"Penetration testing is designed to meet the needs of companies securing data against loss, but too often we come across the same basic flaws, which we think companies could solve themselves," said Shannon Simpson, Commercial Director at CNS Group. "Our PenTest Portal will provide clients with the practical and conceptual skills to carry out very basic penetration testing on a regular basis, freeing up budget for a continual, advanced-penetration strategy for sensitive data. It will also show the non-technical and those new to security the importance of protecting a network and where they need to close the doors to hackers".
CNS initially developed and tested the PenTest Portal with students in the cyber security departments of universities as part of their ongoing programme to encourage people into the industry. The PenTest Portal is now a safe, virtual environment deliberately configured to test hacking knowledge and show CNS Hut3 clients how to do basic penetration testing themselves.
CNS Hut3 is looking to educate its customers in IT security and the advantages of regularly sweeping networks with a basic penetration test. This will mean that CISOs can get better value from their budgets and resolve growing concerns about hacking, including the potential security issues of offshore access, testing against the wireless network, and DDoS attacks or Advanced Persistent Threats.
The top four basic security errors that CNS Hut3 PenTesters still come across are:
- Default credentials - Seen on everything from high-end Cisco devices to door control systems, security cameras, printers, switches, power controllers, database servers, web servers, laptops, video conferencing systems...
- Insecure Communication - Plaintext Bad, Encryption Good. For example, on a typical external penetration test CNS Hut3 will find organisations using telnet to manage a device, or HTTP being used instead of HTTPS to transmit sensitive information.
- Patching - This is still a major problem in Windows environments. If systems are missing old critical patches, then a hacker can simply use an automated tool like the Metasploit Framework, point it at the target and deploy the payload.
- Guessable Passwords - Password complexity is not solving this, because Password1 will fit into a multi-case and alpha-numeric requirement. Password complexity sometimes means that the password requirement gets completely removed, and some companies are still deploying 'password' as their password on some key applications.
Edd Hardy, Security Practice Head at CNS Hut3, explains, "these days it's easy to find hacking tools on the internet, which means you no longer have to be particularly technically competent to attack an organisation. We want customers to sort out the basic penetration testing themselves and put good housekeeping practice in place, so that we can concentrate on the high-level issues". He continued, "this should also have long term cost-saving benefits. By resolving straightforward issues in-house we can deal with customers' increasingly complex security requirements created by new technologies, new business practices and the changing tactics hackers are using".
"IT budgets are apparently prioritising security, but is it being spent in the right place?" said Shannon Simpson, Commercial Director at CNS Group. "Fulfilling your budget line item by having a penetration test won't necessarily improve your security, but it will spend the budget. Companies can improve their security posture by spending it on scenario and risk-based testing, and spend less time worrying about it", added Simpson.
Notes to Editors
CNS Group would like to invite security journalists to come and try out the CNS Hut3 PenTest Portal. If you are interested, please contact Kate Warwick or Jan Howells at PR Savvy (details below).
About CNS Group
The CNS Group is the parent company of two focused and specialist companies, dedicated to being experts in their fields:
CNS Hut3 are experts in Information Assurance.
CNS Mosaic provide specialist Information Security and IT Security Solutions & Services.
CNS Group gives its clients access to the most dedicated experts in Information Assurance and IT Security. The Group aims to ensure focus and specialisation within its companies, in order that each group company is second to none and brimming with excellence, experience and enthusiasm.
CNS's customers vary in size, from FTSE 100 and large public sector organisations to SMEs, but are united in the importance of digital information to their business and in their desire for pragmatic, knowledgeable help in securing their systems and data and meeting their connectivity requirements.
By working with us, you can be assured of access to the latest security intelligence; to an understanding of the latest regulatory requirements; and to experts in IT security and Information Assurance.
The Group structure means our clients can benefit from our experience and full range of specialist products and services. They can be sure their business data is protected and secure, leaving them to focus on other business priorities. The Group's clear mission statement is to save our clients' time, worry and expense by remaining at their side, helping them to build, manage and continually improve their IT business systems with confidence.
The original CNS (Convergent Network Solutions Ltd) was set up in 1999 in the City of London. Over the years CNS has built an excellent reputation for providing information security and networking consultancy and services to customers across a variety of sectors on a global scale. The company is wholly owned by its employees and directors.
The new website address is www.cnsgroup.co.uk