Watch this episode on YouTube.
Reasonably Accurate Transcript
Morning everybody. How are you doing today? Mark here with another Mornings with Mark, looking at cyber security basics. And today we're going to look at two different concepts that are somewhat related. We're going to talk about risk assessments and penetration testing. Now, the reason why I wanted to pair these two together is because one normally leads to the other, and they're somewhat linked, because a risk assessment is very much just a formalized process where you're going through the notes of a system or some sort of service you're deploying and looking at any potential risks.
Now, you'll remember early in this basics series we tackled vulnerability, exploit, threat and risk, and a risk assessment is essentially a formalization of all of the different ways where there are vulnerabilities and there is potential exploitation, threats and therefore risk. It's a summation document.
So what you do is you look, you say, ok, if we have this system that takes online orders, what are the risks here? What is the overall risk assessment of this system? Well, because we have this piece and this piece and this piece and they have these vulnerabilities and we've been able to mitigate them in this way.
Really, you get this formalized bubble-up of saying our overall risk is maybe low, and here are the individual breakdowns of each aspect of that risk. Now, there's a huge number of ways of approaching these types of risk assessments. Pretty much every jurisdiction, every industry, every regulatory sort of body has their own way of evaluating risk.
But essentially, from a cyber security perspective, a risk assessment is a formalized view and report on the state of risk in any sort of solution or service. Now, a risk assessment is only as good as how accurate and sort of how in depth it is, and how often it's done. It's not a one-time thing; they need to be continuously updated.
Changes are made to the system, and that's where a lot of people fall down: they tend to do risk assessments once a year, but you're making changes once a week. So at best the risk assessment is 51 weeks out of date. They need to be a continuous thing.
And I think people put way too much effort into formalizing them, when really, at the end of the day, if you had to put a risk assessment in plain language, it's: what do I need to worry about with respect to this technology?
It's really that simple, and why that's linked to a penetration test is because a penetration test is an attempt to see an attacker's or an external body's view of this system. So a penetration test is a formalized test where you have gone out to, ideally, a third party and put them under contract and said: we want you to attack our system and see what you find as vulnerabilities, as exposures,
so that we can look at the risks. Now, there's a lot in that. But essentially, let's say I have a system where I am running that ordering system, right? I'm taking orders for, let's say, books, and what I would do is contract with a penetration tester or a company that does this as a service.
And I would give them some parameters, hopefully very, very few, and I'll circle back to that in a second. They would try to attack my system. So they would try to plant false orders in the system. They would try to take it down, all with the goal of finding out where it's weak, where there are issues.
And the idea here is that if you pay somebody to have this done, if you do this ahead of time, you'll know how attackers could attack your system and you'll be able to fix it. So while a risk assessment, a lot of the time, is more theoretical, where they're doing interviews with people who are involved, they're looking at known vulnerabilities in the technology components, and they're compiling that up into their document and saying, based on what we know about the design and implementation of this system,
Here are the risks. A penetration test is literally somebody banging on the door, poking holes in things trying to figure out if they can get into a system. So it gets messy and very much so, but it's better to have somebody on your side do it before a cyber criminal does it for you.
Then of course you get a report, ideally with some recommendations on what you can do about each of these vulnerabilities that the penetration testers found. Now, the challenge with pen tests is that it's a really uncomfortable thing to do, to allow somebody to attack your system.
It takes a lot of sort of, you know, fortitude to go, ok, yeah, you can do it. Because of that, what we see quite often, and this is a fundamental mistake and problem with penetration testing, is that people put very severe boundaries around that system.
They will say, or not that system but that process, they will say: you, penetration tester, can only attack on Saturday between these hours. And the reason being is because not many users are on the system and it won't have an impact on the business, which totally makes sense.
But then they also say, ok, well, we're going to put more people on staff to respond to any incidents. We're going to have our best foot forward. That's not the idea of a pen test, because the pen test looks at your process response as well: as they're starting to poke holes in your system, do you see it?
Do you respond? How do you recover? If you put boundaries around that, you're not getting an accurate result, you're getting the ideal result. So within these parameters, here are these little tiny issues, as opposed to: here are all the real problems with a pen test.
Now, normally the rules around a pen test should be, you know, you can't commit a physical crime, like you can't beat up an employee or try to bribe an employee, but you should give them pretty big leeway. And that means they could call support to try to trick them into giving them access to an account, they could try to physically get into the building, and this kind of stuff, the complete extremes.
But the value of that pen test is that you're getting somebody to do a real-world attempt at breaking into your system. The difference is that they're working for you and not as cyber criminals. That gives you a much better idea of risk, as opposed to a risk assessment, which is basically a paper exercise, and there's value there, don't get me wrong.
There's value in risk assessments. I did them for years. The challenge of the risk assessment is that a lot of the time people try to put a number to it and say, you know, oh, you have a five-out-of-ten risk, or they try to say medium, low or high, or stop lights, things like that.
And it's all just a guess; the numbers don't actually mean anything. A penetration test is far more on the ground. They can be expensive, and that makes it really difficult to continuously do them, even though there's quite a bit of value in having them done.
So that's a high-level view of penetration testing and risk assessments. There's a ton more on those topics, and I'm sure we'll probably have a v2 of this in the basics series, but that's the high level. Risk assessment: theoretical, here are the exposures,
what do you need to worry about. Penetration test: somebody actually banging on the door trying to get into your system, but they work for you, so it's a benefit. What do you think? Let me know, hit me up online as always at @marknca, in the comments down below for those of you on the blog, and as always for our podcast listeners as well as anybody else.
You can shoot me an email at me@markn.ca. How do you handle risk assessments? Do you do risk assessments? Do you go formal? Do you go informal? What about penetration testing? Do you do what I think most people do, and really box that in so that they don't have free rein?
Let me know. I hope you are set up for a fantastic day. I will talk to you online and I will see you on the show tomorrow.