
7 Reasons Why Your Organisation Needs To Do A Pentest

A pen test is generally performed to find vulnerabilities and fix them before an attacker does. Sometimes, the IT department is aware of the reported vulnerabilities but still needs an external expert to officially report them so that the management is sure of the vulnerabilities and can fix them properly. Having a second set of eyes to corroborate all the vulnerabilities is always a good security practice. Let’s find out the reasons why performing pen testing is important.

Reasons why Penetration Testing is Important

1. Meeting compliance: The payment card industry mandates, through the PCI-DSS regulations, annual and ongoing penetration testing. A pen test lets enterprises mitigate the real risks associated with their network.

2. Maintaining confidentiality, revenue and goodwill: Failure to protect the confidentiality of data can result in legal consequences and a loss of goodwill. A security attack can damage accounting records and hurt the organisation's revenue. Penetration testing as a service not only helps enterprises discover how long an attacker would need to breach the system, but also confirms that the company's security teams are prepared to remediate the threat.

3. Verifying secure configurations: If an organisation's security team is doing a good job and is confident of its actions and results, penetration test reports verify this. An outside entity acts as an independent confirmation of the system's security, providing a view free of internal bias. It can also measure the team's effectiveness as security operators and helps identify gaps in the system.

4. Security training for network staff: Penetration testing allows security personnel to recognise and respond properly to different types of cyber attack. For instance, if the penetration tester is able to compromise a system without anyone noticing, this indicates a failure to train staff in proper security monitoring.

5. Testing new technology implementations: The ideal time to test a technology is before it goes into production. Performing a penetration test on new technologies before they go live often saves time and money, as vulnerabilities and gaps are easier to fix before the application is in production.

6. Reputation: Your company's reputation will definitely suffer when a data breach occurs and is publicly announced. This may cause a loss of customer confidence and lead to a drop in revenue and profit. Your company's share price will also be affected, as investors may worry about the above impact. As people come to understand data privacy and how it affects them, the impact of a data breach will grow tremendously and could cause significant loss to the company.

7. Competition and rivalry: Losing your company's proprietary data will be disastrous, especially if this data ends up in the hands of your rivals. While your competitors may not be the ones performing cyber attacks on you, they could acquire this data indirectly. Cybercriminals like to publish their wins on public websites, such as Pastebin, or sell the information on the dark web for cryptocurrency. Your competitor may get hold of this information through either of these two channels, and you may never know it. This goes back to the risk assessment: identify the threats to your proprietary data and their impact on your business.

SOURCE: Horangi TestingXperts

THE PHISHING PANDEMIC

In these confusing times, when we are trying our best to keep away from COVID-19 while adjusting to the work-from-home culture, we are being targeted by a threat that we otherwise pay little attention to. Studies and news reports show an all-time high in phishing attacks, which can affect anyone from an individual to a large-scale organisation. With our personal or organisation's sensitive data at stake, the threat sounds as dangerous as COVID-19 itself, but the protocol to safeguard ourselves is equally simple to follow.

Consider the following cases of recent phishing attacks:

  • In one case, FBI agents report that employees at an unnamed financial institution received an email from someone posing as the firm's CEO, asking to move a previously scheduled $1 million payment to a different date "due to the coronavirus outbreak and quarantine processes and precautions."

  • In another case, a fraudster posing as a client from China emailed a business requesting that all invoices be paid to a different bank account due to "Corona Virus audits," according to the FBI. The victim sent several wire transfers to the new account before discovering the fraud.

WHAT EXACTLY IS PHISHING?

Wikipedia describes Phishing as:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.

With the current situation, no one is far from the threat. That email asking you to donate to the PM-CARES Fund in India with a direct link to a payment gateway, or the SMS saying you have just received Rs. XXXXXX from the state or central government as COVID-19 aid and should click the link below to claim it, are all examples of phishing attacks in the country. We ignore these because we know the government runs no such campaigns, and they are quite obvious to spot. However, the more sophisticated ones, which are far harder to spot, hide among these. Let's take a deeper look at a few of those.

THE MOST EFFECTIVE ONE SO FAR HAS BEEN: MASQUERADING URLs WITH PUNYCODE

A little surfing of the internet can explain what Unicode and ASCII values are. Punycode is a way of converting words that cannot be written in ASCII into an ASCII-only encoding. Attackers abuse this to substitute look-alike characters in URLs, replicate legitimate web addresses and phish from those look-alike websites.

For a better understanding, let us analyse a case here:

The curiously-named system known as Punycode is a way of converting words that can't be written in ASCII, such as the ancient Greek phrase (meaning "Know Yourself"), into an ASCII equivalent like:

With this, we can register international domain names using the above encoding (since registration accepts only A-Z, 0-9 and the hyphen '-').

This is because the global Domain Name System (DNS) is restricted to that limited subset of ASCII characters in domain names.

So if we were to register: .COM

Some modern apps recognise the Punycode and automatically convert the name for display as: .COM

Now this still doesn't make sense, right?

See, the twist here is that some Latin (Roman) characters look identical to characters in other scripts, so a name that is displayed as a familiar address may in fact be a completely different domain.
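The check a defender would want for the trick described above, as an added example that is not part of the original article: it decodes a hostname's xn-- form, reports what DNS sees versus what a browser may display, and flags labels that mix scripts or merely render like an all-ASCII name. It uses only the Python standard library; the sample hostnames and the small look-alike table are constructed for the demo.

```python
"""Defender-side check for punycode look-alike hostnames (added example).
The suspicious sample below swaps the Latin 'a' in "example" for the
Cyrillic small letter a (U+0430), which renders identically in most fonts."""
import unicodedata

# Partial, hand-picked table of non-Latin letters that render like Latin
# letters in common fonts (Cyrillic and Greek); a real deployment would use
# the full Unicode confusables data instead of this constructed subset.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u03bf": "o",
}


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one DNS label (digits and
    hyphens are script-neutral and skipped)."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        # unicodedata names read e.g. "CYRILLIC SMALL LETTER A"; the first
        # word is the script. ASCII letters are simply Latin.
        scripts.add("LATIN" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def inspect_hostname(host: str) -> dict:
    """Report what DNS sees (the xn-- ASCII form), what a browser may display
    (the decoded Unicode form), and whether the name mixes scripts or
    renders like an all-ASCII name it is not."""
    display = host.encode("ascii").decode("idna") if host.isascii() else host
    dns = display.encode("idna").decode("ascii")
    findings = []
    for label in display.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in display)
    looks_like = skeleton if skeleton != display and skeleton.isascii() else None
    if looks_like:
        findings.append(f"renders like {looks_like!r} but resolves as {dns!r}")
    return {"display": display, "dns": dns, "looks_like": looks_like,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for sample in ("example.com", "xn--exmple-4nf.com", "ex\u0430mple.com"):
        print(inspect_hostname(sample))
```

Run it over the hostnames extracted from links in a suspect email; any entry with `suspicious` set deserves a closer look before anyone clicks.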

Hence, it is certain that we must check URLs carefully before we click them. If you found this interesting and want to learn more about the Punycode process mentioned above and other attack vectors, as well as safety measures, do join our free webinar on 22nd April '20.
