You Don’t Need a Penetration Test
I have been on a few webinars and have seen a few discussions around pen testing lately, and so everyone knows what side I am on, automated pen tests aren’t pen tests. That said, most people I work with don’t need one (except those in compliance-based industries). Even then, if they weren’t required too – I probably wouldn’t recommend it…Until
Until what? Until your house is clean, you know what devices exist in your environment, what software lives where and who has access to what. This is not new or revolutionary work, this is just work. Hard, boring, slow, remedial work. So why am I posting this? Mainly to push my anti-sales agenda, do not buy the next-gen, AI-powered dark web scanning penetration test, UNTIL you fix your environment. Now I am not going to tell you all of this and not tell you what to look at.
I will put one last disclaimer, the advice that you don’t need a pen test is for companies that aren’t bound by compliance regulations, and it is not to say they are not valuable, but you should make sure that your environment is in decent shape before you pay tens of thousands of dollars to discover information that could be provided by your internal IT team.
- Enable auditing: this will help security teams track and monitor activity on the network, this will also help with correlation in the event of a breach.
- Restrict access to sensitive files and folder by group policy and security groups; Finance doesn’t need to see folders in marketing, HR doesn’t need access to shipping and receiving documents, use common sense.
- Enforce strong passwords via GPO/Azure controls – this should be self-explanatory.
- Disabling unnecessary services: Certain services, such as Remote Desktop or the Telnet service, can be disabled if they are not needed in order to reduce the attack surface of the network.
- Enabling encryption: Group policies can be used to enable encryption of sensitive data, such as files and email messages, to protect against data breaches.
- Enable multi-factor authentication: multi-factor authentication (MFA) adds an additional layer of security by requiring users to provide a second form of authentication, such as a code sent to a mobile device or a fingerprint scan.
- Regularly review and monitor AD events: Regularly review security event logs, such as the Security event log, to identify potential security breaches or suspicious activity.
- Use a least privilege model: Use a least privilege model for AD, which grants users only the access they need to perform their job duties, and no more.
- Use a separate admin account: Use a separate admin account for AD management and avoid using the administrator account for daily usage.
- Use a backup and disaster recovery plan: Regularly backup AD and create a disaster recovery plan in case of a system failure or data loss. Know where your backup data lives, how long it takes to recover, what your redundancy and resiliency is.
- Monitor and control network access: Use firewalls, VPNs, and other network security measures to monitor and control access to the network and AD.
- Limit physical access: Limit physical access to AD servers to prevent unauthorized access or tampering.
- Have an inventory of devices, you can’t secure what you don’t know exists.
- Have an inventory of software, you won’t know if you have vulnerabilities in your environment if you are unaware of what applications are running.
These may seem like simple suggestions, and if you can answer all of these questions positively, then maybe you should investigate vulnerability scanning or a pen test, but if you can’t – you should start investigating for answers. Don’t hesitate to contact us with any and all questions about your cybersecurity needs.
Subscribe to our Newsletter