Vulnerability Scanning Vs. Penetration Testing

6 December, 2016

Vulnerability scanning and penetration testing (or pen testing) are often used interchangeably in the field of IT security. Though these security activities are related, there are key differences in the purpose for which each is carried out. A clear understanding of both is essential for IT professionals to use the available resources judiciously.

Given below is a detailed description of vulnerability scanning and penetration testing:

Vulnerability Scanning

Vulnerability scanning refers to an in-depth, automated scan of computer systems to identify potential security flaws. It allows organizations to evaluate the state of their IT security controls, detect weaknesses and single out the ones that could be exploited by cybercriminals. The scan also produces a detailed report stating the steps required to mitigate or reduce the identified security threats.

A vulnerability scanning process mainly involves the following steps:

  • Creating a list of the valued assets and resources in a computer system
  • Determining the importance and confidentiality of all the resources
  • Identifying the vulnerabilities, where they are located, and categorizing them according to their risk of being exploited
  • Eliminating the potential vulnerabilities for the most important files and data

Penetration Testing

Penetration testing involves simulating a cyber-attack to penetrate the corporate network and gain access to the sensitive data. Its main purpose is to determine if any malicious activity is possible and the way it can be carried out by the hackers. The IT security experts conduct a complete scan of the corporate network and attempt to exploit any of the identified vulnerabilities. Subsequently, a detailed report is provided stating what resources were accessed without permission, vulnerabilities that were exploited and how they can be fixed.

Essentially, penetration testing can be of two types, white box and black box. The former one involves the use of pre-disclosed information about the target company’s resources and network vulnerabilities. Black box testing, on the other hand, is performed with little or no knowledge of the security flaws in the target systems.

Though vulnerability scanning and penetration testing serve different objectives, both should be performed to improve an organization’s overall IT security. Vulnerability scans should be carried out monthly and may take less than an hour to complete. Penetration tests are recommended annually and may take a few weeks, depending on their scope.

For more information on the importance of vulnerability scanning and penetration testing for your organization, feel free to contact Centex Technologies at (855) 375 – 9654.


The Most Common Mistakes People Make Online

29 November, 2016

A lot of people spend hours on the internet every day. From sending emails, playing games and shopping to social networking and many other tasks, the internet has become the lifeblood of people of all age groups. However, despite the extensive upsurge in internet usage, users tend to make a lot of mistakes which can ultimately sabotage their web browsing experience. This may show up as a slower internet connection or as a computer system infected with malware.

Given below are some of the most common mistakes people make online:

Browsing On Public Wi-Fi

Though browsing on free public internet hotspots seems convenient, security is a major issue that comes along with it. These networks do not use encryption, and any information sent or received over them can be illegitimately stolen by hackers. Therefore, online banking accounts, shopping websites, official emails etc. should never be accessed on public Wi-Fi networks.

Delaying Browser Updates

When it comes to online security, hackers are not confined to phishing techniques and malicious websites. You can be a potential victim of an online attack if you have not updated your internet browser or other applications to the latest version. Though Google Chrome manages automatic updates in the background, other browsers may prompt you to download and install the patch. Make sure you do not delay these updates, as they help to enhance the browsing experience and fix any bugs present in the previous version.

Oversharing On Social Media

Sharing too much personal information on social networking websites is also a common mistake made by many people. Your email, home address, phone number, social security number, vacation plans, current location etc. may be used by hackers for social engineering purposes. This information may also be used to gain access to your other online accounts.

Ignoring SSL Certificate Warnings

While browsing the internet, a dialog box often pops up stating ‘Your connection is not private’. Unfortunately, less than half of users heed this warning; the rest continue on to the website. By doing so, you are putting your sensitive information at risk of being leaked to cybercriminals. Websites that use an SSL certificate encrypt all the information so that it cannot be decoded by anyone except the specified receiver.

Centex Technologies is a leading IT consulting firm providing comprehensive solutions to the businesses in Central Texas. For more information and tips on online security, you can call us at (855) 375 – 9654.


Debunking Myths About SSL And HTTPS

21 November, 2016

HTTPS (Hyper Text Transfer Protocol Secure) and SSL (Secure Sockets Layer) certificates provide an effective means to keep your information secure over the internet. However, many enterprises still rely on the public cloud and other insecure web applications. This is mainly because of common misconceptions about the management, cost, usability and benefits of these network security protocols. It is important to debunk the myths about SSL certificates and HTTPS so that organizations can secure their online resources.

MYTH: SSL Certificates Are Expensive
FACT: This is one of the major reasons why many entrepreneurs avoid getting an SSL certificate for their website. However, if you research thoroughly, there are many low-cost SSL certificate providers on the internet. Consider your requirements in terms of features and mobile compatibility to get the right SSL certificate.

MYTH: HTTPS Slows Down A Website
FACT: HTTPS does not have any visible impact on the load time of the website. Though the connection with the server may take some time due to the data encryption process, it can be resolved by upgrading the processor.

MYTH: HTTPS Is Required Only For The Login Pages
FACT: Another common myth is that HTTPS is required for the website’s login or home page only. In actual fact, if you do not secure other pages of your website, you are actually increasing the likelihood of session hijacking, particularly if the users are connected to an open Wi-Fi network. Any information shared by the users can be easily viewed, accessed and manipulated by the hackers.

MYTH: HTTPS Websites Involve No Content Caching
FACT: Many people claim that websites using HTTPS cannot be cached by web browsers. However, by setting the appropriate response headers, you can instruct the browser to cache the content of your website. The response headers honored may differ from one web browser to another.

MYTH: SSL Will Not Affect Your Website’s SEO
FACT: In an attempt to improve online security, Google officially announced that websites using HTTPS will be ranked higher in results pages. This has encouraged most webmasters to switch from HTTP to HTTPS to avoid a negative impact on their website’s ranking. Also, users are more likely to visit websites that are encrypted, particularly if they are required to enter sensitive information such as username, password, credit card details etc.

For more information about the importance of SSL and HTTPS for websites, feel free to contact Centex Technologies at (855) 375 – 9654.


What Are Whaling Attacks And How To Prevent Them?

14 November, 2016

A whaling attack is a targeted type of phishing attempt to extract important information from high-profile users, most commonly corporate executives, celebrities and political leaders. Just like phishing emails, these attacks involve sending fake emails that claim to be from a legitimate source. The difference is that the content of a whaling email is written in a more professional manner and is generally framed as a legal notice, company issue or customer complaint.

Given below are some of the key attributes of a whaling attack:

  • Involves extensive research about the target: The success of a whaling attack largely depends upon gaining the trust of the target user. If the recipient has any doubt about the authenticity of the email, he will not take the desired action. To avoid this, hackers carry out extensive research to gather as much information as possible about the target victim. They browse through his social media profiles, company information and other online sources so that a legitimate-looking email can be crafted.
  • Uses A Compromised Account Or Fake Domain: The hackers generally attempt to compromise the email account of one of the company’s higher-level executives. They may also register a fake domain name that looks similar to the official website of the company. This reduces the chance that the email will be perceived as suspicious.
  • No Use Of Links And Attachments: Unlike phishing attacks, whaling emails usually carry no attachments or embedded links. This ensures that the email passes easily through spam and phishing filters. It also means users do not hesitate to open the email, since nothing about it suggests it is malware laden.

Tips To Prevent Whaling Attacks

  • The senior management, high-level employees and finance teams should be educated about whaling techniques and how to identify spoofed emails. They should also be kept up to date on the common characteristics of a whaling email, such as fake sender names, hoaxed URLs, wire transfer requests etc.
  • Utilize an email filtering system. Whaling emails are crafted to look like they have come from someone within the organization. Flagging emails that were not sent from the company’s corporate network is a good way to identify whaling attacks.
  • Establish a face-to-face or phone verification process for emails that request a money transfer.
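One way to apply the filtering tip above, as an added example that is not part of the original post: a small Python screen that flags a message whose From address is outside the company domain, uses a lookalike domain, borrows an executive's display name, or requests a money transfer. COMPANY_DOMAIN, EXECUTIVES and the sample message are constructed assumptions, not values from any real deployment.

```python
"""Heuristic screen for whaling-style emails: a constructed example, not a
product or library. COMPANY_DOMAIN and EXECUTIVES are assumed values."""
from email import message_from_string
from email.utils import parseaddr
import difflib

COMPANY_DOMAIN = "example.com"                      # assumption: our own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: staff directory
MONEY_WORDS = ("wire transfer", "wire the funds", "urgent payment")

def lookalike(domain: str, trusted: str = COMPANY_DOMAIN) -> bool:
    """True if domain closely resembles, but is not, the trusted domain."""
    if domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.8

def body_text(msg) -> str:
    """Collect the text/plain parts of a message as one lower-cased string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True).decode("utf-8", "replace")
              for p in parts if p.get_content_type() == "text/plain"]
    return "\n".join(chunks).lower()

def screen_email(raw: str) -> list:
    """Return the reasons a raw RFC 822 message looks like a whaling attempt."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain != COMPANY_DOMAIN:            # looks internal but is not
        findings.append(f"external sender domain: {domain}")
        if lookalike(domain):
            findings.append(f"lookalike of {COMPANY_DOMAIN}: {domain}")
        known = EXECUTIVES.get(name.strip().lower())
        if known and known != addr.lower():
            findings.append(f"display name impersonates {known}")
    text = msg.get("Subject", "").lower() + "\n" + body_text(msg)
    hits = [w for w in MONEY_WORDS if w in text]
    if hits:
        findings.append("money transfer request: " + ", ".join(hits))
    return findings

# Constructed sample: lookalike domain (digit 1 for letter l), no links.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent payment

Please process the wire transfer to the new vendor today; confirm by email.
"""
```

Run screen_email(SAMPLE) to see the four findings; a genuine internal message from jane.doe@example.com with an ordinary subject produces none.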

We, at Centex Technologies, can help to improve your company’s IT security. For more information, you can call us at (855) 375 – 9654.


Hybrid Cloud Security: Key Considerations

5 November, 2016

Businesses looking to switch to cloud technology often find hybrid cloud to be one of the most flexible and efficient options. Incorporating the benefits of both public and private cloud, it allows a smooth combination of in-house IT resources with a public deployment model. However, just like the other two cloud computing models, hybrid cloud has its own share of security risks. It is important to overcome these challenges to ensure a successful implementation of the technology.

Here are some of the key security risks to be considered while choosing hybrid cloud for your organization:

IT Security Skills

Business owners need to hire dedicated IT security staff with specialized skills in handling hybrid cloud resources. They must be able to use proper configuration management tools to minimize the likelihood of error. Knowledge of all the cross-platform tools required to control the hybrid cloud is also important. Concise cloud management policies should be implemented to define access controls for sensitive data, configuration and installation guidelines, reporting etc.

Poorly Defined SLAs

With so many hybrid cloud service providers available today, understanding the service level agreements (SLAs) has become critical. Access permissions and data security measures must be clearly specified in the SLA. Get information on the availability and performance of your cloud model during maximum load times. The SLA should also state the services for which you can use the public cloud and up to what limits.

Accountability

Both the organization and the service provider are accountable for maintaining a secure hybrid cloud environment. The vendor is primarily responsible for ensuring system integrity, access controls, data encryption, virtualization and network security. Consumers, on the other hand, need to implement stringent policies to secure their in-house resources.

Poor Data Redundancy

The lack of proper data redundancy can also be a major security threat in hybrid cloud. It is imperative to maintain redundant copies of the important files in both public and private data centers. With this, you can minimize downtime in case there is an outage in any of them.

Implementing a hybrid cloud strategy involves a complete redressal of both technical and security issues to reap the maximum benefits out of this technology.

For more information on hybrid cloud and how it can be used to streamline your business operations, feel free to contact Centex Technologies. We can be reached at (855) 375 – 9654.
