Готово!
Скоро материал придет на указанную электронную почту. Также подписывайте на нас в Facebook
Ok
Penetration testing: instructions for action
Industry regulators (FSTEC, FSS, NCIRCC), as well as line ministries, issue numerous regulations, bulletins, and recommendations for improving the security of information resources from targeted attacks. It is difficult for untrained specialists to understand, let alone meet all the requirements. To avoid experimenting with company security, it is worth turning to professional systems integrators with FSTEC and FSS licenses. But in case it's not possible, you can use the following instruction or plan of action to implement regulatory requirements to reduce the number of IS threats.
Plan of action
First, the company should organize a working group, which should include competent professionals responsible for information security and the smooth operation of the infrastructure of the enterprise. The same group will be the one to respond to an incident, in the case of any threat or attack against the company. The formation of the working group, along with the relevant regulations, are to be consolidated in the order; a specialist responsible for interaction with regulators must be appointed.
Taking into account the recommendations issued and the requirements in the field of IS, the next step is to develop a plan of action to be implemented at the enterprise. This plan is also put "on paper" and a person responsible for its implementation is appointed.
The next step is to conduct a security analysis and vulnerability identification to record the current state of affairs in the enterprise and determine the level of security. After receiving the results of the analysis, a report on the current state of security should be provided along with the recommendations to be taken into account for the next stage of the direct implementation of organizational and technical measures.
After performing these actions, the security analysis is repeated in order to confirm that the activities have indeed been carried out successfully.
It's important to note that during the work, the designated responsible person must constantly communicate with the regulator. They need to notify them of the work being done, and, upon completion, report that all activities have been completed within the established time frame.
Security analysis
Depending on the organization and its goals, the stages of security analysis will be different. In any case, the first phase will always be the collection of baseline data, followed by approval of the scope of work and boundaries of the test. Specifically, this step will also help identify the external IP addresses and websites that will be scanned, as well as outline the time frame in which testing can take place. Approving IP addresses and documenting them is also important as to avoid being prosecuted by law enforcement agencies. As for CII objects, the very fact of security analysis must be agreed upon with the regulator.
For the duration of the security analysis, a responsible person fr om the company must be appointed so that in case of any incident that may occur during the scanning, they could respond in time. There are cases wh ere scanning only needs to be done at night, during the so-called technological windows, without affecting the existing infrastructure.
What is the process behind external testing? Simple vulnerability scanning is performed with available automated tools, and it is, in and on itself, a pretty powerful tool. During this scan, we use the same utilities and vulnerability scanners that could potentially be used by attackers. These can be utilities available on the shadow hacker market, as well as certified scanning tools recognized by domestic regulators. The scan helps identify the landscape that the potential attacker will be working with.
Why is it important to perform scans? Because that's what the attacks start with. Not very competent attackers will be using the very same scanners. If the vulnerability scan doesn't find anything to latch on to, they probably won't go any further (unless your organization is the target). And if you have everything available right in the open, free for the hackers to work with, they will become interested, and develop the attack further. Therefore, vulnerability scanning, although a low-cost solution, yields significant results.
If you want, you can exploit the vulnerabilities found to show that the vulnerability does, in fact, pose a great threat.
In addition to external testing, you can also conduct internal penetration testing and see how the information security service works inside the company and identify other types of IS breaches. For example, to check corporate Wi-Fi networks or send phishing emails.
Try and get new means of protection, or settle with the existing ones?
The rapid purchase and implementation of new solutions are hampered by a number of factors: sanctions from Western vendors and the difficulty of choosing a truly effective domestic solution. So you should concentrate on the means that are already available at your company to their full capacity and perform hardening of all means (firewall, cryptographic protection, anti-virus tools, internal regulations on password policy, remote access). In most cases, working with these tools allows you to take care of most of the obligatory information security measures.
It's also important to interact and share experiences within the industry. For example, ICL Group concludes an agreement with customers on cooperation in combating cyberattacks. This agreement is not binding from a financial point of view, but it allows you to share information about what is happening in the world of computer security companies and track trends. As part of this agreement, lighter versions of vulnerability scans can also be used.