The Flaw in Cyber Security Testing

Despite the title of this article, it's important to note that cyber security testing is a really good idea. This article exists simply to highlight that it is not a complete solution.

For those who don't know, one of the most robust tests of a company's security is a full penetration test (AKA pen test).

Impersonation is one route for Pen Testing

This is generally an attempt to defeat or circumvent a company's cyber security defences, usually as a paid engagement by a 'white hat' (ethical) cyber security specialist or team.

This team will do everything within their power to compromise the target, often with an additional financial bonus built in as a 'bounty' should they succeed (to ensure best efforts rather than box ticking).

White hat hackers will try everything from social engineering and bluffing their way into the premises to infrastructure attacks and more to get what they need.

Passing a penetration test is no mean feat and is obviously a huge boon to a company's security standing, but ultimately it has one flaw:

White hat hackers will only do what is legal and, generally, ethical. Unfortunately, cyber criminals are not bound by these constraints.

A network classed as 'secure' after a successful penetration test (or an unsuccessful one, depending on your perspective) could be compromised the next day by a criminal breaking into an employee's house and stealing a laptop, installing a keylogger on an employee's home machine, or tricking an employee into giving up personal data via social networks and then extorting them for company passwords. None of these is something a legitimate tester can do. A pen test is also scoped and time-boxed: it says nothing about assets outside the agreed scope (employees' homes and personal devices are rarely inside it), and nothing about anything that changes after the test is over.

I feel like this cartoon pretty much sums it up:

Cartoon from xkcd.com

While I thoroughly agree penetration tests are an excellent idea, companies must be wary of resting on their laurels with a false sense of security.

Unlike traditional physical security, where the level and type of vigilance required have changed little over the years, cyber security is directly linked to technology, an ever-changing landscape that requires ever-changing precautions.

Companies need to train and educate staff, on an ongoing basis, to protect company data, their own personal data and that of their families.

Bob McKay

About Bob McKay

Bob McKay works at Perfect Image, is a father, programmer and a self confessed techie-geek type.
