Advanced Hacking Attacks Authors Speak Part II: Andrew Whitaker

Article by Peter_Suciu, published Dec 17, 2008

Chained Exploits: Advanced Hacking Attacks from Start to Finish co-author Andrew Whitaker discusses threats faced by businesses in the 21st century

Penetration Testing

In Part II of our series looking at new threats for the 21st century, we continue our discussion with Chained Exploits: Advanced Hacking Attacks from Start to Finish co-author Andrew Whitaker. He offers his insight into the role and purpose of penetration testing, and discusses some of the best defenses that enterprises, as well as small and medium-sized businesses, can put in place to combat outside threats.

Bright Hub: Is penetration testing something that a small business should consider? What are some of the things that a business should test for as well?

Andrew Whitaker: Yes, all businesses should consider penetration testing. However, the scope of the assessment is going to be different from that of a large enterprise. Often, small businesses may just test for compliance standards, such as PCI (a standard for credit card processing) or, in the case of the healthcare industry, HIPAA. Some small businesses may simply run vulnerability scanning software instead of doing a full penetration test.

Best Defense

Bright Hub: What are the best defenses that a small business can have in place? And are there sources or events that you recommend where business owners and IT experts can get up to speed to combat the growing threats?

Andrew Whitaker: The best defense is education. This is why all three of the authors not only perform penetration tests, but are trainers with Training Camp. We have learned that the best way to be armed against attacks is to be educated about how the attacks work. Security professionals implement controls like firewalls, anti-virus software, intruder detection systems, and other technologies but often fail to understand the anatomy of how sophisticated attacks actually work. By reading books like Chained Exploits and attending training, security professionals can be equipped with the knowledge they need to assess the best approach to securing their network. As the old saying goes, knowledge is power.
