Best iPad 2 leather cases

The classic look of leather is a great way to protect your iPad 2 with style. An iPad 2 case minimizes the chance of the device cracking if it suffers an unexpected drop, and many cases also improve stability and visibility through the stand options they build in. There are a lot of cool case options for the iPad 2, from metallic-looking enclosures that fit the Apple mystique to leather, which is a great alternative if metal is not your style. One thing to note is that any case adds bulk to your iPad 2, so there is a trade-off between bulk and physical protection.

Factors to consider when choosing a case for your iPad 2

  • How much bulk does the case add to your iPad?
  • How snugly does the case fit, and does it protect all four corners?
  • Quality of the leather the case is made of
  • Personal taste in design and style
  • Cost

Here is a rundown of the highest rated iPad 2 leather cases, well reviewed and loved by those who have made the investment to protect their device.

Bear Motion Leather Case with 3-in-1 built-in stand – Elegant and conservative, this highly rated leather case/stand is noted for its high quality leather and high quality snap magnets. The stand is also praised for how much it helps with reading on the iPad.

Yoobao 3-in-1 Leather Case with built-in stand – The general consensus is that this is an attractive five-star case and a top option if you want leather. Yoobao is a well respected brand in the iPad case market, and its raving fans show there is a lot to like about this case.

Toblino 2 Leather Case – Known for high quality leather and a perfect fit around all four corners, this iPad 2 case is a high end option for extra protection.

Targus VuScape Cover/Stand – Targus is sort of the workhorse brand of protective cases, so its alternatives can always be considered. The others listed above are more attractive, but these are functional and get the job done.

Snugg iPad 2 Leather Case with flip stand – Leather has a traditional worn-in look, and the general opinion from the reviews is that this case works as advertised at a nice price. Not my top pick, but included for the value-conscious consumer seeking an affordable case.

For those looking for colored leather iPad 2 cases, here are some options:

rooCase Premium Leather (red)

Bear Motion Case (brown)

Targus (blue/black)

If you decide to purchase a protective case, I think you are making a wise decision. The chance of your iPad 2 suffering accidental damage such as a cracked screen can be significantly reduced by choosing the right case.

Posted in iPad Security

How to run an incident management process

The primary purpose of an incident management process, in IT operations or security, is to restore normal service as quickly as possible and minimize the impact on the business. Here is a rundown of a typical incident response:

1. A business-critical operations or security incident is reported to the help desk by an end user or an automated monitoring system. The help desk must get detailed information about the exact nature of the problem, including a precise statement of what is not working, and document the specifics in the problem log.

2. The help desk reviews the issue against the support scripts, determines the business impact, and decides whether the issue should be escalated as a high priority item.

3. The help desk follows the documented escalation process and begins to form a system restoration team (as detailed by the application/system support script).

4. The system restoration team assembles on a designated global phone bridge, with the intent of getting everyone necessary for restoration on the line.

5. For a high priority application problem without a clearly defined cause, it is typical to get the end-to-end support team on the line. Typical system restoration participants are:

  • Application support team member
  • Server support team member
  • Database support team member
  • Network/Firewall team member
  • Someone who can test functionality/items as needed (often a business user)
  • Facilitator of the incident response call

6. The facts surrounding the event are discussed with the combined team so everyone is aligned on the problem to be solved. The incident response facilitator should be the primary voice of the team and keep it on track toward the primary goal: restoring normal business operations.

7. Depending on the severity of the problem, keep the relevant stakeholders updated on progress and on the expected duration of the outage (if known). Communicating effectively is one of the most important things to do during an incident: it sets proper expectations, keeps those affected informed, and minimizes the likelihood of unneeded political escalation.

8. Best practice is to keep the phone bridge open until the problem is resolved, to maintain problem solving momentum. If the problem is expected to run too long for that to be practical, define the needed update times and schedule the sessions as needed.

9. Validate that the service has been restored to normal before disbanding the system restoration team. This is best done by having an end user on the bridge confirm it.

10. Before ending the call, make sure the incident diary is updated with what was done to resolve the problem. In addition, any information needed for the root cause and corrective action (RCCA) analysis should be assembled while the incident is still fresh in everyone's mind.

Important points about the Incident Management process

  • There is sometimes a tradeoff between quicker restoration and collecting system logs and other evidence needed to find the root cause. Manage this conflict according to the likelihood of finding a true root cause (very desirable to prevent recurrence) versus faster restoration of the affected service. Decide what to capture (logs, memory, configuration) before a reboot or rebuild destroys it.
  • The system restoration team facilitator must be in charge of leading the assembled resources to maintain an orderly process. Too many chefs in the kitchen will not restore service any faster.
  • Document the problem ticket regularly throughout the process; it tracks status, supports communication updates, and is a source of data for the future root cause analysis.
  • Opening a group chat room for the system restoration team is a good way to share technical information without sidetracking the phone bridge directing the resolution. It also serves as a log for the problem diary and a source of information for the root cause analysis.
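As an added example (not from the original post), here is the process above encoded as a small Python incident record: a priority matrix decides whether a restoration bridge is needed, the status order follows the steps, every action lands in the diary, and closing requires both an end-user validation and a diary entry describing the fix. The priority matrix, status names and the sample ticket are assumptions made for illustration, not any help desk product's rules.

```python
"""Incident record that enforces the restoration-call rules described above.

Added example. The impact/urgency priority matrix, the status names and
the sample ticket are assumptions for illustration, not a real product's.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Business impact x urgency -> priority (ITIL-style matrix; assumed values).
PRIORITY = {
    ("high", "high"): "P1", ("high", "medium"): "P2", ("high", "low"): "P3",
    ("medium", "high"): "P2", ("medium", "medium"): "P3", ("medium", "low"): "P4",
    ("low", "high"): "P3", ("low", "medium"): "P4", ("low", "low"): "P4",
}
BRIDGE_PRIORITIES = {"P1", "P2"}  # priorities that get a system restoration bridge

# Step order from the post: reported -> triaged -> restoring -> validated -> closed.
# A ticket the help desk fixes from its support script is closed straight from triage.
TRANSITIONS = {
    "reported": {"triaged"},
    "triaged": {"restoring", "closed"},
    "restoring": {"validated"},   # closing from here would skip end-user validation
    "validated": {"closed"},
    "closed": set(),
}


class ProcessError(Exception):
    """Raised when a step is attempted out of order."""


@dataclass
class Incident:
    ticket: str
    problem_statement: str            # exactly what is not working (step 1)
    impact: str                       # high / medium / low
    urgency: str                      # high / medium / low
    status: str = "reported"
    diary: List[Tuple[str, str, str]] = field(default_factory=list)  # (utc time, who, note)
    validated_by: Optional[str] = None

    @property
    def priority(self) -> str:
        return PRIORITY[(self.impact, self.urgency)]

    def needs_bridge(self) -> bool:
        """Steps 2-3: does the support script call for a restoration team?"""
        return self.priority in BRIDGE_PRIORITIES

    def log(self, who: str, note: str) -> None:
        """Every action goes into the diary while it is fresh (steps 1 and 10)."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.diary.append((stamp, who, note))

    def advance(self, new_status: str, who: str, note: str) -> None:
        if new_status not in TRANSITIONS[self.status]:
            raise ProcessError(f"{self.status} -> {new_status} is not allowed")
        if new_status == "restoring" and not self.needs_bridge():
            raise ProcessError(f"{self.priority} does not warrant a restoration bridge")
        if new_status == "closed" and not any(n.startswith("resolution:") for _, _, n in self.diary):
            raise ProcessError("record a 'resolution:' diary entry before closing (step 10)")
        self.log(who, f"{self.status} -> {new_status}: {note}")
        self.status = new_status

    def validate(self, end_user: str, note: str) -> None:
        """Step 9: only an end user on the bridge confirms the service is back."""
        if self.status != "restoring":
            raise ProcessError("nothing to validate; incident is not in restoration")
        self.validated_by = end_user
        self.advance("validated", end_user, note)

    def rca_handoff(self) -> Dict[str, object]:
        """What the root cause analysis needs, assembled before the call ends."""
        return {
            "ticket": self.ticket,
            "priority": self.priority,
            "problem": self.problem_statement,
            "validated_by": self.validated_by,
            "timeline": list(self.diary),
        }


def run_sample() -> Incident:
    """Walk a constructed P1 incident through the whole process."""
    inc = Incident("INC-1001", "Order entry app returns HTTP 500 for all users", "high", "high")
    inc.log("helpdesk", "reported by end user; problem statement captured")
    inc.advance("triaged", "helpdesk", "support script says escalate")
    inc.advance("restoring", "helpdesk", "bridge opened; app, server, DB and network paged")
    inc.log("db-team", "resolution: restarted hung database listener")
    inc.validate("business-user", "order entry confirmed working")
    inc.advance("closed", "facilitator", "bridge closed; diary complete")
    return inc


if __name__ == "__main__":
    for entry in run_sample().rca_handoff()["timeline"]:
        print(*entry)
```

The two guards in `advance` are the ones worth copying into a real ticketing workflow: a ticket in restoration cannot be closed without passing through `validate`, and nothing closes until someone has written down what fixed it.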
Posted in IT Operations

How to update PHP to support WordPress version 3.2.1

When a new WordPress version comes out, I always like to wait 3-4 weeks for sufficient burn-in, on the assumption that any major bugs will have been corrected by the time I upgrade. One of my cardinal rules for upgrades is to have a working backup and to make sure I have enough time to troubleshoot and quickly correct anything that goes wrong. I delayed upgrading to the latest WordPress longer than my usual 3-4 weeks because it required a newer PHP version than I was running, and I expected that to be a bigger deal to change than it turned out to be.

Since this site is dedicated to security, I did not want to fall more than one version behind the current WordPress release (got to practice what I preach). I logged into my hosting account and was pleasantly surprised to learn that upgrading the PHP version was a painless point-and-click change.

To upgrade PHP I performed the following:

1. Logged into my hosting account
2. Went to cPanel
3. Software/Services
4. PHP Configuration
5. Changed from PHP 4 to PHP 5 and clicked Update

I then went back to my WordPress site and was able to upgrade to WordPress 3.2.1, where previously a "not compatible with your version of PHP" message had been displayed. From there the auto update worked like every previous update. (WordPress 3.2 raised the minimum requirements to PHP 5.2.4 and MySQL 5.0.15, and PHP 4 itself had been end-of-life since 2008, so this change was overdue for security reasons regardless of WordPress.)

Posted in WordPress Security

How to perform a root cause analysis

The purpose of a root cause analysis, in IT operations or information security, is to gain insight into the source(s) of a problem with the goal of preventing recurrence. A root cause analysis should be performed after an incident has been responded to, not during it. During the incident nobody should be distracted; the primary focus of everyone involved should be restoring service and eliminating business impact. Once business operations have returned to normal, the next steps are to collect any relevant information and hold a debrief in preparation for a formal root cause analysis.

Organizations often use the 5 Whys method to determine how an incident occurred. Asking "why?" several times drills down to what caused a problem rather than simply restating the problem itself.

Example of the 5 Whys method:

The company file and print server was infected with a worm <- Why?

The server was not patched with the latest Microsoft patches <- Why?

The automated server that deploys the patches has been broken for a month and is not operational <- Why?

The change to upgrade it 5 weeks ago was unsuccessful and no additional action was taken to correct it <- Why?

The change to the server was not properly planned or documented, and the engineers were unaware that the upgrade had occurred <- Why?

Proper change control processes were not followed

The only time you are likely to hear more whys is in a car with several small children to whom you are trying to explain something.

Tips for conducting an effective root cause analysis

  • A root cause analysis should be performed as soon after an incident as is practical, allowing for the needed prework and for attendees to be scheduled. Extended delays increase the likelihood that the incident will not be well remembered and that the momentum to correct it will be lost.
  • Conduct sufficient prework to document the incident and the actions taken during the event. Review the documentation with those involved for factual accuracy.
  • Schedule the root cause analysis so that the key individuals are available to attend.
  • Use a standardized form. Ideally the information is stored in an application or database so that metrics are easily generated for long term improvement tracking.

Common errors that occur in the root cause analysis process

  • Failing to properly document the facts around the incident in a timely manner
  • Failing to understand the difference between correlated facts and causation
  • Not driving deep enough: recording what happened rather than why it happened and how it can be prevented.
  • Not tracking improvement tasks to make sure they have been completed as expected
  • Not auditing the root cause analysis process for quality

Tips if root cause can not be determined

  • Determine what additional information should be collected next time, and develop a process for collecting it in case the event recurs.
  • Do not assign a root cause that is not correct just for a false sense of completeness. Recognize that not every incident can be attributed to a root cause on the first pass, and make a plan to be effective if the issue recurs.

Sample Root Cause Analysis Form

Statement of issue: Describe the problem that occurred

Chronology of events: Detail the events that occurred, with specific times and the actions taken during the incident

Business Impact: Define and quantify the problem from a business perspective

Participants: Document the individuals who participated in the root cause analysis

Corrective Actions: Each with the name of the individual responsible for completing it and the date completed

Lessons Learned: Document to enable future improvements

Other areas with similar exposure: Document so the same incident does not have to be experienced again in other operating areas

Contributing Causes: Items that may not be the root cause but were contributing factors needing correction

Was the incident a repeat event?

Final thoughts on root cause analysis

If you are capturing your root cause analysis in a database it may be useful to track many other items for reporting and improvement metrics. Some of these items might include:

  • Incident # (to link back to your problem management system)
  • Incident Status
  • Incident Start and End Time
  • Location/Country/Region of incident
  • Incident category (application/server/etc.)
  • Service affected
  • Organization owner of incident
  • Type of problem

Effectively performing a root cause analysis is one of the most important things you can do to improve operations and drive a continuous operations improvement mindset.
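As an added example (not from the original post), here is the sample form above as a Python record, with a review function that flags the common errors listed earlier, an open-actions view for tracking corrective tasks to completion, and a repeat-event check against earlier RCAs on the same service. The field names follow the form; the validation rules, the repeat logic, and the sample data (the worm incident from the 5 Whys example, with constructed names, times and dates) are this example's own assumptions.

```python
"""Root cause analysis record with the checks called out above.

Added example. The field names follow the sample form in the post; the
validation rules, the repeat-event check and the sample data (the worm
incident from the 5 Whys example, with constructed names and dates) are
this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CorrectiveAction:
    description: str
    owner: str                      # a named individual, not a team
    due: str                        # YYYY-MM-DD
    completed: Optional[str] = None


@dataclass
class RootCauseAnalysis:
    incident_id: str                # links back to the problem management system
    service: str
    statement: str
    chronology: List[Tuple[str, str]]          # (time, event or action taken)
    business_impact: str
    participants: List[str]
    whys: List[str]                            # the 5 Whys chain, problem first
    root_cause: Optional[str] = None           # None = not determined
    collect_next_time: List[str] = field(default_factory=list)  # required if root_cause is None
    contributing_causes: List[str] = field(default_factory=list)
    corrective_actions: List[CorrectiveAction] = field(default_factory=list)
    lessons_learned: str = ""
    similar_exposure: List[str] = field(default_factory=list)


def review(rca: RootCauseAnalysis) -> List[str]:
    """Return the common RCA errors from the post that this record exhibits."""
    issues = []
    if not rca.chronology:
        issues.append("no chronology: the facts were not documented")
    if len(rca.whys) < 4:
        issues.append("drill-down too shallow: the why chain stops at what happened")
    if rca.root_cause is None:
        if not rca.collect_next_time:
            issues.append("root cause undetermined and no plan for what to collect next time")
    else:
        if rca.whys and rca.root_cause != rca.whys[-1]:
            issues.append("root cause is not the end of the why chain: correlation mistaken for cause?")
        if not rca.corrective_actions:
            issues.append("root cause known but no corrective actions")
    for ca in rca.corrective_actions:
        if not ca.owner or not ca.due:
            issues.append(f"corrective action without owner or date: {ca.description}")
    return issues


def open_actions(rca: RootCauseAnalysis) -> List[CorrectiveAction]:
    """Improvement tasks that still need tracking to completion."""
    return [ca for ca in rca.corrective_actions if ca.completed is None]


def is_repeat(rca: RootCauseAnalysis, history: List[RootCauseAnalysis]) -> bool:
    """Repeat event: the same service already had this root cause, or had an
    incident whose cause was never found (this may be the recurrence to learn from)."""
    for prior in history:
        if prior.incident_id == rca.incident_id or prior.service != rca.service:
            continue
        if prior.root_cause is None or prior.root_cause == rca.root_cause:
            return True
    return False


def sample() -> RootCauseAnalysis:
    """The worm incident from the 5 Whys example, with constructed details."""
    whys = [
        "The company file and print server was infected with a worm",
        "The server was not patched with the latest Microsoft patches",
        "The automated patch deployment server had been broken for a month",
        "The upgrade change five weeks ago failed and nothing was done to correct it",
        "The change was not planned or documented, so engineers did not know it had happened",
        "Change control processes were not followed",
    ]
    return RootCauseAnalysis(
        incident_id="INC-1001", service="file-and-print", statement=whys[0],
        chronology=[("08:10", "antivirus alerts on file server"),
                    ("08:25", "server isolated from the network"),
                    ("11:40", "server rebuilt, patched and returned to service")],
        business_impact="Shared drives and printing unavailable to all staff for 3.5 hours",
        participants=["ops lead", "server team", "security"],
        whys=whys, root_cause=whys[-1],
        contributing_causes=["patch compliance was not being reported on"],
        corrective_actions=[
            CorrectiveAction("Repair patch server; verify deployment to all servers", "J. Doe", "2011-07-15"),
            CorrectiveAction("Add monthly patch compliance report", "A. Roe", "2011-07-31"),
        ],
        lessons_learned="A failed change needs a documented follow-up, not silence",
        similar_exposure=["regional office file servers on the same patch process"],
    )
```

Storing records in this shape is what makes the metrics in the final section cheap: `open_actions` over all records gives the overdue-task report, and `is_repeat` answers the form's last question automatically instead of relying on memory.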

Posted in Incident Management, IT Operations

iPad, iPad 2 and iPhone screen privacy – Options to protect your screen and keep busybodies at bay


photo by: http://www.flickr.com/photos/adamjackson/

Are you tired of constantly repositioning the angle of your iPad, iPad 2 or iPhone to keep busybodies from seeing what you are doing? Traveling in tight quarters like a car or airplane and don't want casual snoops eyeing your activities? If you answered yes to either question, you are in the market for screen privacy protection.

Factors to consider when purchasing screen privacy protection

  • Privacy films also reduce unwanted glare on your device.
  • Privacy films/screens make the screen appear darker. If you prefer a very bright screen your options are more limited, and you will sacrifice some of the privacy benefit as a result.
  • If you read a lot, you may need to turn the device brightness up to compensate for the privacy screen.
  • The thickness and quality of the film will be a major factor in how private your device is to those around you.
  • 4-way protection is preferred over 2-way, because it narrows the viewing angle both side to side and top to bottom. 4-way filters typically cost more to reflect the additional privacy. Note that any filter only narrows the viewing angle; someone looking straight over your shoulder still sees the screen.

Note: for all the products listed below I have read through various product reviews and only included products that were noted to be of high quality and free from excessive negative reviews.

Screen privacy options for the iPad 2

GumDrop Drop Series Cases – These top rated cases are well loved by a large number of consumers. They provide protection against breakage plus screen protection, so they are a nice all-in-one solution and the top choice to stylishly protect your device. Available in a lot of cool styles.

KHOMO Privacy 4 Way Screen Protector – Purchasers of this protective film noted ease of installation and the thickness of the film as the overall benefits of the product.

3M Privacy Screen Protector for iPad 2 – This product is new, so it does not yet have reviews, but 3M is a trusted brand known for high quality products, which makes it a top option.

Privacy Screen Cover for iPad 2 (Brookstone) – New, so no reviews yet, but I have always been happy with Brookstone purchases, so I have no qualms about including this option on the list.

Screen privacy options for the iPad

3M Privacy Screen Protector – This product is new, so it does not yet have reviews, but 3M is a trusted brand known for high quality products, which makes it a top option.

Splash 3-pack screen protector films – This 3-pack is at the very low end of the price spectrum but is well rated and is designed as a more disposable, replaceable form of screen protection.

Screen privacy options for the iPhone

GumDrop Drop Series Cases – These top rated cases are available for the iPhone as well and come in a variety of cool styles.

Phone Devil Screen Protector – A nice, well rated option that I believe is a small cut below the GumDrop line.

I will keep this list up to date to reflect user experience with the newer products. I am especially eager to see how the 3M products are received, since they are quite new and 3M is a leading authority in the space.

Posted in iPad Security

10 Information Security Lessons Everyone Should Know

Information security is an afterthought to most people, left to the domain of nerds and professionals. This is a big mistake that could have major ramifications for your financial, social or emotional well-being. Identity theft, financial loss, wasted time, and social or reputational stress are just a few of the potential problems awaiting anyone who fails to take information security seriously. Without any further buildup (as if any were possible), here are the top 10 information security lessons everyone should know.

1. You are a potential victim – It isn't just the rich and famous who are targeted. Most attacks are automated and opportunistic, so having an email address or a bank account is enough to make you a target. Everyone is a potential victim and must take adequate precautions to protect their systems and information. If you do not take the risk seriously, you are more likely to become a victim.

2. Email and internet browsing are the two riskiest activities you do every day – If you click on every email, open every attachment, and visit web sites of unknown quality, you are at increased risk of being compromised with malware. Once your machine has been compromised it may become unusable, or worse, it may silently harvest your important usernames and passwords.

3. Anyone you let use your system or device can put you at risk

Anyone you let use your system can undo all of the careful planning you have done and create problems for you later. If you allow others to use your device, be sure they have good judgement and set some ground rules around email and internet usage. Better still, give them their own non-administrator account so their mistakes cannot touch your files or install software system-wide.

4. Do not reuse username/passwords especially for important accounts

Most people reuse usernames and passwords, even for important accounts like email and online banking. This is a big mistake: if only one of the sites you use has a security incident, the leaked credentials will be tried against every other site, so one breach becomes many. It is better to use a unique strong password for every site and a free password manager such as LastPass to keep track of them securely.
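To make the point concrete, here is an added Python example (not from the post, and not LastPass code) that takes a credential list of the kind a password manager can export, reports which accounts share a password, and generates unique replacements from the operating system's random source. The sample credentials are constructed.

```python
"""Find password reuse in a credential list and generate unique replacements.

Added example, not from the post or any password manager. The credential
list is constructed for illustration; in practice feed it the CSV export
a password manager produces rather than typing passwords in by hand.
"""
import secrets
import string
from collections import defaultdict
from typing import Dict, List, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# (site, username, password): constructed sample, one password reused three times
SAMPLE_CREDS: List[Tuple[str, str, str]] = [
    ("mail.example", "alice", "Summer2011!"),
    ("bank.example", "alice", "Summer2011!"),
    ("forum.example", "alice99", "Summer2011!"),
    ("shop.example", "alice", "rQ2#vm8L!pZ4kT9w"),
]


def reuse_report(creds: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each reused password to the accounts that share it.

    Only passwords on two or more accounts are returned, so each value is the
    blast radius if any one of those sites leaks its credential database.
    """
    by_password: Dict[str, List[str]] = defaultdict(list)
    for site, user, password in creds:
        by_password[password].append(f"{user}@{site}")
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def generate_password(length: int = 20) -> str:
    """Password from the OS CSPRNG containing every character class."""
    if length < 4:
        raise ValueError("too short to hold all four character classes")
    while True:  # rejection sampling: retry until all classes are present
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def replacements(creds: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """A fresh, distinct password for every account that currently shares one."""
    reused = reuse_report(creds)
    return {acct: generate_password() for accts in reused.values() for acct in accts}


if __name__ == "__main__":
    for pw, accounts in reuse_report(SAMPLE_CREDS).items():
        print(f"password shared by {len(accounts)} accounts: {', '.join(accounts)}")
    for acct, new_pw in replacements(SAMPLE_CREDS).items():
        print(f"{acct}: set new password {new_pw}")
```

Note that the report on the sample shows the bank account sharing a password with a forum account; that is exactly the exposure the lesson warns about, since forums are breached far more often than banks.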

5. Do not go without security protection for your PC, tablet or mobile device.

Going without antivirus, a personal firewall, and security updates is just asking for problems. Updates close the holes attackers rely on; antivirus and the firewall are your last line of defense when you make a mistake and click on an infected attachment or website. If you do not want to pay for this, there are high quality free security tools available to help.

6. It is easy to impersonate you

Anyone can create a Facebook, LinkedIn (insert any other social media site here), or email account pretending to be you. It is easy to find an image of most people using Google or a variety of other sources to make the account look authentic. If friends report accounts that do not sound familiar, do not dismiss them; take action immediately.

7. Backup your important information

Always have a backup plan to restore documents, photos or other items you cannot stand to lose. If you do not have a backup, you are putting too much faith in never losing your device or having it become inoperable. Use a DVD, a backup system, or online storage, but use something, and test that you can actually restore from it; an untested backup is a hope, not a plan.

8. Protect your mobile devices while out and about

Electronic equipment is most vulnerable to loss or theft when you are on the go. Take it with you, but keep an eye on it and never leave it unattended and visible, or you may regret it later. Assume that if you like it, someone else might too.

9. Secure your wireless access point

WEP encryption is better than nothing but not sufficient, since it is easily cracked with freely available tools. You should be using WPA2 (WPA at a minimum) with a strong passphrase so that others cannot cause trouble on your connection. Read this horror story of what normal people went through with their neighbor from hell if you are not convinced.

10. Anything you do electronically is forever

Many people post things on the spur of the moment thinking they can delete them later. This is usually not the case, since nearly everything is indexed, archived, and kept for posterity. Think twice before posting something (pictures, emails, social media posts), because it will endure and might be used against you in unexpected ways later on.

Some of these recommendations may sound a bit alarmist, but awareness is most of the battle. Compute safely, my friends.


Posted in Information Security Awareness

Free Security Software – 5 free must-use security tools

Need security for your computers but on a budget of $0? Free security software is available to help. A few years ago, acquiring free security software often carried a risk of picking up unwanted malware or a nag screen every other second offering the registered version. Luckily, the quality of free security software has risen dramatically and it no longer carries the stigma of being an inferior product.

Top 5 Free Security Software Tools

1. Avast Free Antivirus – Previously I was always skeptical of free anti-virus products and considered them a novelty. My Norton subscription for my new PC recently expired and I decided to give this software a legitimate chance since I had heard good things. I am very glad I did: this is a first rate freely available package with signature updates that rival its subscription-based rivals. If you are not already getting AV via your broadband provider, be bold and save $30-50 a year per machine by using Avast.

2. LastPass – Despite well publicized security events a while ago, LastPass is a first rate company that makes a high quality, freely available password manager that belongs in your free security tool arsenal. LastPass is a life saver for the essential process of creating unique user IDs and passwords across the web, minimizing the risk of reusing accounts or passwords. It also saves my brain cells and the wasted time of resetting forgotten passwords, which is bound to happen to anyone creating unique passwords for each site. LastPass is more secure than either browser-saved credentials or an unencrypted Word or Excel document. To minimize the risk of a LastPass credential compromise, I recommend changing your master password every 90 days or whenever you receive a notice from the company about potential security issues (which hopefully was a one-time occurrence).

3. TrueCrypt – Freely available encryption software for your computer or USB drives that works on multiple OSes, including Windows, Mac, and various Linux distributions. Disk encryption is an essential security control to prevent your data from falling into the wrong hands if your PC or portable storage device is lost or stolen. I have only recently started using this software but like what I see so far.

4. Qualys BrowserCheck – Your browser is one of the most attractive targets for attackers trying to infect your system, so keeping the browser and its installed plugins up to date is mandatory for system health. Qualys has developed a useful browser plugin that validates that you are running at a fully patched and protected level. Qualys is a trusted high end security company and this is a valuable contribution to your free security tool bench.

5. Microsoft Security Essentials – Security vendors often advise against running multiple anti-malware packages at the same time because of incompatibilities. I have had no problems running MSE alongside either Norton (previously) or Avast, so I will continue using Microsoft Security Essentials. I was uncomfortable relying on it as my sole protection, but it is an excellent secondary control beside the Avast package I use as the primary. If you are looking for personal firewall protection I recommend the Microsoft supplied option as well.

I am actively using or have used all of these free products, so feel free to ask a question if you are having problems, or to recommend other free security tools that are working well for you.

Posted in Security Software

How to secure your iPad/iPad 2 at a conference or trade show


Photo credit: http://www.flickr.com/photos/schargis/

Are you responsible for delivering an important conference or trade show for your company? If so, you have a thousand things on your mind preparing for the big event, but please make information security part of the plan. Failing to account for security could be the difference between a successful event and a disaster. Remember to physically secure your iPads, portable electronic devices, and TV/display units, because some attendees think more than the pens and stress balls are fair game as giveaways.

General Information Security tips for trade shows and conferences

  • Mount or lock all electronic assets down to prevent loss or theft. Choosing one of the attractive options below lets you have security and an attractive setup.
  • Be careful with the equipment while it is in transit in your car or van. If you stop to eat or rest, make sure someone has eyes on the equipment at all times. If you are stopping for the night, unload it into your hotel room.
  • Have a trusted person watch the electronic equipment while it is being moved from your car to the trade show (and back). Equipment is most exposed while in transit.
  • If you are capturing attendees' contact information, treat it as confidential and make sure the appropriate controls are in place. If you capture leads electronically, use the physical security controls recommended below; if you use business cards or other paper methods, also secure the box or container you collect them in.
  • Ask the event organizers about the security of the venue so you know the equipment will be safe when you cannot have eyes on it (thieves will likely target exhibitors without the controls mentioned below, so you will be a less attractive target overall).
  • Do not plug USB or other storage devices of unknown origin into the devices you bring with you. This is a common way an attacker infects systems, and a show floor full of free promotional USB sticks is a natural place to hand them out.

iPad Physical Security Options for Trade Shows/Industrial Users

iPads are beautiful devices to show off your products and your company's electronic presence at a conference or trade show. Prospective customers love the latest technology and gravitate toward high tech displays. iPads and other portable devices should be attractively mounted as part of your display to prevent theft while retaining the beauty and usefulness of your showcase. Also put a passcode on any iPad left on the stand: the mount protects the hardware, not the data or the accounts signed in on it.

RAM Mounting System for iPad/iPad 2 – This mount looks a lot like a typical TV bracket and is a top choice for securing an iPad/iPad 2 in a semi-permanent fashion when the device needs to be featured securely in your display. This high security mount/lock will give you confidence that your device will not be lost or stolen during your next trade show or conference.


Arktis iPad Security Mount Lock – Another option to securely feature your iPad or iPad 2 at signature events. The Arktis is a bit more minimalistic than the RAM system above but another good option for security on the go.


General Laptop/Desktop Cable locks

Kensington is the most trusted name for laptop/notebook/desktop cable locks, so I recommend sticking with one of their basic offerings. Two options are the combination lock or the key lock, depending on your preference. A cable lock deters the opportunist; it will not stop a determined thief with cutters, so treat it as one control among the others on this list.


Kensington Key Lock



Kensington Notebook Combination Lock


Other Trade Show/Conference Security Items

Mobile security mount for TVs/Displays – This top rated mobile security cart should be assembled before you attend the trade show or conference; you can then roll it in and mount your TV once you arrive, simplifying setup. This mount fits TVs/displays between 32 and 60 inches.


Security mount for TVs/Displays – If you need a way to secure TV screens/monitors for your exhibits, this stand is a good choice for models between 23 and 42 inches.


Follow these tips to ensure your next conference or trade show comes off without an information security hitch.

Be sure to check out our recommended iPad and iPad 2 screen privacy options.

Posted in iPad Security, Physical Security

WordPress Plugin Security – Your site's worst security nightmare?

The WordPress security team recently announced that three popular plugins, WPtouch, AddThis, and W3 Total Cache, had backdoored versions committed to the official plugin directory. WordPress.org rolled the plugins back and forced a password reset on all wordpress.org accounts, so if you have one, set a new password there too. If you use any of these plugins and update as soon as updates are available, take prompt action to avoid security problems with your site: if you updated within the last few days, update again now to get the clean versions.

Bad versions of each plugin:

WPtouch: versions 1.9.27 and 1.9.28

AddThis: version 2.1.3

W3 Total Cache: unclear; the latest version is recommended

Good versions of each plugin:

WPtouch: 1.9.26 or older, or the latest version 1.9.29

AddThis: 2.1.2 or older, or the latest version 2.2.0

W3 Total Cache: version 0.9.2.3

WordPress security lessons learned/validated

  • WordPress plugins are of unknown security quality and must be treated as such by sites requiring a high level of security.
  • WordPress core updates and plugin updates should be given a 2-3 week burn-in period before being applied, to avoid defects and issues such as this. That would have prevented exposure to the situation described by WordPress; the only caveat is when failing to update exposes your site to known exploits that are circulating in the wild.
  • Disable, or preferably delete, any WordPress plugins that you are no longer using on your site.
  • Make sure your WordPress site administrator is staying in the loop with WordPress security updates; awareness is half the battle.
  • Keep multiple copies of your site's backups so you have your choice of restore points if the worst
  • Security issues can happen even with trusted plugins. WPtouch is probably the most widely used plugin for mobile device compatibility, and if it can happen to them it can happen to anyone.

Be sure to understand the risk of installing WordPress plugins before doing so, and stay on top of WordPress plugin security news to help keep your site secure.

Posted in WordPress Security

Penetration Test – Does your business need one?

A penetration test is a method of evaluating the robustness of your IT security by simulating an actual attack on your own systems. Penetration testing can be a very valuable tool for identifying the path of least resistance into your company's critical systems and is often an eye-opening experience for management. If your company has not yet embraced the need for effective information security controls, a penetration test might be just what the doctor ordered to raise awareness and build support.

Is your business ready for a penetration test?

The answer depends a lot on the maturity of your information security program. If your business is still developing its information security program, a skilled penetration tester may quickly gain access to all of your systems without much effort, and you might learn only that you are highly vulnerable to attack and little else. My recommendation is to conduct internal vulnerability assessments before a penetration test, unless you are using the exercise as a means to communicate your company's exposure to attack. Unfortunately, information security is sometimes not taken seriously until there is a smoking gun, and a targeted pen test can provide one.

Important items to keep in mind before signing up for a penetration test

  • Choose the company or individual that will perform the penetration test wisely. A lot of sensitive company data will be exposed, so it is important to deal only with reputable people.
  • Make a confidentiality agreement part of the contract.
  • Scope the penetration test to achieve your intended results. Possible penetration test scopes include: full review, external review only, internal review only.
  • The cost of a penetration test can be quite high, so make sure your organization is ready to benefit from the results; otherwise a full security audit may be a better choice.
  • Define objectives for the penetration testers to aim for. These objectives should target the highest-risk business processes, especially if you are performing the pen test to build support for expanding your information security program.
  • Make sure senior management has signed off on the penetration test. Things can go wrong during a penetration test even under controlled conditions, so this is an important CYA step to ensure your career does not go down the tubes.

Other Frequently Asked Questions about penetration tests

Should the penetration test be announced to your technical staff?

Usually it is a good idea to announce the impending penetration test to your technical staff so they know it is occurring, are on hand to support if there are problems, and do not escalate detected activity to a higher level. A counter case for not notifying the technical staff can be made if you want to assess the effectiveness of monitoring controls and wish to avoid having the staff on red alert.

How much information should be provided to the penetration testing team?

Penetration tests differ in how much information is provided to the testing team. Some are basically a blank slate where the team must discover everything without any inside information (black box testing), while in others significant network and system information is provided (white box testing). Hybrid approaches are also possible, where some generalized information is provided but the pen test team must figure out the rest. For external assessments I recommend providing the in-scope external IP addresses and phone numbers (if analog lines are being assessed) to avoid the problems that could arise if the wrong targets are identified.

Can the penetration test have an adverse effect on my systems?

The answer is most definitely yes if the pen testing team does not take steps to minimize the risks to your operations. There is an inherent risk that comes with performing an activity like this, but choosing experienced testers and setting solid rules of engagement can help minimize your exposure.

Are there any established frameworks for conducting a penetration test?

The Open Source Security Testing Methodology Manual (OSSTMM) is the best current framework to help guide a penetration test, including helping a client define the scope of the engagement.

Should I have a member of my team witness the penetration test as a member of the technical team?

If you can negotiate this into the contract terms, and you plan to build your own internal capability to some extent, this is a great way to acquire on-the-job training while the pen test is delivered.

Now that you have more information about penetration testing, you can determine whether your business is a good candidate for one versus a standard information security audit.

Posted in Vulnerability Scanning