Most people are unaware that there are two complementary approaches to securing information. Traditionally, companies have relied on defensive security measures such as firewalls, anti-virus and system patching.
In today's connected world that strategy alone no longer provides the protection a business needs against an ever-increasing cyber security threat. The term 'offensive security' was popularised by Mati Aharoni of Offensive Security and rests on a simple premise: for networks and systems to be secure, the defensive measures protecting them must be tested on a regular basis.
Offensive security testing takes an attacker's point of view of the system and/or network under test, and is conducted within a legal contract framework that defines scope, authorisation and rules of engagement.
This type of security testing is not often undertaken because its benefit is intangible: it is seen as a cost to the business rather than as a means to reduce risk and prevent reputational damage. Consider the analogy of a fire alarm system. The alarm is installed by a qualified fire alarm technician, and on a regular basis a different technician comes to check the sensors and confirm that they are working correctly. In the IT world, by contrast, it is common for the IT department or service provider to configure systems and their defensive security under deadline pressure, and for nobody independent of that work to ever check it. That leaves security gaps which can potentially be exploited.
Additionally, defensive security does not take account of human factors such as poor passwords, password reuse and insecure configurations, to name a few. Here is a question to ask your IT department: "How many databases are we running within our business?"
If you get a slightly puzzled look, or an "I will get back to you later" response, from your IT department, then you should consider reviewing your IT security strategy, as databases often hold information vital to the business. The time between a database security patch being released and it being applied can be anywhere from nine months to two years, leaving a large window of exposure.
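One practical way to answer the "how many databases" question is to compare what is actually listening on each host against the asset register. The script below is an added illustration, not code from the original article; it parses a constructed `ss -tlnp`-style listing (the hosts, PIDs and the asset register are assumed sample data) and reports every database listener, whether it is registered, and whether it is bound beyond loopback. In practice you would run the listing on each host and feed the real output in; the port-to-product map is a heuristic, since databases are often moved off their default ports.

```python
"""Find database listeners that are missing from the asset register.

Added example: the listing below is constructed to look like `ss -tlnp`
output and the asset register is an assumed set of (host, port) pairs.
"""
import re

# Constructed sample output; hosts and PIDs are not real.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
LISTEN 0      244    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1410,fd=5))
LISTEN 0      128    0.0.0.0:27017       0.0.0.0:*         users:(("mongod",pid=1777,fd=11))
LISTEN 0      128    *:6379              *:*               users:(("redis-server",pid=1890,fd=6))
"""

# Heuristic map of default ports to products; non-default ports will be missed.
DB_PORTS = {
    1433: "MSSQL",
    1521: "Oracle",
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    6379: "Redis",
    9200: "Elasticsearch",
    27017: "MongoDB",
}

# Assumed asset register: only the MySQL instance on this host is documented.
KNOWN_DATABASES = {("db-web01", 3306)}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_text):
    """Return a list of {addr, port, process} dicts for each LISTEN row."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        # Split on the last ':' so IPv6 addresses such as [::]:3306 survive.
        addr, _, port = fields[3].rpartition(":")
        match = re.search(r'\("([^"]+)"', line)  # process name inside users:(("name",...))
        listeners.append({
            "addr": addr,
            "port": int(port),
            "process": match.group(1) if match else "unknown",
        })
    return listeners


def audit_databases(host, listeners, register):
    """Flag database listeners, noting registration status and network exposure."""
    findings = []
    for entry in listeners:
        product = DB_PORTS.get(entry["port"])
        if product is None:
            continue  # not a known database port
        findings.append({
            "host": host,
            "port": entry["port"],
            "product": product,
            "process": entry["process"],
            "registered": (host, entry["port"]) in register,
            "network_exposed": entry["addr"] not in LOOPBACK,
        })
    return findings


def unregistered(findings):
    """Return the subset of findings that are absent from the asset register."""
    return [f for f in findings if not f["registered"]]


if __name__ == "__main__":
    results = audit_databases("db-web01", parse_listeners(SS_OUTPUT), KNOWN_DATABASES)
    for f in results:
        status = "registered" if f["registered"] else "NOT IN REGISTER"
        exposure = "network-exposed" if f["network_exposed"] else "loopback only"
        print(f"{f['host']}:{f['port']} {f['product']} ({f['process']}) {status}, {exposure}")
```

Run on the sample data, this reports four database listeners on the host, three of which are absent from the register, and shows that the MongoDB and Redis instances are reachable from the network while PostgreSQL is loopback-only. Each unregistered instance is also an unpatched instance for as long as nobody knows it exists.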