10 Reasons You Need to Test, Not Guess
Charles Henderson, vice president, managed security testing, Trustwave
How you are securing your sensitive information should not be a guessing game. You should know what's working and what's not - and, most importantly, fix any weaknesses before an attacker discovers them. Databases, networks and applications make up your organization's security DNA. Effective security requires that businesses make fact-based decisions based on real-world data about their databases', networks' and applications' ability to withstand an attack. Security testing can help you make more informed security decisions.
You need to test, not guess, whether or not your infrastructure is secure to:
1. Identify problems before attackers do. Vulnerabilities in databases, networks and applications introduce security weaknesses that can increase your data breach risk. According to the recently released 2015 Trustwave Global Security Report, 98 percent of applications tested by Trustwave in 2014 had at least one security vulnerability. It's critical that you identify and remediate security weaknesses across your infrastructure continuously throughout the year; testing should not be a point-in-time, annual task on the “to do” list.
2. Build security into IT projects. According to the 2015 Trustwave Security Pressures Report, 77 percent of IT pros have been pressured to unveil IT projects that were not security ready. Oftentimes (and this may happen to you), in-house IT teams are focused on getting projects out the door by a specific deadline. They are not focused on security. As a result, security becomes an afterthought, leaving your company at risk of a breach.
3. Prevent an internet of insecure things. Ethical hackers have tested many internet of things devices, from smart home appliances and ATMs to WiFi-connected home and business automation systems, and too often found that they lacked basic security controls. Consumer and business products shouldn't hit the shelves without testing for and remediating the security vulnerabilities within them.
4. Gain perspective on your web apps. Designers of web applications face challenges similar to those of in-house IT teams: mounting pressure to get applications out the door on deadline. Once again, in those cases, security is overlooked, leaving users of those apps open to attack.
5. Mobile, safely. Also revealed in the 2015 Trustwave Global Security Report, 95 percent of mobile applications tested by Trustwave experts were vulnerable. As BYOD becomes more commonplace in the work environment, it's critical that mobile application developers and businesses continuously identify and fix security weaknesses within mobile devices.
6. Protect your databases. There's no question about what cyber-criminals are after, and that's data—sensitive, valuable, salable data. Configuration mistakes, identification and access control issues, missing patches or any toxic combination of settings can lead to escalation-of-privilege or denial-of-service attacks, data leakage or unauthorized modification of data.
7. Avoid getting lulled into a false sense of security. In spite of the string of high-profile data breaches within the past couple of years, too many businesses still believe they will not fall victim to a breach. Industry analysts say that in 2015 at least 60 percent of enterprises will discover a breach of sensitive data – a statistic that demonstrates there is no breach immunity.
8. Spot problem passwords. “Password1” is the most common business password, and, according to the 2015 Trustwave Global Security Report, 39 percent of passwords tested were only eight characters long. It takes only one day to crack an eight-character password, while Trustwave estimates 591 days for a ten-character password.
9. Keep security from evaporating in the cloud. Among emerging technologies, 47 percent of IT pros were most pressured to use or deploy the cloud (source: 2015 Trustwave Security Pressures Report).
10. Avoid introducing new vulnerabilities when making a change. Infrastructure changes introduce new vulnerabilities. If you don't test, and test often, you might be putting your business at risk.