the entry point hackers need to infiltrate your IT systems. These attacks can cause a loss of customer trust and a diminished brand reputation.
- Lowers the ability of clients and prospects to find your website as when delivering search results Google and other search engines prioritize sites that are secure. This translates to lost business opportunities.
- Delivers a poor brand impression when a warning is displayed in search engine results. This notification alerts potential site visitors that the website they are considering opening is not secure.
- Hinders your ability to partner and do business with government entities. When working with the government in any capacity, it’s even more important to have secure systems, including your website.
How do you determine if you have a secure website – and what does that mean?
The easiest way to know if your site is secure is to look at the URL of your website. If it begins with “https” instead of “http”, the site is secured using an SSL (Secure Sockets Layer) certificate.
SSL is a networking protocol designed for securing connections between web clients and web servers over an insecure network, such as the internet. As the standard security technology, it ensures that all data passed between the web server and the browser remains private.
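The check described above, as an added example that is not part of the original article: it confirms the URL scheme is https and then inspects the certificate the server presents (validity window and issuing organization), using the dictionary format Python's `ssl` module returns. The URL, host and certificate values are placeholders and constructed samples; the protocol in use today is TLS, the successor to SSL.

```python
"""Check that a site uses https and presents a currently valid certificate."""
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse


def scheme_is_secure(url):
    """True when the URL uses https, the first check the article describes."""
    return urlparse(url).scheme.lower() == "https"


def evaluate_cert(cert, now=None):
    """Summarise a cert dict as returned by ssl.SSLSocket.getpeercert().

    `now` may be a datetime, an ISO date string (treated as UTC) or None.
    Returns (valid_now, days_until_expiry, issuer_organization).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    fmt = "%b %d %H:%M:%S %Y %Z"  # getpeercert() style: 'Jun  1 12:00:00 2025 GMT'
    not_before = datetime.strptime(cert["notBefore"], fmt).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cert["notAfter"], fmt).replace(tzinfo=timezone.utc)
    # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName", "")
    valid_now = not_before <= now <= not_after
    return valid_now, (not_after - now).days, issuer


def fetch_cert(host, port=443, timeout=5.0):
    """TLS handshake with chain and hostname verification; raises ssl.SSLError on failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    url = "https://www.example.com/"  # placeholder: replace with your own site
    print("scheme secure:", scheme_is_secure(url))
    ok, days, issuer = evaluate_cert(fetch_cert(urlparse(url).hostname))
    print(f"valid={ok} days_left={days} issuer={issuer!r}")
```

A certificate that verifies but expires in a few days is a finding worth tracking, which is why the days-until-expiry value is returned alongside the pass/fail result.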
How else can you secure your website?
- Produce more secure code, and make certain that your web applications minimize these risks. For your developers, that means following the Open Web Application Security Project (OWASP) guidelines. The OWASP Top 10 outlines the most critical security risks to web applications and, consequently, to your website. Being proactive and protecting your organization against these threats is effective in changing the software development culture within your organization.
- Conduct penetration testing of your website. Pen testing probes your website for vulnerabilities. In this case, a pen test would be performed by attempting to exploit your organization’s website to determine if its protective controls can be bypassed. As threats to your IT infrastructure and your website are constantly evolving, pen testing can help your organization gain a fresh perspective with a third party looking at your security from the viewpoint of an attacker.
Take steps to secure your website now and reap the benefits including:
- Protecting the privacy of web visitors
- Improving user experience
- Elevating search engine presence
- Safeguarding your brand reputation
As you work to secure your web applications, give us a call. As penetration testing experts we can help identify flaws and misconfigurations within your internal and external infrastructure as well as other valuable assets.
In today’s security landscape, threats to your IT infrastructure are constantly evolving. As you work to secure your IT systems and processes, penetration testing (pen testing) is an important component of your plan. Pen testing can help your organization gain a fresh perspective with a third party looking at your security from the viewpoint of an attacker.
What is a penetration test?
A pen test is performed by attempting to exploit any of your organization’s identified vulnerabilities or configuration flaws to determine if the protective controls of a given system can be bypassed. Penetration tests can have multiple goal-based scenarios, including PII hunting, database breaches, domain control, and more.
Following the initial compromise of a host or credential set, analysts performing the pen test continue the attack lifecycle by pivoting to other hosts in the network, and then work to show how a compromised host can impact your business.
Why should you run penetration tests?
Pen testing examines the subsystems, components, and security mechanisms comprising your organization’s infrastructure and identifies weaknesses. Penetration tests can help you:
- Validate the effectiveness of your environment
- Meet contractual requirements
- Satisfy compliance objectives (PCI)
- Test your system from multiple adversary roles including potential employees, external adversaries, and more
- Adopt an agile methodology and regularly examine your systems
How do you conduct pen testing?
- Use commercial tools, public domain utilities, and proprietary tools to examine the security posture of a system or application and apply numerous industry frameworks like OWASP.
- Conduct tests from both the vantage point of an unauthorized and authorized user. Working from both of these perspectives drives a more complete understanding of the threats to your organization’s security.
- Go beyond automated tools and use manual testing methodology. Manual testing involves verifying vulnerabilities identified by the automated scanners so that any false positives can be eliminated. It also shows the business impact of a reported vulnerability. Automated scanners lack the ability to detect business logic flaws in the application. A combination of automated and manual testing provides a more thorough analysis.
- Leverage the expertise of licensed third-party analysts holding the appropriate certifications to provide an outside view of how those looking to infiltrate your systems would see them. These professionals have no personal ties to the company, which removes any concern of bias.
- Know when to run pen tests. This can be at defined frequencies like annually for small businesses, twice-annually for mid-size organizations or quarterly for large enterprises. Note that PCI requires pen testing annually. It is also good practice to pen test during the development of new systems, such as applications, services, or platforms, when system components or modules are in a static pre-production state. This can address vulnerabilities before exposing a system. In addition, make sure to pen test after changes to system components that are expected to have an impact on the security of a system, including the launch of new technologies, major infrastructure or application changes, modification to authentication mechanisms, or logging capability adjustments.
- Document findings and know how to proceed. The results of the pen test should be compiled into a report that ensures all findings and vulnerabilities are categorized and documented. This report should provide detailed results of the test, including a summary of the findings and the technical details for significant findings per project task, in-depth conclusions identifying affected hosts or application identifiers (e.g., IP addresses), recommendations for remediation for each significant finding, and other details such as testing limitations, tools used during the test, and any follow-on environment clean-up requirements.
Other pen testing tips
- Ensure that the scope of your pen test is appropriate for what you are protecting such as internet exposed applications and services, internet exposed APIs, access gateways and mechanisms, supporting infrastructure (authentication services and management interfaces), and sensitive data sets existing on applications, databases, and unstructured storage repositories.
- Know and define your attacker’s perspective. An external internet-based attacker targets applications and network services exposed to the internet, whereas a malicious insider targets sensitive internal network applications or known network locations housing important datasets. Both types of attackers may or may not have credentials to your network, and both may proceed with either wide-scope discovery or a pinpoint approach. Testers can also exercise different roles to see the impact of escalating privileges and pivoting to other roles within an application.
Penetration testing is an important part of your security plan. Make sure you get it right. If you would like help from experienced security professionals on running penetration tests for your organization, contact us.