Defining the scope of a penetration test is a delicate step. What will be the target of the pentest? More precisely, which functional and technical aspects should be tested in priority? Moreover, how deep and how often should a pentest be recommended?
Digital has become central for the health sector. It applies to all activities, from patient admissions to prescription management to monitoring the physical environment. In this context, cybersecurity risks have also become widespread. Conducting a security audit enables to concretely assess risks for each institution or company of the health sector.
Here is an overview of the cybersecurity challenges that we frequently encounter and that can be points of attention during a pentest. While data protection is a major issue, other risks related to hardware and IT infrastructure are also recurring points of concern.
Fintech companies are generally more exposed to risks and more mature than the average in terms of cybersecurity. The nature of their activities implies the need to take into account the risks of fraud and cyberattacks right from the design of a new product.
The pentest then confronts the security choices and protections in place with the real threat. Depending on the nature of the product (payment solution, credit platform, banking management, private equity, etc.), the business stakes will be different. However, here are a few details on the main risks and the most frequent pentest priorities according to our experience with fintech companies.
Doing a pentest might be in your objectives… but it’s not the right time for now. This can be for various reasons: developments are in progress, or a migration is planned, or you don’t have a budget yet…
Considering the different priorities that must be respected, when is a good moment to do a penetration test?
We are going to see together different situations in which the question arises and we’ll give you the keys to choose if it is the right moment to run a pen test.
Currently, since March 2018, SSL/TLS certificates (more commonly called HTTPS certificate) can have a maximum lifetime of 825 days.
But in March 2020, Apple announced that they only will allow SSL/TLS certificates on Safari that have a maximum validity of 398 days (13 months). And Google will follow this path (announced by the chair emeritus of CA/B Forum on Twitter in June 2020).
In July, Mozilla has confirmed it will reduce certificate lifespans too.
There are several types of IT security audits: organizational audits, technical audits and penetration testing.
All these variants are complementary and enable to analyze optimally an organization’s level of security. In this article, we will voluntarily leave aside the organizational audits in order to focus on the technical aspects of security audits.
Cybersecurity Issues for Businesses in 2020
The current trend is to strengthen the security requirements for customers, partners and investors. Security audits have been democratised to small and medium-sized companies, for whom they represent a prerequisite to be able to collaborate on IT issues with large companies. In fact, large accounts almost systematically integrate requests for security audit reports into their purchasing processes. The introduction of the GDPR 2 years ago also enabled companies to become aware of data security issues in business sectors where risk awareness was previously low. Security certifications (ISO 27001, HDS, PCI-DSS, SOC2, etc.) are increasingly popular among small and medium-sized companies, as a way of differentiating themselves and making security a quality issue.
Conducting a security audit has a cost. When companies are asked about the budget they devoted it, we often hear “between €10k and €20k”, sometimes a little more, sometimes a little less. However, there isn’t really a standard price for this type of service: it all depends on what is done, how, and by whom. If the main objective is to be able to show that a pentest has been done less than 6 months ago, it is possible to make concessions to respect an extremely limited budget.
Abraham Lincoln (repeating a woodsman) would have answered the question: what would you do if you had just six hours to chop down a tree? I would spend the first four hours sharpening my axe.
What does it tell us? That preparation is key.
You cannot protect what you don’t know, therefore knowing your attack surface is the first essential step to protect it efficiently.
Once you have decided to go for a pentest, you may wonder if it should target your production environment.
Depending on the risks, it can be appropriate to pentest either a production environment or a test environment. Below is a summary of the pros and cons for each alternative.