6th March, 2020
When protecting carrier scale infrastructure there are a number of good practices and steps to follow to ensure the continued safety and operability of your network. This includes ensuring your cyber security supply chain, which you are reliant on to protect your organisation’s infrastructure, thoroughly hardens their hardware and software against vulnerabilities.
Cyber hardening helps reduce a system’s vulnerabilities which an attacker will exploit for illegal purposes. Cyber Security vendors like Telesoft use VAPT: vulnerability assessment and penetration testing. Vulnerability assessment is a process in which hardware and software such as operating systems and application software are scanned in order to identify the presence of known and unknown vulnerabilities.
A pen test is an authorised simulated attack on a computer system, performed to evaluate the security of the system…before a hacker does. The test is performed to identify potential security holes, which may include weak spots that unauthorised parties will exploit to gain access to a product’s features and data, as well as its strengths, enabling a full risk assessment to be completed. This should be documented and provided upon request to technical leads and purchasers for compliance, corporate security standards and policies.
The process should identify the target systems and a particular goal, then review available information and undertake various activities to attain that goal. A penetration test target may be a white box (where the tester will be given background and system information) or black box (where the tester will only be provided with basic or no information except the company name). A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor).
Types of penetration testing
There are a number Open Source penetration testing tools that are designed to be used by people with a wide range of security experience and as such are ideal for developers and functional testers who are new to penetration testing. Tools such as Nmap, Burp Suite, OWASP Zap, SQLmap and Metaspoilt are just a selection of the tools available, while some are completely open source, others require licence payments to unlock extra functionality.
Device hardening is an essential foundational component of any trustworthy system at any scale but is especially imperative at carrier scale. When you are responsible for the integrity of complex, carrier-grade network with more than 100Gbps of throughput, minimising the risk to your organisation is imperative. This important step in a product’s development can negate many preventable issues such as insecure system configuration that could let a remote attacker bypass the management console authentication with “crafted HTTP packets”. From an IT decision-makers perspective ensuring that products have been properly hardened at the proof of concept stage takes up much less resource then cleaning up after an avoidable attack.