Ransomware Is Getting Worse. Here’s Why You Need Pen Testing.

Why You Need Pen Testing

Ransomware just became all too real for the whole East Coast. And it’s about to get worse.

The fuel giant, Colonial Pipeline, was hacked on Friday by ransomware cybercriminals, and it’s impacting everyone on the East Coast. From rising fuel prices and lines at the pump to the specter of a widespread gas shortage and inflation, the United States is in a serious bind. Why? Ransomware.

Sophisticated Russian hackers calling themselves the DarkSide made off with almost 100 gigabytes of data, declared the data hostage and threatened to leak it onto the internet. The ransomware incident underscores the risk that ransomware can post to not only critical national infrastructure but also to every business and government agency out there. (And, it may impact you too, since you may not be able to buy gas this weekend if you live on the East Coast.)

The bad news is that it’s only going to get worse, since the DarkSide is a malware operator that runs a Ransomware-as-a-Service network — meaning that other cybercriminals can pay to use their technology to access a victim’s network. The criminals then encrypt and exfiltrate data, after which they threaten to expose the data if a ransom is not paid. According to the U.S. Cybersecurity and Infrastructure Security Agency, “Groups leveraging DarkSide have recently been targeting organizations across various…sectors, including manufacturing, legal, insurance, healthcare and energy.”

Ransomware and the Most Vulnerable Industries List

Yep, on the list of industries that are most vulnerable to hacking and ransomware, energy enterprises like the Colonial Pipeline are at the top. The Colonial Pipeline is the U.S.’ largest pipeline system for refined oil products. At 5,500 miles long, it carries more than 100 million gallons of gasoline, diesel, jet fuel and heating oil per day between Texas and New York. That’s roughly 45 percent of the fuel consumed on the East Coast.

Perhaps your organization is smaller than the Colonial Pipeline. So what then? Just keep in mind that even if you are working for a smaller business, as long as it’s in one of the following industries, you are also at the top of that “most vulnerable” list:

  • Services (legal, insurance, etc.)
  • Health care
  • Manufacturing
  • Government
  • Higher education

Is ransomware a credible threat to your organization? You bet! And if you are a small- to medium-sized business, you are especially vulnerable. Over the last year alone, the news has been filled with stories of malicious attacks that have sabotaged unwitting businesses and government agencies, costing those organizations considerable time, money and damage to their reputation. Just over $300,000 is the average amount paid out by ransomware victims. That’s why there’s no time like the present to protect yourself.

Wouldn’t identifying gaps in your business’ network security – before you’re hacked by a bad actor – make sense? It should. That’s precisely why your organization’s overall security posture should utilize routine network penetration testing.

How Pen Testing Can Help

Plain and simple, running regular “pen tests” against the network gives you visibility into real-world threats that may impact your network security, exploits any vulnerabilities and provides steps for remediation. Routine pen tests allow you to test safely your system’s resistance to external hacking attempts by simulating the actions of a real intruder who might try to exploit vulnerabilities caused by operational weaknesses, outdated security policies, insecure settings, bad passwords, code mistakes, software bugs, service configuration errors and more.

Here are four reasons why your organization would benefit from routine network pen testing, which could also help prevent ransomware:

No. 1: Reduce Exposure, Remediation Costs, Hassle and Network Downtime

The average cost of a data breach in 2020 was $3.86 million, according to the Ponemon Institute. While the report showed a 1.5% decrease in costs from 2019, it still showed a 10 percent rise over the previous five years. So, if you are dealing with ransomware, after you’ve paid the ransom (or not), then you must deal with the added costs and hassle. This may include legal fees, regulatory fines, remediation fees, tarnished brand, sullied reputation, customer protection programs, lost sales and opportunities due to bad publicity, and of course, customer churn. Substantial subsequent investments will be required such as advanced security measures and customer protection programs. And downtime? Well, it might take some time to get all systems back up and running smoothly. A routine pen test proactively probes the areas of greatest weakness in your IT systems and flags them for remediation – before a hacker finds them. This proactive reduction of your overall exposure protects your business from dramatic financial and reputational loss as well as potentially devastating downtime.

No. 2: Prioritize Risks and Build a Killer Defense Posture

Wouldn’t you like the whole picture of your network security health? By proactively conducting regular pen tests, your organization can evaluate its web application, internal and external network security in full, prioritize the associated risks and understand the level of security that will be required to protect your data, people and assets from future bad actors who seek to rob you of that time, money and collateral damage. Anticipating the risks, fixing vulnerabilities on the spot and implementing remediation strategies will enable your organization to build up highly effective defense mechanisms.

No. 3: Achieve Security Maturity

What’s the difference between a routine penetration test and a real-life hack? The former is conducted in a safe and controlled manner and is meant to inform the steps that you take toward security maturity. It simulates a true attack by infiltrating your systems after it has found vulnerabilities. Repeating this process on a regular basis drives security maturity. Why? Because you are continually using that visibility created to develop a comprehensive data security plan. Moving your security program forward in a way that not only manages risk better but also creates additional value for your organization may be a competitive advantage in your industry too. Continuing to mature the security posture within your network environment demonstrates to your customers, shareholders and other stakeholders that you are striving for optimum security and data protection, focusing on continuous improvement and enhancing your ability to respond quickly to opportunities and threats.

No. 4: Comply With Industry Regulations and Standards

Pen tests can help you satisfy the myriad compliance and security requirements that are pretty much part of every industry. Non-compliance typically carries heavy fines. So, if you’re taking credit card payments, you need PCI compliance. HIPAA compliance pertains largely to the health care industry, and FISMA and ISO 27001 are still more compliance standards that certain organizations must meet. By performing your routine pen test, not only are you avoiding non-compliance, but you are also demonstrating due diligence as well as your commitment to information security and network health.

What Are You Waiting For?

So, are you undergoing routine penetration testing? If not, why not? Your first step should be to find a certified penetration testing professional or team. A professional can advise you about which type of pen test would be useful to your organization.

The AISN cybersecurity team can get you started with a pen test, explaining the steps and answering your questions. We can also advise you on the minimum frequency of pen tests required for your industry and IT infrastructure. Typically, we provide a detailed remediation plan following the testing process. This helps you understand the necessary procedures and investments you’ll need to put in place in order to build a more secure environment within your organization. For more information on how to get started, contact us today.