Why would your company need Penetration Testing?
Most businesses hold information about their clients in an electronic format. This could be in the form of client data bases, data that is gathered for customer spending habits, payment information, research and development ideas or physical prototypes. How would your business cope if a competitor wanted to steal your research and development plans, or hijack your confidential data for resale on the black market? Or if a criminal just wants to steal your valuable equipment such as computers or other equipment that is vital for your business? This is where penetration testing comes into its own!
Data security has become the focus of 21st Century business. This is because, as technology advances, so do the skills of the cyber criminals. Most businesses over the last decade or so have changed the direction of security risk planning to focus on protecting their electronic data. Whilst the change has been necessary, it has often come at the expense of “physical security”. When Penetration Testing is added in conjunction with data protection to a business security plan, you can be assured that the adverse risk to both physical and electronic property is reduced. This page aims to provide clarity on how Penetration Testing can improve your business security plan.
When business leaders create their security risk assessments they need to consider all aspects of how to keep their business safe from, not just criminal activity, but ‘Acts Of God’ too. [For example,] Is your data safe if there is a fire or flood? An assessment will identify potential fire and flood risks, checking that there are adequate prevention policies in place as well as looking for potential areas of vulnerability to, amongst other things, theft.
What Makes for Good Penetration Testing?
A good Penetration Test will be comprised of multiple strands that will provide an analysis of potential weak spots and highlight strengths. It is important to remember that security breaches can happen from outside your building too. These strands are generally broken down in to different tasks which enable you to request a more comprehensive test, or tailor the test to the individual needs of your business.
In this day and age of complex technology, the bricks and mortar of business are often forgotten, so the first step would be to check out the physical exterior of your premises.
Doors, windows and walls
How long it is since you [last] updated the locks on your windows and doors? With the right set of tools it doesn’t always need an expert to break in by picking your locks.
How many ex-employees (disgruntled or otherwise), might still have keys and fobs that will let them in? Criminals still use these tried and tested techniques to gain entry.
However, there are multiple ways a criminal could gain access to your property. Our investigator will complete a thorough examination of the outer perimeter, ensuring that there are no weaknesses in windows, walls and fences. Once that has been done, the investigator will look at potential access points into your building. Are you sure that your employees are closing windows when they are finished for the day?
A ruthless hacker can utilise wireless equipment to steal information before even putting a foot into your actual premises. It is possible with easy to obtain devices such as laptops and mobile devices to hack in to a companies WiFi. The nature of WIFI means the business is not always aware of who could be sitting in the car park helping themselves to your client lists or research and development information. There are of course ways that WiFi can be used as an internal breach to security too.
The first step is getting into the building. There are lots of ways that unscrupulous people will try to do this. Here are some examples:
Most people are nice. This means that when they are walking through the door into an office building or a secure area, they like to make life a little easier for the person walking behind them and hold a door open for them, ‘tailgating’. The problem is, that this can mean that a person who is not authorised to can gain access to the most secure places in your business. How vigilant are your employees when it comes to tailgating, through not just the external entrance, but secured internal doors?
Once a person is in the building, they may need to get past the concierge, receptionist or building security (otherwise known as the “human firewall”) is the next hurdle for the criminal and is usually achieved by a method called “Social Engineering”. People who are trying to gain unauthorised access could try various methods of disguise as seemingly legitimate workers such as plumbers, electricians, pest controllers or agency cleaners to name but a few.
This enables the criminal to manipulate the entrance manager to allow access or even give away protected data. So it is important that the person managing the entrance is aware of the correct protocols to check the identity of those entering the building. The technological equivalent to this form of breach are emails that provide links to fake websites, or phishing emails that are requesting seemingly harmless data that is often used as security checks for forgotten passwords, like place of birth or your mother’s maiden name.
Of course the person managing the entrance to your business must also be on the lookout for forged passes. The criminal could have been watching to see how legitimate people gain access to your building. Do they need a fob? Or an ID card with or without a magnetic strip?
RFID and WiFi for Penetration Testing
A criminal can use a cloned RFID badge to get past security. In reality it can be quite easy with the right equipment to clone company badges and fobs. Our Penetration Testing experts will attempt to clone your badges to see how far inside your organisation they can get before they are challenged. Once the test is complete, the assessor will offer solutions to prevent the criminals gaining access in the same way.
Reducing the risk of RFID Cloning of your ID Cards and fobs
The way criminals clone your RFID data is by using a RFID reader. The criminal needs to be in reasonably close proximity to the card, but does not need to have it in their possession. There are a few simple measures that can help reduce this risk. A metal sheet or packet prevents the reader accessing the data. If you do use this kind of card or fob, it is recommended that you use a secondary form of authentication such as a fingerprint (or other biometric data) alongside it.
The criminal may not be planning to walk away with your information there and then. It could be that they are intending to leave a little something behind. A USB device can easily be planted and relay keystrokes [and/]or data from your hard drive to an external source. A “bug” can be used to record meetings and phone calls. It is important to consider access to your network in public or communal areas as well as the more restricted offices and production areas. A Penetration Test will identify the most at risk places in your organisation.
Explaining Shoulder Surfing
Simply put, criminals use a technique called “Shoulder Surfing” to look over your shoulder to see which keys that you press when entering a security code to enter a building, or when you are typing in a password at your computer. When you are at a cash machine in the high street or in line at the checkout in a supermarket, chances are you are careful when you are entering your pin number. Can you be sure that your employees are as careful when entering the restricted areas in your company?
Ways to combat Shoulder surfing
Easy ways to prevent a criminal gaining access by shoulder surfing include making sure you cover your hand when typing in the number or passphrase. This can be with a physical shield over the keypad, or getting in to the habit of covering your hand. It is also a good idea to choose random phrases or numbers that would make it harder for someone that is taking a sneaky peek over your shoulder to memorise quickly.
Data protection is not just a legal responsibility. It is vital to the protection and success of your business.
How rigorously do your staff members stick to your clear desk policy? Do they always lock their computer and lock files away when they are not sat at their desks?
Paper is still a necessity to many businesses as clients send in letters, staff make notes, and of course provide receipts. In recent bin searches our assessors have found personal phone numbers, password information, details of clients, even receipts from the local shops which give away times when there might be less staff in the building.
A Penetration Test could find any lapses and suggest solutions for protecting your paper trails.
What Equipment will our Tester need to complete a thorough test of your current security?
- A professional lock picking set: there are a lot of different types of locks on the market and our assessor will want to be sure that your locks will stand up to the test.
- A good quality camera: not just to gather information on employee routines but to provide evidence to support the findings of the test.
- A pair of binoculars: used to gather open source intelligence which will guide how break-in simulations are to be implemented without alerting the employees that the test is underway.
- Complex computer equipment: USB hubs, wireless access points, and RFID readers are some of the technology required by our assessors to test your network security and identify where the breaches are possible.
On this page we have looked at the type of breaches that can happen and how we at Alpha 1 Legal Services can reduce the risk to businesses.
The best way our investigators can objectively identify strengths and weaknesses will be to plan and carry out simulations of attempts to breach your current security measures. Do you know how to protect your data if the fire alarm suddenly goes off? Do you have a plan to help your staff identify and deal with intruders? If you have a comprehensive Penetration Test, the investigator will help you find solutions to any vulnerable areas and bolster the protection you have in place for your company.
The assessment starts with Open Source Intelligence Techniques that enable the investigator to find out as much about your business [as possible] before they even set a foot, digital or otherwise, on to your physical property. Then the investigators carry out the planned breaches, and finally they will complete a comprehensive report with recommendations to improve your security.
Think your company would benefit from a little penetration testing? Give Alpha 1 Legal Services a call now, or just send us an email and we will get back to you.