A concern we often hear while scoping security assessments is the impact on an organization's day-to-day operating rhythm. This is a valid concern: the last thing an IT leader wants is to disrupt the business when the disruption could have been avoided. The first request is usually to test after hours or outside standard business hours. While our answer is always "yes, we can accommodate that", it often comes with an increased testing rate. Every business is different, and in some cases testing off hours truly is the best option, but frequently we find that it isn't necessary.
While all security testing carries some risk, doing it off hours usually doesn't change the outcome. A few things to consider:
- Externally facing systems are constantly being scanned, attacked, and probed on a regular cadence. If you have ever monitored the logs of an externally facing system, you will have seen surges of connections arriving in short bursts. If your systems have a consistent uptime under that background noise, a penetration tester's activity should not push you outside your current norm.
- Penetration testers don’t go for denial-of-service attacks and try to stay within your lockout threshold for authentication attempts.
- Most security assessments are predominantly manual in nature. Automated scans are used, but they make up only a small portion of an assessment.
- Most clients find that they can handle an outage easier during business hours when technical resources are readily available.
- Internal assessments are strongly recommended to take place while users are active on the network, so that man-in-the-middle attacks can be attempted. Leaving this piece out of an internal assessment would not give you the full picture, because that is exactly what your attackers would likely do.
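The first consideration above rests on a measurable claim: an externally facing system already has a "current norm" of connection volume, and in-hours testing should sit inside it. The following script, an added example written for this post rather than TCM Security code, shows one way a defender can check that before and after an assessment. It aggregates access-log lines into connections per hour, derives a baseline band (mean plus three standard deviations) from a week of history, and reports which hours of a test day fall outside that band. The log format, the day/night traffic profile, the night-time scanner burst in the baseline, and the choice of a three-sigma band are all constructed assumptions for illustration.

```python
"""Is test-window traffic inside the organisation's existing norm?

Added example for this post (not TCM Security code). The access-log format,
the day/night volume profile and the 3-sigma band are all constructed
assumptions used for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Return (hour_bucket, source_ip) for one constructed log line, or None
    for blank or malformed lines so a bad line never aborts the run."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.strptime(parts[0], TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts.replace(minute=0, second=0, microsecond=0), parts[1]


def hourly_counts(lines):
    """Aggregate raw lines into connections per clock hour."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[0]] += 1
    return counts


def baseline_band(counts, k=3.0):
    """Mean, population std dev and upper bound (mean + k*sigma) of hourly volume."""
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    return mu, sigma, mu + k * sigma


def hours_outside_norm(counts, upper):
    """Hours whose volume exceeds the baseline upper bound."""
    return sorted(hour for hour, n in counts.items() if n > upper)


def constructed_lines(day_start, profile):
    """Emit one constructed log line per hit; profile maps hour-of-day -> hits."""
    lines = []
    for hour, n in profile.items():
        for i in range(n):  # n stays well below 3600, so one hit per second fits
            ts = day_start + timedelta(hours=hour, seconds=i)
            ip = f"203.0.113.{i % 200 + 1}"  # documentation range, constructed
            lines.append(f"{ts.strftime(TS_FMT)} {ip} GET / 200")
    return lines


def business_profile():
    """Constructed daily shape: 40 hits/hour 08:00-17:59, 12 hits/hour otherwise."""
    return {h: 40 if 8 <= h < 18 else 12 for h in range(24)}


def build_baseline_lines():
    """Seven constructed days of background traffic, including one night-time
    scanner burst of the kind every externally facing host sees."""
    start = datetime(2024, 3, 1, tzinfo=timezone.utc)
    lines = []
    for day in range(7):
        profile = business_profile()
        if day == 2:
            profile[2] = 90  # constructed scanner burst at 02:00 on day 3
        lines += constructed_lines(start + timedelta(days=day), profile)
    return lines


def build_test_day_lines(peak_hits, hour=10):
    """Constructed day with a tester active at `hour`, generating `peak_hits`."""
    profile = business_profile()
    profile[hour] = peak_hits
    return constructed_lines(datetime(2024, 3, 11, tzinfo=timezone.utc), profile)


def assess_test_day(peak_hits):
    """Hours of the test day that fall outside the 7-day baseline band."""
    _, _, upper = baseline_band(hourly_counts(build_baseline_lines()))
    return hours_outside_norm(hourly_counts(build_test_day_lines(peak_hits)), upper)


if __name__ == "__main__":
    mu, sigma, upper = baseline_band(hourly_counts(build_baseline_lines()))
    print(f"baseline: mean {mu:.1f}/h, sigma {sigma:.1f}, upper bound {upper:.1f}/h")
    print("manual testing at 60 hits/h, flagged hours:", assess_test_day(60))
    print("flood-scale 500 hits/h, flagged hours:", assess_test_day(500))
```

With the constructed baseline, the upper bound works out to roughly 68 connections per hour, so a manual assessment adding 60 hits in its busiest hour stays inside the norm, while a flood-scale 500 hits in one hour is flagged. Feeding real exported logs into `hourly_counts` in place of the constructed lines turns this into a before/after check a defender can run around an assessment window.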
During our scoping calls we discuss the particulars of your situation and the risks associated with a security assessment in your environment. While the considerations above should be recognized, there are times when after-hours testing should be conducted, such as time zone differences, older technologies in use (often found in the medical sector), or simply for peace of mind. We're happy to accommodate your testing requirements and would love to discuss your current security posture with you, so feel free to contact us.
About the Author: Heath Adams
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com