Cyril Voisin, Executive Security Advisor, Enterprise Cybersecurity Group, Microsoft MEA and Paula Januszkiewicz, CEO and Security Consultant, CQURE, sat down with Security Advisor ME and discussed how conducting vulnerability scans can help organisations defend against the increasing number of data breaches in today’s digital world.
What is penetration testing and how can organisations benefit from it?
Paula Januszkiewicz (PJ): A penetration test or ‘pen test’ is a simulated attack on a system or network to exploit its vulnerabilities and determine ways to reinforce the organisation’s defences. It is typically conducted by a person within the firm’s security team or by an external consultant such as myself. It has two main objectives: first, to find out which elements within your systems need to be updated; and second, to identify the misconfigurations that could lead to potential breaches in the future.
This process is necessary because in today’s growing digital environment, IT professionals are often expected to innovate in a fast-paced manner and they tend to make mistakes. The most pressing issues that companies face are typically caused by misconfigurations. However, it needs to be very detailed for enterprises to fully realise its benefits. It is important to note that any discovery, no matter the size, is helpful. In fact, the more problems a penetration test can detect the better, because exposing these vulnerabilities will, of course, enable organisations to strengthen the security of their IT infrastructure.
Cyril Voisin (CV): The way I see it, penetration tests give organisations an outsider’s perspective. Our goal is to provide security teams with fresh eyes and give them an idea on what they might be missing and how they can fix that.
Security teams are, of course, working to ensure the resiliency of their organisation’s network defences. And, when there’s nothing happening and everything is going smoothly, that’s usually a good sign that your security systems are doing what you need them to do. However, the thing with security is sometimes you think you’re doing too much until something happens and you realise that you weren’t doing enough. As for Microsoft, this is one way we can support our customers. They can come to us if they need to re-assess their security systems and through the help of Paula and her team we can help them carry out a pen test. Through these tests, we can identify various ways an attacker can potentially infiltrate your network. After doing so, we will come up with suggestions as to which system, process and/or activity should be improved or changed.
Do you think companies here in the Middle East region are aware of the importance of doing a penetration test?
PJ: They definitely are. However, security is a subject that has evolved rapidly over the last few years and it will continue to do so. Now, while a significant number of organisations here in the region are already conducting penetration tests, I believe that we should do more to increase this number. What I have been seeing today is that a lot of companies opt to integrate multiple tools and solutions into their systems as they think that that’s the best approach. While that may be advantageous to some extent, these solutions, if not configured properly, can do more harm than good. That is why penetration testing is essential – systems and applications get updates, which change the inter-dependencies of the different solutions and that makes your IT systems vulnerable.
Some say that people are the ‘weakest link’ when it comes to security. Do you agree?
PJ: No, I believe that this notion has been invented by companies who don’t know how to properly deal with security. In my opinion, businesses should make sure that each and every one within their organisations is not ‘weak.’ That’s the idea that enterprises should keep in mind when designing security.
CV: From our perspective, I believe that we should make it a point that everyone is involved when discussing security. We can teach and show them all they need to know but if they don’t change their bad security habits then it will be useless. So, we should make sure that everyone’s on the same page in implementing our security strategies.
What is the impact of cloud and Internet of Things (IoT) technologies on an organisation’s security posture?
CV: IoT technologies have been making really big strides here in the region, especially in the UAE where we have Dubai’s Smart City initiative. Soon, everything will be connected everywhere from smartphones to smart cars to smart buildings. These devices will be communicating with each other, exchanging data and learning from end-users and from one another. However, we believe that even with all of the developments that are being done in the market today, the IoT space is still at a nascent stage. It is still not a priority for most security professionals today, and that is quite concerning considering the increasing number of innovations being made in this segment.
Now, when it comes to cloud, there’s this long-running notion that when your data is on the cloud it will become more exposed to threats as opposed to hosting it on-premise.
To put it into perspective, let’s say you’re travelling from one country to another. Let’s say using on-premise technologies is like travelling in your car. You’ll get to choose which car you want, which route to take, when to leave, and where to make stops. But, it will take a very long time and there are a lot of potential threats along the road.
Meanwhile, if you get on a plane not everything is controlled by you, but you know that the pilot is an expert at what he does and he will get you to where you want to go safely. That’s similar to cloud technologies; you get to choose a solutions provider and an integration partner and let them manage your systems for you. And, if you choose the right partners you won’t only save time, storage and money, but you can also be assured that your data is secured.