Pratum Blog

Penetration testing explained.

Penetration testing provides a real-world test of your security posture: an ethical hacker attempts to break in using the same techniques as actual attackers. While most people picture penetration testing as someone cracking lines of code, the process entails far more than that. Here's an overview of the penetration testing process, from initial scoping to final validation.


Scoping

In this phase, clients and testers agree on the ground rules: which systems are in scope (for example, whether a test of a web app extends to the infrastructure behind it), which are off limits, and when testing may take place. The team also decides whether to alert the client’s IT team about the penetration test or to let them practice stopping what they think is an actual attack.

Recon

Intel Gathering

Like real hackers, good penetration testers use the web, social media and other public sources to identify individuals and parts of the organization to target. They also uncover technical details through port scanning, network sniffing and more.

Vulnerability Scanning

Automated tools scan your systems for exposed services, unpatched software, weak configurations and other known vulnerabilities that the human pen tester can then try to exploit. Scanner output is a starting point, not a finding: the tester confirms each result, because scanners report false positives and miss flaws that only appear when several weaknesses are chained together.
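The port scanning mentioned under Intel Gathering and the service enumeration that feeds vulnerability scanning, as an added example that is not Pratum's code or part of the original post. It starts its own throwaway listener on 127.0.0.1 so that it runs offline and touches nothing you are not authorized to test, then performs a TCP connect scan with banner grabbing against it. The banner text, the port list and the single fingerprint pattern in parse_banner are assumptions made for this example.

```python
import re
import socket
import threading

# Constructed stand-in for an in-scope host: a throwaway TCP listener on 127.0.0.1
# that greets clients with an SSH-style banner. On a real engagement the scanner
# is pointed only at the targets the client authorized during scoping.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Start the stand-in listener; returns (port, listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def grab_banner(host, port, timeout=0.5):
    """TCP connect scan of one port. Returns the service's greeting (possibly empty)
    when the port is open, or None when the connection is refused or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                return ""  # open, but the service waits for the client to speak first (HTTP, for example)
    except OSError:
        return None  # closed or filtered


def scan_ports(host, ports, timeout=0.5):
    """Return {port: banner} for every port that accepted a TCP connection."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def parse_banner(banner):
    """Pull (product, version) out of a 'Product_X.Y' style banner such as
    'SSH-2.0-OpenSSH_7.4'. Returns (None, None) when nothing recognizable is present.
    A real scanner carries thousands of fingerprints; this one carries a single pattern."""
    m = re.search(r"([A-Za-z]+)_(\d+(?:\.\d+)*)", banner or "")
    return (m.group(1), m.group(2)) if m else (None, None)


if __name__ == "__main__":
    port, srv = start_fake_service()
    try:
        # Port 1 is almost certainly closed on loopback, so it demonstrates the closed case.
        for p, banner in scan_ports("127.0.0.1", [port, 1]).items():
            product, version = parse_banner(banner)
            print(f"{p}/tcp open  banner={banner!r}  product={product} version={version}")
    finally:
        srv.close()
```

The product and version recovered from the banner are what the tester then checks against vendor advisories; the scanner itself only establishes what is listening, not whether it is vulnerable.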

Social Engineering

It’s easier to hack a person than a server. So pen testers often try to fool someone into giving up their system credentials through phishing, pretexting phone calls, etc.

Hacking Into the System

Armed with research, ethical hackers attack the system using known vulnerabilities; predictable or leaked passwords; spoofed login sites or devices; and more. Once they gain a foothold, penetration testers pivot through the environment to see how much data they can access.

Organizing Findings

The pen tester lists the risks they discover, rates each by severity, and categorizes them according to a common standard such as the OWASP Top 10 for web apps. Its categories include broken access control, cryptographic failures, injection, insecure design and more.

Reporting

Now the penetration tester formats their work into an understandable, actionable report for the client team. A good reporting process includes an executive summary, an in-depth technical report and an action plan listing recommended remediations.

Remediating

Armed with the detailed report, the client’s team can begin remediating moderate and high risks.

Validating

After the IT team remediates risks highlighted in the external portion of the penetration test, the pen tester returns to confirm that each risk has been eliminated. This confirmation is included as part of all external engagements.

EDR MDR XDR

If you’re still trying to make sense of XDR, MDR and EDR, you’re not alone. The market doesn't have universal definitions of these terms, and overlap among the solutions makes it easy to drown in the alphabet soup. This blog summarizes the key differences in each solution so you can ensure that you’re using the right tools to secure your environment.

What the “DR” Part Means

The obvious common element in each solution is the DR, which stands for “detection and response.” That means these tools go beyond simply logging an event or blocking files that match known malicious signatures. Managed XDR and other DR tools assess patterns of activity over time and act on what they find: terminating suspicious processes, quarantining devices, etc.

DR solutions have proven so effective at reducing attacks that most cyber insurance carriers now require them for anyone seeking to buy or renew a cyber policy. These tools have become a cybersecurity must-have because they address these growing threats:

  • Expanded attack surfaces/dispersed workforces – Organizations can no longer lock down all their data on company-owned devices inside the company building. Now you must secure your data in a world where employees are using mobile devices, home networks, etc.
  • Hackers lingering in systems – In a typical breach, hackers get into the environment months before administrators realize it. DR detects suspicious activity far sooner.
  • Growth in fileless malware – This malware type runs in memory or through legitimate tools such as PowerShell and WMI rather than dropping an executable on disk, so it slips past signature-based antivirus, which looks for known file signatures. By some estimates, even the best antivirus solutions block only 50-60% of the threats.

EDR – Endpoint Detection and Response


EDR protects your environment’s biggest vulnerability: endpoints. In the Wild West of remote workforces, employees are using networks you don’t control; sharing devices with family members; installing whatever software they want; etc. In most environments, about 70% of all attacks start with an endpoint.

EDR provides visibility into the endpoints. It constantly logs and monitors activity in order to identify potentially malicious activity on endpoints and take action to stop or mitigate the attack. Rather than looking for file signatures as antivirus solutions do, EDR looks at behavior: which process launched which, what files, registry keys and network connections each one touched, and whether that sequence matches known attacker tradecraft. With this capability, EDR regularly spots zero-day threats and other attacks that security pros haven’t seen before. In addition to the protection, it provides context around how the attack started and what it attempted to do.

EDR’s powerful response capabilities come from playbooks that guide the solution’s actions after spotting malicious activity. These playbooks determine when to block a file, quarantine a device, etc. Clearly, proper playbook tuning plays an enormous role in not only stopping malicious activity but in preventing a stream of false positives from overly sensitive triggers.
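Behavioral detection plus a playbook, as an added example that is not Pratum's code, any EDR vendor's logic, or part of the original post. Two rules run over constructed process-creation telemetry (an Office application spawning a script host; PowerShell launched with an encoded command), the playbook maps severity to a response, and an allowlist entry shows the tuning the paragraph describes: the deployment service account's encoded inventory script is suppressed instead of killing it every day. The event schema, rule names, severities, response names, and the sample events are all assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record as an EDR agent would report it (constructed schema)."""
    host: str
    user: str
    parent: str    # image name of the parent process
    image: str     # image name of the new process
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def rule_office_spawns_script_host(ev):
    """An Office document has no business launching a shell; this is the classic macro foothold."""
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return "office_spawns_script_host", "high"
    return None


def rule_encoded_powershell(ev):
    """Base64-encoded PowerShell (-enc / -EncodedCommand) hides the script from casual inspection."""
    if ev.image.lower() in {"powershell.exe", "pwsh.exe"} and \
            re.search(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s", ev.cmdline):
        return "encoded_powershell", "medium"
    return None


RULES = [rule_office_spawns_script_host, rule_encoded_powershell]

# The playbook: which response each severity triggers, plus the tuning that stops a
# known-good process from firing a rule every day. Both halves are illustrative.
PLAYBOOK = {
    "actions": {"high": "isolate_host", "medium": "kill_process", "low": "alert_only"},
    "allowlist": [
        # Constructed tuning entry: the software-deployment service account legitimately
        # runs an encoded inventory script from the deployment agent.
        {"rule": "encoded_powershell", "user": "svc_deploy", "parent": "ccmexec.exe"},
    ],
}


def allowlisted(ev, rule_name, playbook):
    return any(
        entry["rule"] == rule_name
        and entry["user"] == ev.user
        and entry["parent"] == ev.parent.lower()
        for entry in playbook["allowlist"]
    )


def evaluate(events, playbook=PLAYBOOK):
    """Run every rule over every event; return one finding per (event, rule) hit
    that the playbook has not tuned out."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is None:
                continue
            name, severity = hit
            if allowlisted(ev, name, playbook):
                continue
            findings.append({
                "host": ev.host, "user": ev.user, "rule": name,
                "severity": severity, "action": playbook["actions"][severity],
            })
    return findings


def per_host_action(findings):
    """Collapse findings to the single most severe response per host, so a host that
    tripped both rules is isolated rather than merely having one process killed."""
    worst = {}
    for f in findings:
        current = worst.get(f["host"])
        if current is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[current["severity"]]:
            worst[f["host"]] = f
    return {host: f["action"] for host, f in worst.items()}


# Constructed sample telemetry; the base64 payloads are placeholders, not real scripts.
SAMPLE_EVENTS = [
    ProcessEvent("WS-104", "jdoe", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("WS-231", "svc_deploy", "CcmExec.exe", "powershell.exe",
                 "powershell.exe -NonInteractive -EncodedCommand RwBlAHQALQBJAG4AdgBlAG4AdABvAHIAeQA="),
    ProcessEvent("WS-088", "asmith", "explorer.exe", "powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcessEvent("WS-077", "bpark", "OUTLOOK.EXE", "cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:7} {f['rule']:27} {f['severity']:6} -> {f['action']}")
    print("per-host response:", per_host_action(found))
```

Removing the allowlist entry turns the deployment script into a daily "kill_process" finding, which is exactly the false-positive stream the paragraph warns about; tuning belongs in the playbook, not in weakening the rule for everyone.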

XDR – Extended Detection and Response


Even if you have EDR covering your endpoints, attacks will still arrive through your firewall, cloud workflows, email system, IoT devices, servers and more. XDR provides a holistic view of your extended technology ecosystem, encompassing endpoints as well as every other part, regardless of the vendor that created each component.

XDR’s critical advantage is correlation of events. XDR solutions ingest telemetry such as syslog streams and other logs from across your environment to create a unified response. By leveraging artificial intelligence and machine learning, XDR identifies suspicious patterns amid the millions of system events that occur each day. In simple terms, XDR is designed to notice two seemingly unconnected activities in distant corners of your environment, recognize the pattern of a larger attack and take appropriate action. Without XDR, the left hand may never talk to the right hand, letting attackers lurk in your system far longer before they’re detected.
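Cross-source correlation of the kind described above, as an added example that is not Pratum's code, any XDR product's logic, or part of the original post. It parses constructed syslog-style lines from a mail gateway, an EDR agent and a firewall, anchors on each suspicious endpoint event, and looks across the other sources within a time window: a macro-enabled attachment delivered to the same user just before, and an outbound connection from the same host just after. One endpoint event ends up as a three-source phishing chain, another identical-looking one stays "endpoint_only". The log format, source tags, field names, the host-to-IP inventory and the 15-minute window are assumptions made for this example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed telemetry from three sources in a syslog-like key=value format. The field
# names, the source tags and the host-to-IP inventory are assumptions for this example.
LOG_LINES = [
    '2024-03-04T09:12:03Z mailgw: delivered to=jdoe@example.com from=invoices@vendor-example.net '
    'subject="Invoice 4471" attachment=Invoice_4471.docm',
    '2024-03-04T09:14:41Z edr: host=WS-104 user=jdoe parent=WINWORD.EXE image=powershell.exe',
    '2024-03-04T09:14:47Z fw: src=10.20.4.104 dst=203.0.113.77 dport=443 action=allow bytes_out=184320',
    '2024-03-04T10:02:10Z fw: src=10.20.4.55 dst=198.51.100.9 dport=443 action=allow bytes_out=2048',
    '2024-03-04T11:30:00Z edr: host=WS-231 user=svc_deploy parent=CcmExec.exe image=powershell.exe',
    '2024-03-04T13:00:05Z edr: host=WS-055 user=asmith parent=EXCEL.EXE image=cmd.exe',
]
INVENTORY = {"WS-104": "10.20.4.104", "WS-231": "10.20.4.231", "WS-055": "10.20.4.55"}  # host -> IP
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=15)
MACRO_EXTS = (".docm", ".xlsm", ".pptm")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

LINE_RE = re.compile(r"^(\S+) (\w+): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one log line into a dict: timestamp, source tag, then every key=value field."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    return {"ts": ts, "source": m.group(2), **fields}


def is_external(ip):
    """Outside RFC 1918 space. (Not ip_address().is_global, which treats documentation ranges as non-global.)"""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(lines, inventory=INVENTORY, window=WINDOW):
    """Anchor on each suspicious endpoint event and look across the other sources for
    corroboration inside the window. Returns one 'attack story' per anchor."""
    events = [e for e in map(parse, lines) if e]
    stories = []
    for e in events:
        if e["source"] != "edr" or e.get("parent", "").lower() not in OFFICE_APPS \
                or e.get("image", "").lower() not in SCRIPT_HOSTS:
            continue
        host, user, t = e["host"], e["user"], e["ts"]
        story = {"host": host, "user": user, "sources": {"edr"},
                 "chain": [f"{t:%H:%M:%S} edr: {e['parent']} spawned {e['image']} on {host}"]}
        for o in events:
            # Mail gateway: macro-enabled attachment delivered to this user shortly before.
            if (o["source"] == "mailgw" and o.get("to", "").split("@")[0] == user
                    and o.get("attachment", "").lower().endswith(MACRO_EXTS)
                    and t - window <= o["ts"] <= t):
                story["sources"].add("mailgw")
                story["chain"].insert(0, f"{o['ts']:%H:%M:%S} mailgw: delivered {o['attachment']} from {o['from']}")
            # Firewall: outbound connection from this host's IP to an external address shortly after.
            if (o["source"] == "fw" and o.get("src") == inventory.get(host)
                    and is_external(o.get("dst", "0.0.0.0")) and t <= o["ts"] <= t + window):
                story["sources"].add("fw")
                story["chain"].append(f"{o['ts']:%H:%M:%S} fw: {host} -> {o['dst']}:{o['dport']} ({o['bytes_out']} bytes out)")
        n = len(story["sources"])
        story["verdict"] = "confirmed_phishing_chain" if n == 3 else "corroborated" if n == 2 else "endpoint_only"
        stories.append(story)
    return stories


if __name__ == "__main__":
    for s in correlate(LOG_LINES):
        print(f"{s['host']} ({s['user']}): {s['verdict']}")
        for step in s["chain"]:
            print("   ", step)
```

The chain the code assembles for WS-104 (delivery, macro execution, outbound connection) is the attack story an analyst would otherwise have to reconstruct by hand from three consoles; the firewall line at 10:02 and the deployment agent's PowerShell at 11:30 never join a story because nothing corroborates them.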

MDR – Managed Detection and Response


With MDR and Managed XDR, a third party (known as an MSSP or Managed Security Services Provider) manages the tools described above. Management goes far beyond simply responding to alerts. Top MSSPs constantly tune complex XDR solutions in response to emerging threats and your unique environment. Partnering with an MSSP relieves your organization from staffing up to run your own in-house SOC or asking an already-overtaxed IT team to take it on.

A good Managed XDR service has a team of SOC analysts constantly monitoring your environment and tuning the tool for optimal performance. The analysts review alerts and notify you when you should take action. They regularly revise proprietary playbooks and rules in response to an ever-changing landscape. (When the Log4j vulnerability emerged in December 2021, for example, Pratum’s SOC wrote new rules for our Managed XDR clients within 12 hours.) In short, a Managed XDR service gives you access to cutting-edge security tools and a team of pros who know how to get the most from the tools.

A Managed XDR service also gives you a big advantage if you face a breach and need support with incident response/digital forensics. Experienced SOC analysts can quickly leverage XDR to develop an attack story that goes far beyond merely stopping the breach. Managed XDR lets you identify all the places the attacker went and what they compromised, ensuring that you can fully stop the breach and recover data more quickly.

To learn more about how Managed XDR service can secure your environment without additional staffing, contact us today.

Information Security Policies, Procedures, and Standards

Information security policies, standards and procedures typically fall to the bottom of many companies’ to-do lists. Nobody gets excited about the tedious process of creating these kinds of documents. But it's worth making the effort to create and maintain these key documents. Investing some time now will make your organization far more secure and efficient in the months and years ahead.

What They Are

First, let’s break down what goes into each of these governance documents.

Information Policies – The “What”

Policies are the high-level statements that communicate your objectives. Think about the information security policies as the vision statement that clearly states your values in this area and what you intend to put into action. Your organizational culture will drive how you set policies, as they reflect how you view risk, what role you expect end users to play in security and more.

Information Standards – The “How Often/Much”

Standards go more in-depth and elaborate on the policies. Standards will specify details such as:

  • Who will implement the standards
  • Specific responsibilities of the associated departments
  • Groups affected by the standard
  • Who owns the individual standard

Standards lay out specifics of how each control area fits into the overall information security program. For example, if a control framework you’re following requires specific steps around firewall settings or encryption measures, your standards will explain what you’re doing about those things. When you're trying to satisfy most compliance requirements and frameworks, you’ll hear a lot about your “policies.” But standards are typically what they're looking for.

Information Procedures – The “How”

Procedures are the step-by-step instructions for fulfilling the policies and standards. For every control area your policy covers, you should have corresponding procedures explaining how the organization will carry out that policy. Procedures turn policies and standards into tangible action steps. In procedures, the business should call out specific employees and technologies that carry out each procedure.

5 Situations Where Your Work on Policies/Standards/Procedures Pays Off

1. You experience a breach – Your Incident Response plan and Business Continuity/Disaster Recovery plans will help limit the damage and restore your operations as quickly as possible.

2. You have to discipline/dismiss an employee for inappropriate use of technology – Your Acceptable Use Policy, which you had each employee sign on their first day, lets you enforce the rules.

3. Vendors demand evidence of your security program – You can share a wide variety of documents to show that you take security seriously at all levels of the organization.

4. A user accidentally gives their credentials to a hacker – A solid Access Authorization/Identity Access Management policy limits each user’s data access, limiting how much a hacker can pivot within the system.

5. An entry-level employee makes a bad choice on a firewall setting – Your Change Management policy builds in reviews to catch unintended consequences in time.

Why You Need Them

Now let’s explore why these three types of documents are important for your business.

Meet Compliance Requirements

It’s just good business to have solid policies/standards/procedures. But it usually takes outside pressure to make most organizations get serious about their policies and standards. In today’s tougher cyber insurance marketplace, for example, you may not even be able to renew a policy without having basic policies/standards in place. At minimum, creating these documents helps you get much better rates on insurance. Many large companies are also taking a harder look at the cybersecurity practices of all their vendors. So your company’s contracts may soon rely on you creating the policies/standards/procedures that prove you have a mature security posture.

Establish Continuity

It's crucial that you show your employees exactly what is expected of them. A murky vision inevitably raises questions. Creating a universal guide for everyone will unify and direct the team in times of crisis or confusion.

Allow Enforcement

A written governance program gives leaders a way to enforce the practices they want employees to follow. If these expectations are laid out clearly in easy-to-find policies, standards and procedures, you can hold everyone accountable for abiding by them. Your employee onboarding process should build cybersecurity awareness into every employee’s first day on the job. One of their first tasks should be reading applicable policies and signing a statement that they have read the documents and agree to comply with them.

Create a Security Culture

Executives should be involved in creating the policies, standards and procedures and should play a role in socializing them throughout the organization. If an executive is involved in the creation of these documents, they’re more likely to understand what’s happening when problems arise. That makes it easier for IT professionals, and other employees, to communicate and understand what is important to the executives.

How to Get Started

1. Identify Your Needs

Your organizational size and industry niche will mandate some of the governance documents you need. A large business with numerous employees typically requires a more detailed plan than a small organization.

2. Build an Action Plan

You need to address how to get the governance program in place. Talk with your IT operations team to make sure they’re ready to follow the program you are trying to build. If not, find out what resources and tools they need to achieve the organization’s security goals. Open communication is key.

3. Maintain and Update

Understand that once you have your policies, standards and procedures in place, you still have work to do. Maintaining and updating your documents is just as important as the initial creation process. Times change, and so should your security governance. Be sure to review all these important documents annually to proactively evaluate the security controls related to the confidentiality, integrity and availability of your business’ sensitive information.

4. Test

Several policies and procedures require regular testing to confirm that everyone understands them, that they’re still current and that somebody actually knows how to do each step in the procedures. Incident response plans, in particular, require regular testing via tabletop exercises and other evaluations. During testing, many organizations realize that “restore data from backup,” for example, isn’t quite as straightforward as it sounds. That prompts them to update the plan to cover every detail in a way that makes them truly ready for quick deployment.

If you need help creating and maintaining policies, standards, and procedures, Pratum can help. Contact us today.
