Carbonsec – Cybersecurity Consultancy Services Company

Why is a quality penetration test a must in cybersecurity risk management?

A quality penetration test serves as a basis for system administrators to optimise security devices and the overall IT or OT environment.

24 May 2023, by Ana Bokalič

Ensuring a cyber-secure environment is often equated with installing new, more advanced security devices. Technological solutions do allow ever better protection of the information system. But our experience shows that equipment alone does not solve an organisation's security challenge: a device that is badly placed, left on default settings or never tuned protects much less than its data sheet promises. A penetration test reveals the security posture you actually have, rather than the one the equipment list suggests.

The key to achieving a sufficiently high level of cyber security is to position and optimise the security devices in the system correctly. Furthermore, raising awareness among users and IT system administrators to improve cyber resilience is fundamental.

A penetration test shows whether the technical protection of your IT system is efficient enough to meet your requirements and cybersecurity criteria. The results of the test offer information on potential vulnerabilities and weaknesses in the configuration. This approach allows you to use your existing equipment better and add new equipment in targeted areas where the penetration test has shown security shortcomings.

There is no 100% security, but we must strive in this direction

The NIST Cybersecurity Framework organises security management as a cycle of core functions (Identify, Protect, Detect, Respond, Recover). Two of the steps that matter most here are identifying the vulnerabilities you have and responding to the ones you found. By repeating these two steps at regular intervals, rather than as a one-off project, you improve your corporate cybersecurity continuously.

Although you cannot achieve 100% security, you can get as close to it as possible by taking suitable measures. Based on the results of security tests, you implement measures that protect the confidentiality, integrity and availability of information and services, both at the system level (configuration, patching, segmentation) and at the user level (awareness, authentication).

Organisations that run OT and IT systems face an additional challenge. Whereas upgrades and changes are “business-as-usual” in the IT system, in the OT, the objective is to maximise the stability and unchangeability of the environment and preferably not change it at all. Security testing must be adapted accordingly.

Penetration test of an IT or OT system – why do they differ?

The goal of IT system and application penetration testing is to ensure the confidentiality, integrity and availability of the business IT system and services used by users and administrators.

The first step is to establish what the IT system exposes to the outside (the external attack surface); in the next phase, we look at how cyber security is managed inside the internal network. We take a systematic approach to identifying possible entry points into the network and then try to exploit them, so that the report distinguishes a theoretical weakness from one that actually gives an attacker a foothold.

We test web and mobile applications according to recognised methodologies and perform static source code reviews to identify weaknesses in the application's code and configuration. Based on the results, we advise developers on how they can improve the security of their products.

Business IT systems and applications are faced with new vulnerabilities that need to be addressed by installing security patches or by making changes to the configuration of security appliances. These environments are relatively flexible and agile, so implementing changes is usually unproblematic.

On the other hand, OT environments such as industrial control systems typically run on older technologies, and security patches are often no longer available from the vendor. As long as these networks were genuinely isolated from other IT systems, they were relatively safe from network-borne intrusions.

Once industrial systems were connected to corporate networks and the internet, the attack surface in OT grew dramatically, and with it the security risks. Since OT systems do not tolerate disruptions (an active scan that is harmless on an office network can hang a PLC or an HMI), security testing of industrial control systems is often performed in a demo or test environment, or as a documentation and configuration audit rather than a live exploitation attempt. Additionally, when assessing the risks, it is imperative to consider the supply chain (vendors, integrators and remote-maintenance access) as a possible attack vector. Due to the intertwining of outdated and modern technologies, industrial control systems are much more exposed to cyber-attacks today than they were in the past.

Weak passwords are a common risk factor in IT and OT environments

One of the risk factors that IT and OT environments have in common is passwords. Typically, system administrators pay more attention to strong user passwords, but in our experience, system and service-account passwords (built-in administrator accounts, database accounts, accounts under which services and scheduled tasks run) are much more vulnerable: they are set once, often shared, rarely rotated and frequently excluded from the policy that applies to users. We recognise password security testing as one of the essential steps in security testing; it checks the effectiveness of your password policy and the compliance of user, system and service passwords with it.

In recent years, the guidelines for password security have changed in both length and structure. In the past, a password was considered strong if it was complex, that is, if it mixed different (special) characters and symbols; newer guidelines, such as NIST SP 800-63B, place more emphasis on length and on screening passwords against lists of known-compromised values. We recommend that you design passwords as longer passphrases that make sense and are easier to remember (e.g. "When we were children, we spent summer in Wales, where we enjoyed the seaside and stunning nature"; do not reuse a published example, since any phrase in print ends up in cracking wordlists). For system passwords, you can likewise use sentences that all administrators with approved access can remember, although a password manager or privileged-access solution that issues each administrator an individual credential is preferable to a shared secret. Implement multi-factor authentication for enhanced protection. With such a password policy, you don't need to change passwords every few months; changing them once a year will suffice, and NIST SP 800-63B goes a step further and advises against forced periodic changes altogether, requiring a change only when there is evidence of compromise.
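To make the policy point concrete, here is an added example (not Carbonsec's own tooling) in Python that audits a constructed list of user, system and service accounts against two rules: the legacy "8 characters, three character classes" rule and a length-first rule backed by a blocklist of common base words. The 15-character minimum, the blocklist and the sample accounts are assumptions for illustration; a real password security test screens against a full breached-password corpus and against the hashes recovered from the environment. What it shows is that every weak sample passes the legacy rule, because keyboard substitutions and a trailing year satisfy complexity without adding strength.

```python
"""Password policy audit: legacy complexity rule versus a length-first rule.

Added example for illustration, not Carbonsec's own tooling. The minimum
length, the blocklist and the sample accounts are constructed assumptions.
"""
import re
import unicodedata

# Constructed stand-in for a breached/common-password corpus. Real tests use
# a full corpus (millions of entries) and the hashes recovered from the domain.
BLOCKLIST = {"password", "welcome", "admin", "summer", "qwerty",
             "letmein", "changeme", "root"}

# Keyboard substitutions that complexity rules reward but cracking tools
# undo with a single rule, so they add no real strength.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "5": "s", "4": "a", "7": "t"})

# Character classes counted by the legacy rule.
_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def base_word(pw: str) -> str:
    """Reduce a password to the word an attacker would actually guess:
    NFKC-normalise, case-fold, drop the trailing '2023!' style suffix,
    undo leetspeak, then drop any leading punctuation."""
    s = unicodedata.normalize("NFKC", pw).casefold()
    s = re.sub(r"[\W\d_]+$", "", s)
    s = s.translate(_LEET)
    return re.sub(r"^[^a-z]+", "", s)


def legacy_complexity_ok(pw: str) -> bool:
    """Old rule: at least 8 characters and three of four character classes."""
    classes = sum(1 for pat in _CLASSES if re.search(pat, pw))
    return len(pw) >= 8 and classes >= 3


def length_first_ok(pw: str, min_len: int = 15) -> bool:
    """Length-first rule (assumed 15-character minimum): long enough,
    base word not blocklisted, and not built from a few repeated characters."""
    if len(pw) < min_len:
        return False
    if base_word(pw) in BLOCKLIST:
        return False
    if len(set(pw.casefold())) < 5:      # "aaaaaaaaaaaaaaaa", "abababababababab"
        return False
    return True


# Constructed sample of user, system and service accounts; not real credentials.
SAMPLE_ACCOUNTS = [
    ("j.novak",    "user",    "P@ssw0rd1!"),
    ("m.kranjc",   "user",    "Summer2023!"),
    ("svc_backup", "service", "Welcome1"),
    ("sa",         "system",  "Admin123"),
    ("a.bokalic",  "user",    "when we were children we spent summer in Wales"),
    ("svc_ci",     "service", "x7#Tq9!vLp2$wZr4Nb"),
]


def audit(accounts):
    """One finding per account: verdict under each rule plus the base word."""
    return [
        {
            "account": name,
            "kind": kind,
            "legacy_ok": legacy_complexity_ok(pw),
            "length_first_ok": length_first_ok(pw),
            "base_word": base_word(pw),
        }
        for name, kind, pw in accounts
    ]


def summary(accounts):
    """Counts per rule, plus the accounts that are compliant under the legacy
    rule yet fail the length-first rule: the 'compliant but crackable' set."""
    findings = audit(accounts)
    return {
        "legacy_pass": sum(f["legacy_ok"] for f in findings),
        "length_first_pass": sum(f["length_first_ok"] for f in findings),
        "compliant_but_weak": sum(
            f["legacy_ok"] and not f["length_first_ok"] for f in findings),
    }


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f['account']:<12} {f['kind']:<8} legacy={f['legacy_ok']!s:<5} "
              f"length_first={f['length_first_ok']!s:<5} base={f['base_word']!r}")
    print(summary(SAMPLE_ACCOUNTS))
```

Run it as a script to print one line per account; `summary()` counts the accounts that satisfy the legacy rule but fail the length-first one, which on the sample is four of six, including both the system account and a service account. In a real test the same comparison is run over hashes recovered from the domain rather than cleartext, but the logic that decides "compliant but crackable" is the one above.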

Besides password policy, much attention should be paid to raising user awareness on the topics of secure passwords and password confidentiality. In addition, training users to recognise social engineering attacks is also worth its weight in gold.

Why a penetration test?

Let’s conclude with the answer to the initial question: Why is a quality penetration test an essential component of cyber risk management?

Based on our experience, attackers will likely gain access to your internal network through your employees. In organisations that have introduced systematic cybersecurity training for employees, the chances of such a breach are lower than in those that have not. However, even a trained user can be tricked by a well-planned spear-phishing attack.

Once an attacker has gained access to your internal network, everything depends on your security settings and your ability to detect and respond. At this point, the most effective way to check how efficient your security controls are is a targeted penetration test, usually run as an assumed-breach scenario that starts from the foothold a phished user would give an attacker. In such testing, you define the segment you want to examine and the objectives the tester should try to reach (for example, domain administrator rights or access to a specific data store). A comprehensive and detailed report at the end of the testing is an excellent basis for further actions and improvements.

Interested in a penetration test? Contact us.


Categories: Blog, News. Tags: pentesting, red teaming


Copyright © 2023 Carbonsec · Created by mod.si
