How Good Is Your Resilience Testing?

There have always been funny stories about failed recoveries from cyber incidents. One I remember dates back to the days of the floppy disk: the client regularly took backups on disk, gave them to his administrator and asked for them to be filed. It was only when a failure occurred that he asked for the latest backup disk and discovered it had been filed in a ring folder, with two neat punch holes in it!

This story highlights that any resilience measure must be tested on a regular basis, and not just when the ‘stuff’ has hit the fan.

A common test of a network’s resilience is Penetration Testing, or a PEN Test, which is a process that involves discovering security gaps and vulnerabilities within networks and applications. It is often called ethical hacking, as your network is essentially getting hacked but without causing the damage a normal cyber-attack would inflict.
The PEN tester attempts to probe your infrastructure and exploit vulnerabilities with advanced tools and methodologies, just like a real hacker would do. The aim is to uncover any security issues that allow hackers access to sensitive data and systems. Reports from the PEN Test outline the issues, enabling IT teams to fix them and improve overall business security.

In theory, a PEN test sounds great, which is why so many businesses jump to the conclusion that they need one. But there are alternatives, such as Vulnerability Assessments, which will tell you, upfront, what security is, and is not, in place. From these reports any highlighted issues can be confronted. 

Vulnerability Assessments - Cost Effective

Vulnerability Assessments tend to be much more cost-effective than a PEN test. They can be run multiple times or set for a scheduled scan, say each quarter, to check security posture. This makes fixing issues easier as the work is spread out over the year, whereas a PEN test, done once or twice a year, means any issues discovered need to be fixed immediately and together.

When considering resilience, it is critical to assess how data, including emails, is backed up or, in the event of a disaster, how quickly new systems could be brought online with all data in place and available to users. Many of the latest systems enable data to be stored in different locations and on different media types. This is often cheaper and more robust than traditional backup solutions. Testing a complete or partial restore is easy and non-disruptive and can be done monthly. Even testing the Disaster Recovery process is straightforward and lets an organisation actually see how long it would take to restore data onto new devices. Such ‘real’ information is vital to understand as it forms the basis of any recovery programme.
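A restore drill of the kind described above, as an added example that is not part of the original article: it restores a backup archive into a scratch directory, checks every file against a SHA-256 manifest recorded at backup time, and reports how long the restore took. The tar.gz format, the manifest layout, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(root, archive):
    """Write a gzip tar of root; return the manifest to store with it."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(Path(root, rel), arcname=rel)
    return manifest

def restore_drill(archive, manifest):
    """Restore into a scratch directory (never over live data) and verify."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The "data" filter refuses members that would escape scratch.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        restored = build_manifest(scratch)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(f for f in restored if f in manifest and restored[f] != manifest[f])
    return {"ok": not (missing or corrupted), "missing": missing, "corrupted": corrupted,
            "files": len(restored), "seconds": time.monotonic() - start}

def demo():
    """Constructed sample data: a healthy backup, then one damaged after the manifest."""
    with tempfile.TemporaryDirectory() as work:
        live = Path(work, "live")
        (live / "mail").mkdir(parents=True)
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "mail" / "inbox.mbox").write_text("From: a@example.test\n\nhi\n")
        manifest = make_backup(live, Path(work, "good.tar.gz"))
        (live / "ledger.csv").write_text("id,amount\n1,999\n")
        (live / "mail" / "inbox.mbox").unlink()
        make_backup(live, Path(work, "bad.tar.gz"))
        return [restore_drill(Path(work, n), manifest) for n in ("good.tar.gz", "bad.tar.gz")]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The `seconds` value from a scheduled drill is the measured restore time the recovery programme can be planned around, and a non-empty `missing` or `corrupted` list shows a bad backup before an incident does.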
 
Networks are not the only thing that can be tested for resilience. The same applies to endpoints and applications, using breach simulation tools known as Breach & Attack Simulation (BAS) technology.

BAS Technology   

A BAS service is fully automated and launches attacks on selected services such as email, web, phishing campaigns, supply chain attacks and ransomware across the full cyber kill-chain. These attacks are fully customisable in an open framework with the most comprehensive repository of assessments and executions gathered from numerous attacks, which allow real-life situations to be explored in any environment.

Once the simulation has been completed, the current exposure, attackable vulnerabilities, misconfigurations, and security gaps are shown. Thereafter, security performance can be measured and tracked with a risk score based on proven methodologies, including NIST, CVSS V3 and Microsoft DREAD. This intelligence is vital in order to understand progress in protecting the network and data and can also be a valuable report to share with The Board, to confirm the data security investment.

Arrival of Security Performance Management

A new area of real-time resilience testing and monitoring has formed under the term ‘Security Performance Management’ (SPM) tools. These systems enable risk leaders to measure the performance of their cybersecurity programme and align investments and actions with the highest measurable impact over time. With security ratings correlated to data breaches and financial performance, security professionals can efficiently allocate resources to the most critical areas of cyber risk within their organisation and facilitate data-driven conversations around cyber security among key stakeholders and The Board.

SPM systems provide tools for tracking and improving a security programme's performance over time. Through broad measurement, continuous monitoring, and detailed planning and forecasting, they enable continuous visibility into the expanding digital footprint, enabling streamlined operations for reducing cyber risk and driving accountability for security outcomes.
 
The cost of a data breach is well documented, but not every data outage is down to a cyber attack; many are due to human error or simply forgetting to renew a machine ID certificate. Therefore, ongoing testing and automated scanning, to detect out-of-date software, certificates, or operating systems, is key to maintaining a solid security position. Testing in a controlled way within a given timeframe also takes away the stress, should something go wrong, and provides time to reflect on results and plan an appropriate way to deal with them. This ensures that investments in security controls are efficient and effective.
 
At the end of the day, a preventative approach is always going to be the most effective in terms of cost and security. But, if you do not know if your protection is working, you could be drawn into a false sense of security and only realise your weaknesses when you are breached - not a good place to be. 

Whatever security solutions are in place, ensure they are tested for effectiveness in a calm and controlled manner. You will sleep better, trust me!

Colin Tankard is Managing Director of Digital Pathways
