Cyber-criminals unfortunately continue to up the ante of their attacks and in many ways, are adapting faster than the good guys can respond. Given current trends, it’s safe to assume that cyber-criminals will stage increasingly brazen and bold attacks in the coming years. Nothing on the internet is safe anymore and individuals and businesses need to do everything possible to secure their assets.
There is now a greater urgency than ever around protecting your business against cyber-crime and being more vigilant, monitoring the latest trends, and adopting cyber-security best practices. One of the best things a small business (or any business for that matter) can do to protect its infrastructure is to conduct a penetration test.
In a nutshell, a penetration test is an ‘authorised’ attack on a computer system with the intention of finding security weaknesses, potentially gaining access to it, its functionality and data. The basic premise behind a pen test is that it’s better to get ‘friendly’ security auditor to try to hack into your systems rather than find out the hard way that you’ve been breached.
Although penetration testing can be done manually, there are a number of software tools on the market that can automate some of the leg-work and facilitate more thorough testing. Below, I have outlined some of the most common tools a small business should be using to conduct penetration testing of its IT infrastructure.
Metasploit is one of the most advanced and popular exploit frameworks on the market, and the world’s most used software for this purpose. The Metasploit Project is a collaboration of the open source community and Rapid 7. It is a security project focused on delivering information about security vulnerabilities to help penetration testing and Intrusion detection. It is based on the concept of ‘exploit’, which is code that can take advantage of vulnerabilities to facilitate control of systems and avoidance of security measures. An exploit runs a ‘payload’ of code that performs operations on a target machine. Metasploit can be used across all major platforms and formats such as web applications, networks, servers, etc. Both command-line & GUI clickable interface can be used and it works on Linux, Apple Mac OS X and Microsoft Windows.
Wireshark is another very popular penetration testing framework that has been around since 1998. According to its website, Wireshark is the world’s foremost network protocol analyser. It basically allows you to see what’s happening on your network at a detailed level. It is the de facto standard across many industries. Using Wireshark, you can make sense of the flood of network traffic and home in on the minutest details about your network protocols, packet information, encryption etc. Wireshark can be used on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many other systems. The application can be viewed via a GUI or else by using the TTY-mode TShark utility.
Nessus was started in 1998 and focuses on vulnerability scanning. It has been described as the Most Widely Deployed Vulnerability Scanner in the World. Essentially, Nessus scans for various types of vulnerabilities, or security holes that attackers might exploit to gain control of a computer system or network. Nessus began as a free and open source tool but that option has not been available since 2005 and it is now only available as a commercial tool. Nessus is a very robust platform and is frequently updated. It has more than 60,000 plugins. Some of the most important features of the Nessus framework are local and authenticated security checks, a web-based client/server architecture, and an embedded scripting language that allows users to create their own plugins. Nessus is compatible with most platforms and works in most environments.
Nmap, or “Network Mapper,” has been around since the late 90s. It is open source and by far the most popular network discovery platform around. Security professionals use Nmap to find out what systems you’re running behind the firewall and which ones may be vulnerable. Nmap often discovers services that you were not aware were running. This means you turn can turn unused services off, and remove the risk without needing to test them. A big time-saving. A well as producing an inside-the-firewall inventory, you can also run Nmap outside the firewall to compare what you thought your firewall was doing to what it is really doing. Nmap works on most of the environments.
Acunetix primarily role is as a web vulnerability scanner targeted at web applications. The platform uses a state of the art crawler technology that analyses your web applications. It provides SQL injection, cross site scripting testing and PCI compliance reports. Acunetix is one of the more expensive tools on the market but if your business relies on highly functional websites, ecommerce or cloud service offerings, it would be a useful tool to have in the toolbox.
Using an External Consultant
Whilst there are new software tools becoming available all the time, the above tools would provide all you need to carry out a thorough penetration test of your network, systems and websites. That said, a common issue for small business IT departments is that they are too busy supporting vital business functionality to learn new skills and tools. If this is the case for you, then hiring an external consultant could be more cost effective.
If you would like a competitive quote for penetration testing of your small business IT infrastructure, please feel free to contact KRYPSYS on 0845 474 3031 or via our website www.krypsys.com