Australian Security Magazine, Aug/Sept 2015

Page 18

Cyber Security

The power of penetration testing in boosting cyber resilience

By Dave Jarvis National Practice Lead, UXC Saltbush

It seems that every week there is another zero day exploit doing the rounds. Software patching and updates are becoming increasingly frequent, and the rise of mobility is further expanding the business world’s cyber attack surface. Traditional defences can no longer provide the protection needed. Organisations need to become resilient to adapt to these new and emerging threats.

Cyber security resilience involves more than just the prevention of, or response to, a specific attack. It also takes into account the ability to operate during, and to adapt or recover from, such an event. This goal requires cyber risk management, and not one, but many cyber security measures. Traditionally, companies have focused on protection against specific cyber attacks. In today’s digital environment, however, a resilience-based approach to threats is more effective for organisations wanting to adapt to change, reduce exposure to risk, and learn from incidents when they occur.

Due to the growing interconnectedness that comes with new and emerging business technology, improving the resilience of one organisation can be a small step in improving the cyber resilience of all. The same goes for the disparate departments and operations within a single business. Once a unified, company-wide approach to security is established, there will be fewer points of vulnerability to exploit. According to CERT Australia, the government’s national computer emergency response team, modern organisations must layer security defences for their IT systems to reduce the chance of a successful cyber attack.*

* Australian Cyber Crime & Security Survey Report, CERT, 2013.

16 | Australian Security Magazine

While the installation of traditional security software, including a firewall, anti-virus, and anti-spyware, remains an essential first step to cyber security, these safeguards alone are no longer enough to adequately protect an organisation from potential threats. Instead, businesses should manage risk with multiple defensive strategies, so that if one layer of defence turns out to be inadequate, another layer can step in to help prevent a full breach. This is known as ‘defence-in-depth’. The multiple defence mechanisms layered across an organisation’s network infrastructure can protect data, networks, and users. A well-designed and implemented defence-in-depth strategy can help system administrators identify internal and external attacks on a computer system or network.

Building organisational resilience to cyber security incidents also requires constant awareness and action. For an organisation to be prepared before an incident occurs, cyber security needs to be part of its risk management, resilience structures, and planning, and staff need to be trained to use good cyber security practices as part of their daily work.

Steps on the path to cyber resilience

There are many ways to protect an organisation’s networks and confidential data at multiple levels. For starters, businesses should make sure they keep their software patches up-to-date and use versions of software that are still supported by such updates. This should include all operating systems and applications, as well as email, database, and
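The patching advice above has two separate checks hidden in it: is the installed version behind the vendor's latest fixed release, and is the product still inside its vendor support window at all. The following Python script is an added illustration of that review, not code from the article or from UXC Saltbush; the hosts, product names, versions and end-of-support dates in the inventory are constructed for the example.

```python
from datetime import date

# Constructed sample inventory; hosts, products, versions and dates are
# invented for this example and are not taken from the article.
INVENTORY = [
    {"host": "web01",  "product": "ExampleOS",     "installed": "7.2",    "latest": "7.3",    "eol": date(2016, 6, 30)},
    {"host": "db01",   "product": "ExampleDB",     "installed": "9.10.1", "latest": "9.10.1", "eol": date(2017, 12, 31)},
    {"host": "mail01", "product": "ExampleMail",   "installed": "4.0",    "latest": "4.0",    "eol": date(2015, 3, 31)},
    {"host": "ws07",   "product": "ExampleOffice", "installed": "2010.1", "latest": "2010.3", "eol": date(2014, 4, 8)},
]

# Date the review is run; fixed here so the example is reproducible.
REVIEW_DATE = date(2015, 9, 1)


def parse_version(text):
    """Turn '9.10.1' into (9, 10, 1) so comparison is numeric per component.
    Plain string comparison would wrongly rank '9.9' above '9.10'."""
    return tuple(int(part) for part in text.strip().split("."))


def version_behind(installed, latest):
    """True when the installed version is older than the latest patched one.
    Shorter tuples are padded with zeros so '7.2' compares equal to '7.2.0'."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(item, today):
    """Return the findings for one inventory entry.

    'unsupported' means the vendor no longer ships fixes, so the host can
    never be brought fully up to date; 'unpatched' means a newer fixed
    version exists and has not been installed. Both can apply at once.
    """
    findings = []
    if today > item["eol"]:
        findings.append("unsupported")
    if version_behind(item["installed"], item["latest"]):
        findings.append("unpatched")
    return findings


def review(inventory, today):
    """Map each host to its findings, listing only hosts that need action."""
    result = {}
    for item in inventory:
        findings = assess(item, today)
        if findings:
            result[item["host"]] = findings
    return result


if __name__ == "__main__":
    for host, findings in review(INVENTORY, REVIEW_DATE).items():
        print(f"{host}: {', '.join(findings)}")
```

The end-of-support check is the one most often missed: a host running the newest release of a product whose vendor has stopped issuing fixes reports as "current" to a naive version comparison, yet it will never receive a patch for the next zero day, which is why the script reports it as unsupported regardless of version.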
