Wednesday, March 21, 2012

What is a Penetration Test?

A penetration test, or "pen test", is an authorized, simulated attack used to evaluate an organization's security controls, procedures, and its response to an intrusion on its computer network. In a pen test a security contractor attempts to break into the network using the same techniques a real attacker would use. This may involve probing for unpatched vulnerabilities, checking for missing anti-virus protection, or testing the actions of the employees themselves. It is the response of the employees to social engineering attacks that we are exploring in depth for this project.

When conducting such tests, it is critical that the organization and its security consultant protect themselves from legal exposure. As this white paper points out, the actions taken by the security company would be illegal in any other situation, so the test must rest on explicit written authorization that defines its scope, the permitted techniques, and the dates during which testing may occur. Legal preparation should also cover worst-case scenarios (for example, a suspicious employee calls the police), and when on site the security company's employees or contractors should carry a copy of that authorization together with the contact details of the upper management who can "rescue" them if something goes wrong.

The job status of any employee who "messes up" during such a test should be clearly laid out in advance. In fact, a company should be encouraged to treat employee failures as a positive sign: they are what helps improve the long-term response to a real attack. Firing or otherwise punishing these employees would be a poor decision. In a real attack, the same employees who learned from their mistakes will be the first to recognize and respond appropriately to the real intruders, which makes them much more valuable to the organization.
