Thou Shalt Test Yourself


The 10 Commandments of IT Security

IT Security Commandment #8: Thou Shalt Test Yourself

There is a famous Peter Drucker quote that is used frequently in business circles: “That which gets measured, gets managed.”

Drucker would appreciate our 8th Commandment of IT Security because this commandment is about testing yourself and testing your organization regularly to better understand your current IT security posture and identify potential weaknesses or vulnerabilities. Thou shalt test yourself, lest you open your network up to potential exploitation.

Ongoing IT Security Testing Protocols Are Highly Recommended

Here are several ongoing IT security testing protocols we highly recommend:

Vulnerability Scans. This is the process of finding, reviewing, and recording or reporting on any potential security vulnerabilities that may be present. These scans are typically conducted both inside and outside the network. Vulnerability scans review firewalls, applications, and network devices of all sorts, comparing what is found against a list of known gaps or weaknesses. For example, a firewall may be in place, but its security features may have been disabled for some reason. Once issues like this are identified, preventative action is taken.

Penetration Testing. This is a step beyond vulnerability scans. The test is more “real world” in that the testing organization poses as an attacker initiating an active threat while attempting to gain access to the network. It is a highly beneficial measurement tool because it gives an organization ways to identify, mitigate, and respond to cyberattacks. There are three types (or levels) of penetration testing: Black Box, where the tester has zero knowledge of the tested organization; Grey Box, where the tester has partial knowledge; and White Box, where the tester has complete knowledge. In many organizations, this type of testing is required annually. Each type can test everything from a social engineering threat to a brute force network attack.

Disaster Recovery Testing. This is an important element in an organization’s Business Continuity Plan. At its core, it is about doing consistent testing of key parts of the continuity plan and, at times, actually role playing a real disaster (natural or breach) and challenging whether the plan’s tactical details make sense and actually work.

Our recommendation is to keep all the commandments of IT Security, including this one: Thou Shalt Test Yourself. Managing and testing your IT security protocols and posture drastically reduces the potential devastation that can occur from a real disaster. Reach out to us here at IT Radix and we can help.