With a background in application support, St. Ambrose University’s Shelly Lowery knew software and IT services – but cybersecurity wasn’t part of her background.
When the university’s IT director left in early 2017, however, Lowery inherited the four-person network team. And along with that role came responsibility for cybersecurity initiatives.
Before Lowery moved into her new position, the decision had been made to boost cybersecurity efforts after a conversation between the IT staff and the university’s Board of Directors, which includes a few members with IT backgrounds. The Board’s audit committee felt strongly about the importance of conducting a penetration test and risk assessment to evaluate network security, uncover vulnerabilities, and identify potential threats.
A cybersecurity firm had been chosen to complete a penetration test – and it was scheduled for Lowery’s second week on the job. “As someone without a network background, I was panicking. I went home every night and researched terminology. I wanted to be prepared for what I heard.”
To give you a first-hand look at what it’s like to go through a penetration test and risk assessment, Lowery shares insights into working with a cybersecurity firm for the first time.
What a Penetration Test Offers
To check for weak points caused by improper system configuration, hardware or software flaws, operational weaknesses, or end-user behavior, ProCircular spent two days onsite at St. Ambrose University applying a series of manual and automated techniques to evaluate network security.
The penetration test included analysis and testing of:
- Border devices (firewalls, gateways, routers, etc.)
- DMZ/network architecture designs
- Email credentials
- External IP addresses
- Internal vulnerabilities
- Onsite physical security (cameras, access control, alarm systems)
- Remote access/VPN services
- Web addresses
Verified vulnerabilities were tested through attempts to circumvent security processes and controls. In other words, ProCircular tried to gain network access the way an attacker would. Where data was exposed or accessible during this testing, the testers attempted to retrieve it, simulating how an attacker's attempt to extract that data would play out in real life.