With hackers growing more sophisticated by the day and data breaches the new normal, more companies are taking security seriously. That's a good thing, especially when it comes to companies that deal with the country's finances or infrastructure.
However, one of the big unknowns when it comes to security is whether or not it actually works. You won't really know until hackers come calling and either get blocked or go right through the security like it isn't even there. That's why companies do something called "penetration testing."
Essentially, the company hires white-hat, or "good," hackers to try and break through their systems. These security experts can then tell the company where it needs to improve before the bad hackers show up.
Of course, this service doesn't come cheap, which is why many companies don't bother or don't do it as regularly as they should. That's also why the Department of Homeland Security has a program called the National Cybersecurity Assessment and Technical Services, which will scan private companies for free. The company does need to be part of the country's "critical infrastructure," such as the finance or energy sectors.
The DHS test has two parts: the Risk and Vulnerability Assessment (RVA) and Cyber Hygiene. In the RVA, the DHS looks for external weaknesses in the company's systems and tries to exploit them. That includes sending phishing emails to company employees. Chillingly, the DHS reports that phishing emails have a 25% click rate.
The Cyber Hygiene portion has the DHS scanning for both internal and external problems that could let a hacker get more information than they should have. This is the same test the DHS runs on federal agencies.
While security experts say that there are some good aspects to this program, it also raises some questions about liability. What if the DHS team stumbles across customer data that the government isn't supposed to have? If the DHS says a company is fine and then it gets hacked later, is the company off the hook? Should the government be competing with private sector companies?
Plus, according to security experts, in penetration testing on government systems, any vulnerabilities are supposed to be sent to the NSA. The NSA can then fix the problem for the government and potentially use it for its own surveillance purposes on other systems. If the DHS finds flaws in private company systems, does the NSA get looped in the same way?
Since the program has been mostly under the radar until recently, security experts are just starting to examine the implications, and they still don't have all the details. We're sure they'll keep digging, however, to find any problems.
While government or private company penetration testing is a little much for individual computer users, it's still a good idea to test your security before the hackers do.