
How do you test a company’s cybersecurity?

Continuously testing a company’s cybersecurity is essential to ensuring business continuity and preventing a cyber-attack from causing significant damage.

In February 2024, Change Healthcare, a claims-processing platform used by most pharmacies and health systems in the United States to bill prescription drugs to health insurers, suffered a cyberattack. Its systems were taken offline to contain the attack, and the resulting outage lasted for days, causing:

  • Paralysis of thousands of pharmacies and hospitals.
  • Improvised manual and offline processes for dispensing drugs.
  • Delays of up to a week in supplying prescribed drugs to patients.
  • Patients who needed drugs urgently paying for them out of pocket, at high cost in some cases.

This serious security incident, which hit UnitedHealth Group, the largest company in the U.S. healthcare sector and owner of Change Healthcare, shows how important it is to test a company’s cybersecurity in order to:

  • Protect business continuity and ensure that business processes keep running.
  • Avoid regulatory breaches involving personal data, which lead to heavy financial penalties and damage a company’s reputation in proportion to the impact.

In this article, we will explore what measures can be implemented to test a company’s cybersecurity. We will also dwell on the role of cybersecurity services, the possibility of automating tests, and why it is critical to train and raise awareness among all professionals in an organization to prevent attacks and respond to them effectively.

What basic measures should be implemented to protect business processes?

Before putting a company’s cybersecurity to the test, a baseline of basic measures must already be in place on which an efficient cybersecurity strategy can be built:

  •  At the technological level:
    • Authorization and the principle of least privilege.
    • Encryption of communications, including internal ones.
    • Logging of activities, retained and protected so the logs are still available during an incident.
    • User password policies based on length and screening against known-breached passwords; mandatory periodic rotation is no longer recommended by NIST SP 800-63B unless compromise is suspected.
    • SSO (Single Sign-On), so that access can be granted and revoked centrally.
    • Multi-factor authentication, preferably phishing-resistant (FIDO2/WebAuthn) for privileged and remote access.
  • At the business level:
    • Follow an appropriate risk analysis methodology.
    • Identify the critical business assets and the intangibles (data, reputation, intellectual property) to be protected.
    • Determine the organization’s Internet exposure so that the attack surface can be managed appropriately.

What actions can be taken to test a company’s cybersecurity?

Today, companies can turn to a variety of specialized cybersecurity services to put their security to the test:

  • Perimeter asset identification and OSINT exercises to improve inventory control and manage the company’s exposure on the Internet.
  • Advanced intrusion testing (penetration testing):
    • External, to assess perimeter security and identify holes or flaws that could allow intrusion into internal networks.
    • Internal, to analyze the security of the internal infrastructure and identify holes or flaws that could allow a cybercriminal to take control of core corporate systems.
  • Application security review to assess the security of web applications, mobile apps, APIs, and web services against a recognized methodology for each type of asset, usually the OWASP testing guides. These reviews should cover both the source code and the running application.
  • Red Team exercises to assess a company’s detection and response capabilities and its resilience against a realistic adversary.
  • Security evaluation of wireless networks (WiFi) and intrusion tests that simulate cyber-attacks launched from this type of network.
  • Controlled denial of service tests to analyze a company’s ability to absorb and contain this type of attack.
  • Intrusion testing of cloud environments to evaluate the security of cloud infrastructures (Azure, Google Cloud Platform, AWS).
  • Discovery of attack paths in Active Directory (on-premises and cloud identity) through adversary simulation exercises.
  • Social engineering campaigns (phishing, vishing, smishing) to assess the technical defences against these attacks, the maturity of employees, and the incident management support behind them, while also raising awareness.

How can a small business check its level of security?

43% of cyber-attacks target SMEs, taking advantage of security levels that are generally lower than those of large companies. It is therefore crucial for small and medium-sized companies to be able to measure their security level and increase their defensive capabilities. How?

  1. Detecting and correcting vulnerabilities in their technology estate, both external and internal, using vulnerability assessment and penetration testing services.
  2. Visibility exercises from an employee’s perspective (internal network, WiFi access, VPN, etc.) to check the robustness of access controls and of the privileges granted, which is essential with the shift to hybrid and remote work.
  3. Checking that employees’ mobile devices and laptops are hardened and have adequate endpoint protection.
  4. Checking the security of communications with third parties and the privileges granted to them, since these links can become an entry path for malware or worms.
  5. Identifying and improving resilience to attacks, for which Red Team exercises can be carried out.

Is it possible to test a company’s cybersecurity automatically?

Today, some tools can run automatic scans and detect known vulnerabilities, and they are effective at that. However, their use must be complemented with manual testing to perform a complete security review and identify flaws that automated tools do not recognize, such as business-logic errors, authorization gaps between users, and chains of individually low-severity issues.

In addition, cybersecurity experts need to review the scan results to:

  • Determine whether the vulnerabilities discovered are actually relevant in the company’s context.
  • Filter out false positives and look for false negatives.
  • Provide intelligence by identifying quick wins and other indicators.
  • Order and consistently prioritize vulnerabilities to facilitate subsequent remediation plans.
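The triage the previous list describes, deduplication, separation of doubtful findings for manual verification, prioritization by business context and quick-win detection, is shown below as an added example; it is not code from the original article or from any scanner vendor. The finding schema, the asset criticality table, the Internet-facing list, the quick-fix categories and the scoring weights are all assumptions chosen for illustration, and the findings are constructed, not real scan output.

```python
"""Expert triage of automated scanner output (added example).

Steps: dedupe repeated findings, set low-confidence findings aside for manual
verification instead of silently dropping them, rank the rest by severity x
asset criticality x exploitability x exposure, and surface quick wins.
"""
from collections import OrderedDict

# Constructed sample findings mimicking a network scanner export (not real).
SAMPLE_FINDINGS = [
    {"host": "web01.example.test", "service": "https/443", "plugin": "ssl-weak-cipher",
     "cvss": 5.3, "exploit_public": False, "confidence": "high"},
    {"host": "web01.example.test", "service": "https/443", "plugin": "ssl-weak-cipher",
     "cvss": 5.3, "exploit_public": False, "confidence": "high"},   # duplicate
    {"host": "db01.example.test", "service": "db/5432", "plugin": "outdated-db-version",
     "cvss": 9.8, "exploit_public": True, "confidence": "high"},
    {"host": "printer.example.test", "service": "http/80", "plugin": "outdated-db-version",
     "cvss": 9.8, "exploit_public": True, "confidence": "low"},     # likely false positive
    {"host": "vpn.example.test", "service": "ssh/22", "plugin": "default-credentials",
     "cvss": 7.5, "exploit_public": True, "confidence": "high"},
]

# Assumed business context that the scanner does not know about.
ASSET_CRITICALITY = {"db01.example.test": 3, "vpn.example.test": 3,
                     "web01.example.test": 2}          # 1 (lowest) .. 3 (crown jewels)
INTERNET_FACING = {"vpn.example.test", "web01.example.test"}
QUICK_FIX = {"default-credentials", "ssl-weak-cipher"}   # configuration-level fixes


def dedupe(findings):
    """Keep the first occurrence of each (host, service, plugin) triple."""
    seen = OrderedDict()
    for f in findings:
        seen.setdefault((f["host"], f["service"], f["plugin"]), f)
    return list(seen.values())


def partition(findings):
    """Split confirmed findings from those an analyst must verify by hand."""
    confirmed, verify = [], []
    for f in findings:
        (verify if f["confidence"] == "low" else confirmed).append(f)
    return confirmed, verify


def score(f):
    """Assumed weighting: CVSS scaled by asset criticality, plus bonuses for a
    public exploit and for Internet exposure. Unknown assets default to 1."""
    crit = ASSET_CRITICALITY.get(f["host"], 1)
    s = f["cvss"] * crit
    if f["exploit_public"]:
        s += 3.0
    if f["host"] in INTERNET_FACING:
        s += 2.0
    return round(s, 1)


def triage(findings):
    unique = dedupe(findings)
    confirmed, verify = partition(unique)
    ranked = sorted(confirmed, key=score, reverse=True)
    quick_wins = [f for f in ranked if f["plugin"] in QUICK_FIX]
    return {"ranked": ranked, "verify": verify, "quick_wins": quick_wins}


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    print("Remediation order:")
    for f in result["ranked"]:
        print(f"  {score(f):5.1f}  {f['host']:<22} {f['plugin']}")
    print("Quick wins:", [f["plugin"] for f in result["quick_wins"]])
    print("Needs manual verification:", [f["host"] for f in result["verify"]])
```

The point of the separate verify list is that a 9.8 CVSS hit on a printer reported with low confidence is neither trusted nor discarded: it is handed to a person, which is exactly the review step the paragraph argues for.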

In recent years, other tools have been developed to evaluate the security of application code statically (SAST) and dynamically (DAST), supporting security improvement throughout the development lifecycle. These tools automate tasks that speed up identification and make it possible to map findings to analysis and compliance methodologies. However, their results require subsequent management and analysis to be useful. They should also be accompanied by learning processes in secure development and by developer training.

Finally, an increasing number of tools allow specific attack simulation processes to be automated. They are helpful for running exercises at scale once threat mitigation and vulnerability remediation processes are mature. However, they must be operated by experts who know how to make the most of their capabilities and who are familiar with:

  • The context of the technological infrastructures to be assessed.
  • The priorities of the organization.
  • The exercises that make sense at any given time, agreed with other technical support areas, such as the Blue Team.

What role do people play in a company’s cybersecurity?

People, technology, and procedures must all be sufficiently resourced and optimized to carry out the security practice. People are key both in decision-making and in operating the available technology according to the established procedures.

In this sense, it is essential to establish a cybersecurity culture in the organization. It is also necessary to take into account all the processes linked to corporate identity, reviewing and managing them efficiently to avoid:

  • The loss or theft of credentials.
  • User impersonation.

What specific measures can be implemented to achieve this?

  • Training and awareness activities that help professionals identify risks and ensure they are duly reported.
  • Protocols for sharing information on possible security incidents so that reports reach the technical team that manages them.

How to respond to an attack against a company?

Some attacks will put a company’s cybersecurity to the test every day. This is why, even with appropriate measures in place to prevent attacks and mitigate vulnerabilities, it is critical to have effective incident response mechanisms:

  • Detect and proactively respond to malicious activity on company assets, for which Threat Hunting services can be used.
  • In the event of a security incident, have a service capable of helping the company return to normal operation. This can be achieved by contracting an Incident Response service.
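As an added example of the proactive detection the first point refers to (not code from the original article or from any vendor), the block below runs two simple hunts over SSH authentication logs: a source address that fails against many different accounts in a short window (password spraying), and a successful login from an address that had already failed several times (a spray that found a weak password). The log lines are constructed for the example in OpenSSH’s syslog format; the thresholds and the ten-minute window are assumptions to be tuned against real traffic.

```python
"""Two threat-hunting queries over sshd authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in OpenSSH's syslog format; not real traffic.
SAMPLE_LOG = """\
Mar  1 08:00:01 bastion sshd[2101]: Failed password for alice from 198.51.100.23 port 50110 ssh2
Mar  1 08:00:04 bastion sshd[2102]: Failed password for bob from 198.51.100.23 port 50112 ssh2
Mar  1 08:00:07 bastion sshd[2103]: Failed password for invalid user carol from 198.51.100.23 port 50114 ssh2
Mar  1 08:00:11 bastion sshd[2104]: Failed password for dave from 198.51.100.23 port 50116 ssh2
Mar  1 08:00:15 bastion sshd[2105]: Failed password for erin from 198.51.100.23 port 50118 ssh2
Mar  1 08:00:19 bastion sshd[2106]: Failed password for frank from 198.51.100.23 port 50120 ssh2
Mar  1 08:00:23 bastion sshd[2107]: Accepted password for frank from 198.51.100.23 port 50122 ssh2
Mar  1 08:05:40 bastion sshd[2150]: Failed password for alice from 203.0.113.9 port 41000 ssh2
Mar  1 08:05:48 bastion sshd[2151]: Accepted password for alice from 203.0.113.9 port 41002 ssh2
Mar  1 09:12:02 bastion sshd[2300]: Accepted publickey for ops from 192.0.2.4 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log):
    """Turn matching sshd lines into events; unrelated lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; normalize the double space in "Mar  1"
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                       "ok": m["outcome"] == "Accepted"})
    return events


def find_sprays(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs that failed against >= min_users distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):   # slide the window over each failure
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def find_success_after_failures(events, min_failures=3):
    """(ip, user) pairs where a login succeeded after the IP had already failed
    at least min_failures times: the classic sign that a spray or brute force worked."""
    failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if failures[e["ip"]] >= min_failures:
                hits.append((e["ip"], e["user"]))
        else:
            failures[e["ip"]] += 1
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("Password spraying sources:", find_sprays(ev))
    print("Successful logins after repeated failures:", find_success_after_failures(ev))
```

The second hunt is the one that turns a noisy alert into an incident: a spraying source that never succeeds is a block-and-move-on event, whereas a success from the same address means the account `frank` in the sample must be treated as compromised and handed to incident response.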

In short, testing a company’s cybersecurity is a critical strategic activity that prevents a cyberattack from threatening business continuity, paralyzing the normal operation of the company, and causing far-reaching economic, reputational and legal consequences.