Sage Advice - Cybersecurity Blog

While it seems that today’s cybercriminals have a myriad of tricks and techniques at the ready to gain access to your network, the reality is that they are typically taking advantage of common vulnerabilities – such as unpatched software or default passwords – time and time again. That’s why establishing a regular process for finding those vulnerabilities that put you at risk is a critical part of your cybersecurity program.

In the world of cybersecurity, nothing is static. The cyber threat environment is dynamic and evolving. There are new vulnerabilities discovered on a daily basis. Attacks are getting more sophisticated – they’re getting more complex and flying under the radar of traditional detection technologies.

While everyone may be tired of hearing, it’s not if you’ll be breached, but when, it’s the reality of our current environment. Breaches are exploding in scale and scope, and with the availability of malware-as-a-service, it’s no longer just individual lone hackers trying to get in. It’s a thriving business. One that’s incredibly organized and highly profitable.

As such, part of your cybersecurity defense strategy should include assessing the strength of your defenses against hackers. How? Using penetration testing, where a trained “white-hat” hacker tries to exploit your network much like the bad guys do.

Like most criminals, hackers are opportunistic. For the same reason a thief is more likely to steal a car that has the keys in it or break into a house with unlocked doors, a hacker is looking for an easy way in… the path of least resistance. If it’s difficult – or takes a long time – there is a good chance they’ll get frustrated and move on. After all, it’s typically just business to them. They want to make the most money as quickly and as easily as possible. Here are three things you can do at your organization to slow down an attacker, and hopefully get them to move along without a breach.    

Data breaches are a part of our world. Cybersecurity is not something that can be bolted on anymore, it needs to be considered as part of your overall business strategy. You must protect your business because you want to continue to do business. And that means readying yourself to detect, respond to, and recover from a cyber-attack.    

When I ask information security professionals what keeps them up at night, many times they say, “What I don’t know.” It’s no surprise – with reports of breaches on an almost daily basis, it’s impossible to ignore that there are a lot of hackers out there trying to get into networks wherever they can, with tools and techniques that are constantly evolving.  As such it’s important to be diligent about assessing your overall security from the perspective of a hacker.  And the best way to do this is through a penetration test. 

I cringe each time I hear the oft repeated declarations that “every company will be compromised” and that “it isn’t a matter of if, but when.” These statements are the basis of the FUD-driven (fear, uncertainty and doubt) cyber-sales machine. What is closer to the truth is that Internet connected systems have a high probability of being subject to a targeted or opportunistic attack, inadvertent exposure, or malicious subversion. However, it is (and I stress) not inevitable that the attacker will be successful. Motivation, work factor, evasion capabilities, resiliency, and sometimes, luck all play a part. Threat modeling can be used to understand these factors and influence the outcome.