"If you deny reality, you cannot control reality" -Rory Miler
In my previous post, we discussed the similarities between reality based self-defense and ethical hacking. Without getting too technical about semantics, I'll use the widely known term 'martial arts' moving forward.
In martial arts, sparring provides practitioners with a real-life simulation of combat situations under controlled circumstances. It's a tool to understand and develop the practitioners' technical, strategical, psychological, and physical abilities during various levels of stressful situations. Without sparring, it's impossible to understand your weaknesses, especially during high-stress situations. Just like car manufacturing companies crash test their cars before making them available to the public. We need to apply the same approach when it comes to our digital security. I always encourage my students to start sparring as early as possible in their martial arts careers. Why? Because I would rather have them fail in the dojo (a practice hall where martial arts are taught), than in a real-world violent situation. The same thought process applies to cybersecurity. Wouldn't you rather find your weaknesses, misconfigurations, or vulnerabilities in your dojo; where we as digital guardians can help you mitigate before real adversaries can take advantage of them?
Shifting focus over to security testing and specifically penetration testing. A penetration test involves simulating actual attacks by our offensive security engineers, who will attempt to breach security measures to identify those misconfigurations and vulnerabilities. This serves as a form of pressure testing, allowing your organization to determine the effectiveness of your security measures in real-world scenarios. Just as a martial artist becomes more resilient and adaptable through sparring, organizations undergoing penetration testing can build resilience to potential threats by identifying those weaknesses and developing targeted countermeasures. By exposing systems to simulated attacks, your organization will gain valuable insights into both your strengths, and areas that require improvement.
Just like sparring has different flavors, so does security testing. There's a variety of methods that can be deployed in a security testing engagement, ranging from white-box penetration testing, red team engagements, to external attack surface scanning, social engineering, and phishing simulations. The selection depends on your organization's current security posture and maturity, as well as your security vision and ambition. Additionally, threat modeling is another technique utilized in both subjects. The adversarial model differs immensely between myself, a soon-to-be middle aged martial artist, and let's say a twenty year old female. The types of potential threats and 'bad guys' that the young female needs to be aware of, are most likely not the same type of adversaries that I need to be vigilant for. Again, we can apply the same though process for your organisation. Do you know what types of potential adversaries that will target your organisation, and why?
In conclusion, security testing is vital to truly understand your security posture. Not every organisation needs a full-fledged red teaming exercise or a full-scaled threat actor simulation. However, every organization needs to have a realistic understanding of their security posture. Regardless of the defenses and countermeasures deployed, they need to be stress-tested by experienced and competent digital defenders.
Onevinn’s Offensive Security Team provides a wide range of security testing services including everything mentioned above. Let us stress-stress your security, so you can sleep easier at night.
For more information about our Offensive Security Testing services, go to https://www.onevinn.com/security-testing.
