The cost of phishing attacks in South Africa amounted to about $320-million in 2013 alone – and it’s no longer a case of “if” your company is going to be a target, but rather “when”.
This is according to Drew van Vuuren, consulting services partner at 4Di Privaca, who points out that cyber-attacks are becoming more widespread as the country becomes more connected to the global network.
This means it’s more important than ever before to undertake regular vulnerability scans and penetration testing to identify vulnerabilities and to ensure, on a regular basis, that an organisation’s security controls are effective.
Vulnerability scanning assesses networks, servers and applications for vulnerabilities. On the downside, vulnerability scanning on its own can throw up false positives, which could make a security mechanism appear not fully effective.
Penetration testing looks at vulnerabilities and attempts to exploit them in a safe manner.
Van Vuuren says organisations need to conduct regular testing of their systems for the following key reasons:
* To determine weaknesses in the infrastructure (hardware) and applications (software);
* To ensure controls have been implemented and are effective – this provides assurance to information security and senior management;
* To test applications that are often the conduit for an attack; and
* To discover new bugs in existing software, since patches and updates can fix existing vulnerabilities but can also introduce new ones.
Vulnerability scanning and penetration testing can also test an organisation’s ability to detect intrusions and breaches. Organisations need to scan externally accessible infrastructure and applications to protect against external threats, Van Vuuren adds. They also need to test internally to protect against insider threats and compromised systems. Internal testing needs to include the controls between different enterprise systems to ensure these are correctly configured.
He says that, in order to detect recently discovered, previously unknown vulnerabilities, penetration testing should be run on a regular basis. The minimum frequency depends on the type of testing being conducted and the target of the test. Testing should take place at least annually, and perhaps monthly for internal vulnerability scanning of workstations. Standards such as the PCI DSS recommend intervals for various scan types.
Penetration testing should also be undertaken after the deployment of new infrastructure and applications, as well as after major changes to existing infrastructure and applications.