Trust But Verify - Why You Need To Run A Penetration Test
Published October 1, 2025
About This Video
In this episode I talk about the importance of having penetration tests done on your network. You want to trust but verify that your security is being addressed.
Do you think your security is fine or being taken care of? Great, but how do you know?
A penetration test is how you can verify it.
Timecodes
00:00 Introduction
00:14 How do you know your Security is good?
01:46 Vulnerability Scan vs Penetration Test
02:49 Cyber Security Insurance
07:32 Reach out if you have questions
Full Transcript
Auto-generated from the video's captions. Minor transcription errors may exist.
Welcome back to another episode of Cappuccino Chat. This time we're talking about penetration tests for your network and why you need to trust but verify.

All right, so this time we're talking about penetration tests, and how the conversation typically comes up is when I'm talking to new prospects about their security and their networks and what we can do for them and how we can help them. A lot of times I hear, "You know, I'm good. I've never been hacked. I don't need all that security stuff." And typically the next question I ask is, "How would you know if you were?" In today's world, we're not just going to pop up screens on your monitor for you all the time and let you know, "Hey, hacker's here. I've stolen all your data," or, "Hey, give me Bitcoin," and do all this different stuff. It's not like that anymore. Nowadays, they're a little more stealthy. They're going to sit in your systems and wait and watch and see who else you know and how they can spread to other parts of your network to get the different data. Remember, they want to get to your HR data, your payroll data for your employees, plus any of your client information, anybody else you're in communication with via email. So, this all takes time for them to try to make sure that they don't throw up alerts and alarms in your system. And if they are successful in doing this, again, they're not announcing themselves and letting you know that they're there.

So that's why this penetration test can be very helpful. It can let you know about vulnerabilities on the system, active ways that a hacker can get in. So that's kind of one of the differences we see is a lot of people will pass off vulnerability scans as a penetration test. A vulnerability scan is not a penetration test. A vulnerability scan is going to let you know of known vulnerabilities that exist on the systems. A penetration test is going to take that one big step forward and say, here's a vulnerability. Was I able to get through it and actually compromise a system using that vulnerability? If yes, then I let you know. If no, there's no reason to report on it. It's not actively being able to be compromised via that vulnerability. You may have some other security layers in place that are stopping that vulnerability from being exploited. So there's no reason to waste your time fixing that vulnerability if you've already mitigated it via some other method. Right? So that is the biggest difference between a vulnerability scan and a penetration test.

Now, where we typically see these both mentioned is on your cyber security questionnaire form that you get once a year or when you first apply for cyber insurance. So again, they're going to ask you, do you do a vulnerability scan? Do you do any kind of penetration tests? Right? Two different things. You want to answer yes to as many of these as you can, but again, we can make comments on there. If you're doing a penetration test, that basically includes the vulnerability scan, where a vulnerability scan is just scanning it. Now, one thing that's coming up in here is they're not asking you did you mitigate those vulnerabilities if found. It's asking if you're doing a scan. They're assuming most people will then fix what is being found. So, it's kind of implied even though they're not asking. So, that's what's really going on.

So, remember with the cyber insurance, it's 100% or it's 0%. So, in other words, if you got 10 users or 10 computers and nine out of the 10 are doing whatever they're asking you for, but the 10th one isn't, the answer is no on cyber security insurance forms, right? Because the last thing you want is to say you're doing something, have something happen on that 10th computer that didn't, and then when they come up and do an audit of your system and find out you didn't have whatever it was on that 10th system, they're basically going to deny your claim and you've been paying all those premiums for no reason, because basically they're going to say you lied on the form when that's not what your intention was. You thought everything was being taken care of. We need to make sure, we need to trust but verify.

But we've all heard that old saying, and this is where it comes into practice as far as security on your network goes: trust but verify. These are services that we provide. We can add these on, do one-time scans, we can do quarterly, biannual scans for our clients. There is a cost. These can be quite costly, but we have a system in place that allows us to work with a third-party independent penetration test company that we can send off to your insurance if they want proof and any of the reports, any of that kind of stuff to allow us to do this. This is not us scanning our clients' networks saying, "Oh yeah, everything's perfect because we're taking care of you." It's not like that. We want to know if these things are happening, too, right? There's constantly new vulnerabilities being found. Microsoft is patching them, but you've got other vendors that aren't always updating stuff. So, it's always a good practice to scan your network like this, doing a penetration test just to trust, but verify. If your IT person is saying, "Hey, we got it all taken care of." How do you know? Let's verify it. How do you verify it? Getting a true penetration test, not a vulnerability scan, a penetration test.

So now, all that does, either the vulnerability scan or the penetration test, penetration test being better, is let you know if there are known issues. It does not fix those issues. That comes after the fact. So if you get a penetration test done, it uncovers two, three, four, 10 things. There would be additional costs, or you can have your IT company take care of fixing those issues and then again run a follow-up scan after, you know, to ensure that yes indeed those things have been handled. That's typically why we'd like to do like biannual penetration tests, right? We run the first one, find out what's going on, work with you if need be to shut down certain things. We might have to work with your copier companies, your phone company, those kinds of things to mitigate some things. So, it takes some time. And then that six months later, we run another scan. We verify all that stuff has been resolved and see if any new vulnerabilities that can be compromised now exist on the system, and basically wash and repeat. It's just a way to trust but verify that all your security is in place that you need, so that should something happen, you're prepared, right? You can show proof you did anything that a reasonable person could be asked to do: you had third-party independent scans being done and you've mitigated those issues.

So, I know that's a lot, but again, as the old saying goes, trust but verify. How do you know that you haven't been breached? How do you know that you are truly protected? By getting a penetration test on your network. As always, if you have any questions concerning penetration tests, vulnerability scans, cyber insurance, please reach out to me. Give us a call here at the office 760-770-5200.