You may have heard a lot in the media and from your IT company about offensive security, and why you should be paying attention to it, and potentially finding a provider that can provide it! As with everything linked to IT these days, it’s sometimes difficult to know what’s hype and what is a genuine requirement for your business.
In this article, we hope to clear up any misconceptions on the subject and explain, in as few words as possible, what it is, why you might need it and how it’s going to benefit your business in the long run.
So, what is offensive security?
For as long as you have been using a computer, you have been aware of the term “hacker” and all the negative connotations that come with it. As with anything you want to keep secure, someone, somewhere, will always want to try to gain access to it, and so, over the years, it’s become more and more important to regularly test your metaphorical locks.
So, offensive security is quite simply the term for the process of trying to attack a system and gain access. You may have heard of Pen Testing, or Penetration Testing; for all intents and purposes, that term covers most of what offensive security means. Offensive security is the name given to a variety of methods used to try to attack and gain access to an IT system in order to test for and prove vulnerabilities.
Why do you need it?
The simple fact is this: unless you try to shake your gates as hard as you can, you’re unlikely to know if someone else stands a chance of getting through! Your system is only secure until it’s compromised, and no system on earth is impenetrable; it’s only a matter of time. There is absolutely no substitute for testing the limits of your network.
A good IT provider will, of course, put in place a stack of security products, such as OpenDNS, Web Filtering, AV, Advanced Threat Protection, etc., but it’s not just a case of having these products in place and trusting that the rest of the work is done! True security is an art as much as it is a science; these technologies and products can fit together in a million different ways, and no one size fits all.
Therefore, you need an offensive security package, in one form or another, for your business, as a real-world test that can demonstrate that your whole security product stack fits well together and provides adequate defence against the latest network hacking methods.
Should you pay for it?
As the old phrase goes, and it’s especially true in IT, “you get what you pay for.” There are a host of online companies claiming to provide offensive security products that will try to hack your network and show you how to patch it up. However, exactly as explained above, there are so many products out there that the value lies not just in the product but mainly in the hands of the engineer using it.
The fact of the matter is, you can easily buy a $100 pen test, which sends you a report, ticks a few boxes and away you go. But this is a far cry from paying a reputable company that has spent years perfecting its craft to provide you with a package based upon real-world experience.
Our advice is always to seek a referral and look for qualifications. The best companies will try to understand your business first; they’ll be interested to know which parts of your operation might be the highest-risk areas, and which data is of key importance. If they build up this picture first (rather than taking a fire-and-forget approach), you are far more likely to be working with professionals who can not only try to ethically hack your network but, what’s more, work with you to stay on top of preventative measures, keeping you as far ahead of the real hackers as you can be.
How do I get it done?
There are a host of companies offering such services and many also reselling other companies’ services. Some good MSPs can offer this form of testing, some even include this in their monthly checks. But often, it’s an additional service for an additional cost.
The first step would be to speak to your in-house IT team or IT Managed Service Provider and just ask for an explanation of how they stay on top of security and test for vulnerabilities. Offensive Security should always be used in conjunction with other measures. It’s pointless just trying to hack a network when you’re not sure you’ve even put up the shields.
When you’re confident that some form of system is in place to keep on top of security products, such as open port checking, AV signature updates, server updates, etc., speak to a provider that ideally has a qualification in the field, such as OSCP or CEH, which are the two most recognised.
How do I know if it works?
Unfortunately, it’s one of those things, like marketing: you can’t be sure it works until you stop doing it, by which time it’s too late. Any IT company, however, that follows OSCP or CEH guidelines for its Offensive Security services has been tested far beyond any average hacker, so you can be safe in the knowledge that you’re taking every reasonable step to test that your network is secure.
It’s highly unlikely that not a single vulnerability will come to light after such a test, and this should be evidence enough that the service is of value. The bottom line is, your network and IT are being attacked daily, with 99% of the attacks bouncing off due to basic firewall policies. As these attacks become more advanced, your IT needs to follow suit.
As the old software developer quote goes:
“Just because you’ve counted all the trees doesn’t mean you’ve seen the forest.”
Always keep testing, because the hackers sure are.
About the Author:
This article was written by Yusuf Yeganeh, Founder and Managing Director of Microbyte - 24/7 Managed IT Service Provider and supplier of Virtual IT Directors.
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.