Why Is Pentesting Important to Your Business?
In today’s world, it is almost impossible to imagine a business without some type of connection to the Internet: a website, email, employee training, CRM (customer relationship management), CMS (content management system), etc. It simplifies and speeds up ordering, the search for new clients, record keeping and searching, and so on.
Some businesses use ready-made solutions, others hire professionals to create company-specific tools, and some choose to develop the software needed for their daily tasks on their own. With time, every business has its own website and e-mail, its first clients get entered into a database, and managers are able to track the company’s daily activities. Unfortunately, an overwhelming majority of businesses completely ignore the fact that every server, every website, and every email address is a potential target for hackers. The most frequent excuse is: our business is too small, who could possibly be interested in our data? Is it really so?
No. This kind of thinking is one of many mistakes that make the modern Internet more and more vulnerable. Modern “digital” criminals do not put much thought into whom they attack. They do not care if you have your own online store, a video blog about kittens or a hockey fans’ forum in the suburbs of South Florida.
The second popular excuse that many businesses use for ignoring their web vulnerability is: web security is too expensive! This is also an incorrect statement. The cost of pentesting starts from $99 at our company.
To show how vulnerable an Internet presence is, we installed a “honeypot” (a tracker that analyzes and tracks hacker activities) on our server on a newly created subdomain. Within 5 days, we recorded over 40 thousand scans from more than 30 countries. Approximately one third of all those scans were attempting infiltration. Let me remind you that the address we used was newly created and had never been published!
Let’s take a look at examples of how a hacker attack can happen and what impact it may have on your business. We will also touch on what actions you should take to prevent the attack or at least minimize your exposure, including legal consequences (yes, a hacker attack can lead to legal issues for you and your business).
Company A created a “business card” website containing information about the company and a feedback form. They developed this site on their own, without the involvement of web designers. As a result, a data validation error was made: the site sent a confirmation to the entered e-mail address with the following message: “Mr. / Mrs. X, thank you for your message ‘here was the quoted text’”. Hackers were using this message form to send out links to sites with malicious content, utilizing addresses from the spam list as senders. The domain was blocked as a spam mailer, and it took several days to unblock it and remove it from the spam lists of large mail servers.
The problem was identified by our experts using automated testing for $99, which included detailed troubleshooting.
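The Company A flaw described above, as an added Python example that is not from the original article: the first function composes the confirmation the way the text describes, and the second is one hardened form. The field names, the address pattern and the per-address limit (a plain dictionary here) are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Constructed sample submission: a third-party address plus a link in the text.
SAMPLE = {"name": "X", "email": "victim@example.org",
          "message": "Your invoice: http://malicious.example/pay"}

# Assumed address pattern; fullmatch() also rejects CR/LF and other header tricks.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def confirmation_as_described(form):
    """Flawed behaviour from the text: submitted text is quoted back to the entered address."""
    msg = EmailMessage()
    msg["To"] = form["email"]
    msg["Subject"] = "Thank you"
    msg.set_content(f"Mr. / Mrs. {form['name']}, thank you for your "
                    f"message '{form['message']}'")
    return msg

def confirmation_hardened(form, sent_counts, limit=1):
    """Fixed-text confirmation; returns None when the request is refused."""
    addr = form.get("email", "")
    if not ADDR_RE.fullmatch(addr):
        return None                      # malformed address or injected header
    key = addr.lower()
    if sent_counts.get(key, 0) >= limit:
        return None                      # this address was already mailed
    sent_counts[key] = sent_counts.get(key, 0) + 1
    msg = EmailMessage()
    msg["To"] = addr
    msg["Subject"] = "We received your message"
    # Nothing the submitter typed is copied into the outgoing mail.
    msg.set_content("Thank you for contacting us. We will reply to this address.")
    return msg

if __name__ == "__main__":
    counts = {}
    print(confirmation_as_described(SAMPLE).get_content())
    print(confirmation_hardened(SAMPLE, counts).get_content())
    print(confirmation_hardened(SAMPLE, counts))  # refused: limit reached
```

With the fixed body, the form can no longer carry a sender-chosen link to an arbitrary mailbox, which is what got the domain listed as a spam mailer.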
Company B ordered a website from a professional web design team, rented a server from an ISP and installed the site on it. Licensed software was installed to transfer the data. Later, a complaint was made about an inconsistent scan that was being carried out from this company’s server IP address. Company B’s website was immediately blocked. After pentesting, it was discovered that the ISP had failed to change the standard user name and password (admin / admin). Attackers were able to easily infiltrate the server and use Company B’s software for illegal activities.
After the server was stripped and reset, the provider allowed further use of the website. The cost was $349.
Company C developed an ordering system for customers to upload data. While creating an access point, a technical error was made which allowed hackers to steal all the data of all their clients using SQL injection. As a result, Company C was put out of business for a week, and financial losses amounted to tens of thousands of dollars. The aforementioned technical error was discovered by our company. The cost of the pentest was $2,500.
These are just a few examples. There are dozens, if not hundreds, of attack options. As you can see from these examples, it would have cost these companies a lot less to prevent a hacker attack than to deal with the consequences of being hacked.
Ask the experts what to do to avoid unpleasant situations. And remember that, unfortunately, invulnerable systems do not exist.