What is Penetration Testing?

In the world of information security, Penetration Testing is the practice of checking and testing an organization’s network, servers and services for loopholes and vulnerabilities that an attacker could exploit.


Penetration testers are called white hats. They perform hacking in ethical ways, without causing any damage to the computer system, thereby strengthening your organization’s security perimeter.


Penetration Testing is required because it highlights flaws in hardware and software system design and operation, and, quite importantly, in personnel readiness. Early identification helps protect the network; vulnerabilities that are not identified early become an easy intrusion point for the attacker.

Where to Start with Your Risk Management?

Understanding and identifying risks is essential to a well-built and sustainable business. Being in touch with the threats and the ways to counter them is essential for a safer working environment.


Risk Management is the most important instrument of Information Security Governance. It provides a framework for the assessment and successful management of risks. Sadly, this is something usually done poorly, or neglected completely, by a surprisingly large number of organizations today. Risk management allows companies to devise and implement economically viable risk countermeasures. All activities involve risks, which are in turn derived from threats, vulnerabilities and impact. Properly identifying weaknesses and assessing the associated risks is essential, and pays off in the long run.

The Role and Purpose of Training & Awareness in Information Security


Do not be alarmed to find out that your organization is somewhere in the first couple of levels on the diagram below. Awareness is the first step, and you have much to gain just by educating your personnel, or just yourself.




Team Development, Internal Audit & Control 101

The development of a company’s employees is of major importance. Ultimately, progress and growth are what everyone is after, but for that to happen, processes, workflow and ethics must all be under control.

To create a secure operations environment, an organization needs to build its structure and staff it in line with a proper approach to the human factor in Information Security. Failing to do so usually results in a lack of direction, misplaced responsibility and, ultimately, operational disruptions.


THE TOP-DOWN APPROACH – Information Security is never built from the bottom up. Do not assume that everyone in the organization is tuned in to what needs to be done regarding Information Security, and how. The major roles are usually defined as:


Senior Management – creates the information security program, ensures proper and adequate staffing and funding, and gives it organizational priority. It is responsible for ensuring that organizational assets are protected.


The Purpose of Intrusion Detection & Prevention Systems

An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is primarily a preventive device designed not only to detect but also to block malicious actions.


Depending on their physical location in the infrastructure and the scope of protection required, IDSs and IPSs fall into two basic types: network-based and host-based. Both serve the same function; which type is deployed depends on strategic considerations.

WHY ARE IDS AND IPS SYSTEMS NECESSARY?

IDS and IPS devices employ technology that analyses traffic flows to the protected resource in order to detect and prevent exploits and other vulnerability-related issues.


These exploits manifest themselves as ill-intended interactions with a targeted application or service. The goal is to interrupt and gain control of an application or a machine, enabling the attacker either to disable the target, causing a denial-of-service condition, or to gain access to the rights and permissions available through the target.