Dear Friend,
Net ProActive Services has emerged as a thought leader in the
Infrastructure Management space, especially in the
areas of Security, Managed Security and Enterprise
systems management. Our teams have always strived to
provide clients end-to-end, vendor agnostic solutions
and this has been a major reason for our success.
In this fast-paced world of technology, there is immense pressure on each of us to introduce technology into our organizations in the most cost-effective fashion. To help your organization achieve its goals, Net ProActive Services is bringing out a monthly newsletter called the Nightwatch. The Nightwatch will provide updates on recent technology developments, process advancements, and Indian regulatory issues.
In this first issue of the Nightwatch, we cover Ethical Hacking. In a recent directive from RBI, ethical hacking has been made mandatory for all banks offering Internet banking in India. In this article, we cover ethical hacking, how it is done, what role it plays in your security plan and how you can protect your organization from malicious attacks. We hope you enjoy reading this article and forthcoming issues of the Nightwatch.
Cheers,
Chief Executive Officer
How secure is your Information Systems infrastructure - even its security elements - against external attacks? Have you been able to keep track of information security on an ongoing basis, with all the new business and infrastructure changes taking place in the organization? Do you have the right internal controls in place? Is the existing security implementation actually securing what it is supposed to secure?
An "Ethical Hacking Exercise", also known as "Penetration Testing", attempts to answer these questions. It is an acid test of the problem areas in an organization's infrastructure elements and of the business risks associated with them. These tests are a detailed check on the robustness of the critical information resources, as well as of the security elements themselves, in the face of the various threats posed.
The service comprises bespoke checks on devices and processes, and gives the organization both an element-level view - network, system, applications and processes - and an overall organization-level view of the risks it might be carrying.
By undergoing an ethical hacking test, an organization should get an idea of the vulnerabilities present in its infrastructure and of the information exposed to unauthorized external users as a result of those vulnerabilities.
However, the customer must appreciate that 70% of all security breaches originate from internal users, and that an ethical hacking exercise will only reveal the vulnerabilities that can be exploited by external users. To understand the vulnerabilities exposed to internal users, the organization must undertake a full-fledged security audit, consisting of security scans, user interviews and penetration testing.
If this exercise is being carried out by an external entity, a comprehensive agreement must be in place to ensure that the organization's information assets are not harmed in any way. At a bare minimum, the agreement must address the following:
- Non-Disclosure Agreement
- Days and times at which the exercise will be carried out
- Infrastructure that will undergo the test
- The kind of information/evidence that must be gathered
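As an added illustration of the agreement items above (this is not code from Net ProActive Services or from the newsletter), the following Python sketch shows how a testing team can encode the agreed scope, days and times, and evidence types, and refuse any activity that falls outside them before it starts. The RulesOfEngagement structure, its field names and the sample agreement values are all assumptions constructed for this example; the IP ranges are documentation-only addresses.

```python
"""Check a planned test activity against the agreed rules of engagement.

Added example: the RulesOfEngagement structure and every sample value are
constructed for illustration and are not part of the newsletter.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    """Hypothetical representation of the four agreement items the article lists."""
    client: str
    nda_signed: bool
    authorized_networks: list[str]   # CIDR blocks the client placed in scope
    allowed_weekdays: set[int]       # Python weekday numbers: 0=Monday ... 6=Sunday
    window_start: time               # earliest permitted time of activity
    window_end: time                 # latest permitted time of activity
    evidence_types: set[str]         # kinds of evidence the client agreed to


def target_in_scope(roe: RulesOfEngagement, host: str) -> bool:
    """True if the IP address lies inside one of the agreed networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(n) for n in roe.authorized_networks)


def time_in_window(roe: RulesOfEngagement, when: datetime) -> bool:
    """True if the timestamp falls on an agreed day and inside the agreed window."""
    if when.weekday() not in roe.allowed_weekdays:
        return False
    return roe.window_start <= when.time() <= roe.window_end


def check_activity(roe: RulesOfEngagement, host: str, when: datetime, evidence: str) -> list[str]:
    """Return the reasons an activity would breach the agreement (empty list = permitted)."""
    problems: list[str] = []
    if not roe.nda_signed:
        problems.append("no non-disclosure agreement on file")
    if not target_in_scope(roe, host):
        problems.append(f"{host} is not part of the agreed infrastructure")
    if not time_in_window(roe, when):
        problems.append(f"{when.isoformat()} is outside the agreed days and times")
    if evidence not in roe.evidence_types:
        problems.append(f"evidence type '{evidence}' was not agreed")
    return problems


# Constructed sample agreement (invented client, documentation-only IP ranges).
EXAMPLE_ROE = RulesOfEngagement(
    client="Example Bank (constructed)",
    nda_signed=True,
    authorized_networks=["192.0.2.0/24", "203.0.113.0/27"],
    allowed_weekdays={5, 6},          # Saturday and Sunday only
    window_start=time(22, 0),
    window_end=time(23, 59),
    evidence_types={"screenshot", "service-banner", "scan-log"},
)


def demo_permitted() -> list[str]:
    """In-scope host, Saturday night (2024-06-01), agreed evidence type: no problems."""
    return check_activity(EXAMPLE_ROE, "192.0.2.10", datetime(2024, 6, 1, 22, 30), "screenshot")


def demo_blocked() -> list[str]:
    """Out-of-scope host, Monday morning (2024-06-03), unagreed evidence type: three problems."""
    return check_activity(EXAMPLE_ROE, "198.51.100.5", datetime(2024, 6, 3, 10, 0), "customer-records")


if __name__ == "__main__":
    print("permitted:", demo_permitted())   # []
    for reason in demo_blocked():
        print("blocked:", reason)
```

Run with a real engagement, each planned activity would be passed through check_activity and logged with its timestamp and outcome, so the evidence file shows not only what was found but that every action stayed within the agreed days, infrastructure and evidence types.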
Benefits of undergoing an ethical hacking exercise
- Real security picture: The ethical hacking service provides a realistic picture of the organization's security state, with vulnerabilities identified. This helps the organization minimize the risk of a hacker causing damage to its networks, hosts and services.
- Business-relevant information: After vulnerabilities are detected, they are comprehensively analysed to retain only the business-relevant risks, arranged in order of criticality so that the findings are directly actionable.
- A sound starting point: Ethical hacking gives a valuable starting point to organizations that need to assess their security needs, and is the first step in setting a security baseline.
- Benchmarking organizational security: The results of the ethical hacking are compared against best-practice standards and the results of other companies to build an indicative benchmark of your security state.
- Sensitive information handled safely: Since the entire exercise is carried out in a controlled environment, at agreed times, with appropriate agreements in place, the IS infrastructure is not harmed during the test.