The Compliance and Ethics Blog

SCCE/HCCA

The Components of Strong Cybersecurity Plans Part Five: Penetration Testing

by Leave a Comment

By Mark Lanterman, Chief Technology Officer, Computer Forensic Services
Carolyn Engstrom, Director of Corporate Compliance

In the fifth and final installment of this cybersecurity series, I will discuss the role of penetration testing in developing a strong security program. As described in my previous four articles, a growing awareness of cybersecurity regulations, trends, and threats has led many organizations to request a penetration test of their technical infrastructure—without really knowing what that means, what its purpose is, and what degree of assurance it really offers.

When I ask if they have already conducted a security assessment, know their controls, have implemented regular vulnerability scanning, and have security auditing procedures in place, they usually respond with “That’s what we’re asking for. We want a penetration test”. In this way, penetration testing and all the other components of cybersecurity plans have become synonymous terms. This conflation is especially prevalent in small to medium-sized firms. However, each component is separate and distinct within a mature security program all serving different purposes, leveraging different methodologies, providing different levels of assurance and benefits, requiring different skills from the assessor, providing different deliverables, and are performed at different stages of a security program’s development. In order to reap the most benefit from a penetration test, the organization should be able to answer the following five questions based on the previous maturity assessment, security risk assessment, and security audits.

  • Do we know what is connected to our systems and networks at all times?
  • Do we know what software is running, or trying to run, on our systems and networks?
  • Are we continuously managing our systems using “known good” configurations?
  • Are we continuously looking for, and managing, “known bad” software?
  • Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings?

A penetration test is an attempt to defeat boundary defenses and gain access to an organization’s internal network by exploiting vulnerabilities. This test is used to determine whether an unmitigated risk exists. In this sense, it tests whether an outside attacker could bypass perimeter controls, gain access to the internal network, and establish command and control capabilities. Many techniques can be employed during a penetration test including vulnerability scanning and social engineering attacks.

Social engineering attacks are targeted at exploiting the human vulnerabilities in an organization. Spear phishing emails, unauthorized issuing of credentials, and taking advantage of physical vulnerabilities can all be examples of ways in which an assessor will use social engineering during a penetration test.

If a security assessor is unable to stage a successful penetration test, this confirms that, taken as a whole, internal controls are operating effectively to externally protect the organization from threats. With these results, management may mistakenly assume that the organization is secure. However, unlike broader security audits, a penetration test provides limited assurance to a specific point in time. Depending on the timeline, results could vary substantially. A penetration test conducted one day could fail to reveal serious vulnerabilities that appear the next day. Risk levels are always changing, which is part of why a complete understanding achieved through maturity assessments, security assessments, security auditing, and regular vulnerability scanning is so critical. Penetration testing provides only a glimpse of an organization’s overall security posture.

Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, the fact remains that it is very important and these tests are frequently required for compliance with regulations. A penetration test’s objective is essentially to circumvent security controls, providing a different perspective than other security audit measures. Therefore, penetration testing may uncover issues that a traditional security audit or assessment may not.

In conclusion, complete security plans incorporate a number of factors, all of which are important in establishing a strong cybersecurity posture. Each stage and technique of the process ought to be regularly conducted in order to provide baselines and comparisons for improvement. But it should be noted that in spite of an organization’s best efforts, no security policy is perfect. Given the constantly changing nature of technology and its inherent risks, security policies have to evolve to meet the demands of our digital landscape.

The Components of Strong Cybersecurity Plans Part Five: Penetration Testing Click To Tweet

Information Security (InfoSec) for the Compliance Professional [SlideShare]

by Leave a Comment

By Doug Stupca
Social Media Coordinator at SCCE/HCCA
Original Presentation by Jim Donaldson

Here is “Information Security for the Compliance Professional” from the 2016 Compliance & Ethics Institute on our SlideShare page. This presentation highlights:

  • Security from the ground-up – Understanding the necessary elements of every InfoSec program regardless of organization size and complexity.
  • You can’t have privacy without an effective InfoSec program – how to hardwire your privacy and InfoSec efforts for ultimate data protection.
  • It’s all in the documentation – how to document your InfoSec program in a way that demonstrates compliance.

Enjoy!

The 2017 Compliance & Ethics Institute will be held October 15 – 18 in Las Vegas, NV.  Details here.

5 Ways to Enhance Information Security Compliance

by Leave a Comment

john_o_brienBy John O’Brien
JOBrien@interactiveservices.com

Before writing this article, I typed the term ‘security hack’ into Google. And the results? Over 160,000 articles. But you probably know this already if you work in the public sector or regulated industries such as utilities, legal or financial services.

This article highlights five ways to take your information security compliance to the next level. These principles are not simply about protecting yourself against prosecution from information security regulators, but they can also safeguard against reputational or financial damage to your organization.

  1. Information Security Policy Compliance Training

Every organization is obliged by law to have an information security compliance policy in place that provides a range of steps and measures to be followed and adhered to. If these policies are not in place and in practice, regulators reserve the right to prosecute your business.

But compliance is not just about having a policy in place – it needs to be a living, breathing part of the organization, and the most direct route to this is by providing formal compliance training. Training needs to be addressed at all staff levels, and should be updated regularly to take new risks or new responses into account.

  1. Access Prevention

Prevention is better than cure, so you need to constantly focus on the security measures you put in place to prevent unauthorized access to sensitive data. This could be anything from updating your level of encryption to improving the storage security of administrative passwords. Access allowance and rules should also be made clear to all employees as part of their regular Information Security Compliance Training programs.

  1. Carry Out Regular Audit Reports

The threats to security are continuously changing and evolving, so it’s important that your organization carries out regular audit reports to assess the robustness of your information security – and the measures you’re taking to keep it up-to-date. If it can’t be measured, it can’t be managed – so having an accurate audit at regular intervals allows you to decide ‘what comes next’ in terms of your overall data security plan.

  1. Response and Remediation Plan

Plan for when a security breach will take place – rather than if it takes place. That way, you’re prepared for the worst, and can also have a detailed response and remediation plan in place. How effectively and how quickly you respond to a breach can define how serious your organization is about data security and protecting the reputation of your business. Your compliance training program should prepare employees for potential breaches and highlight the importance of being on high alert. Cyber-attacks on data security are now at an all-time high so being extra vigilant is essential.

  1. Have Insurance In Place

If you accept the premise that all organizations will eventually succumb to a security breach, it follows that you need to have formal insurance measures in place – both for your business and for any of your customers who may be impacted by the breach. Response expense coverage can help to quickly restore confidence in your organization through notification to impacted customers or clients, public relations costs, legal and liability expenses.

The repercussions of a data security breach could far outweigh the cost, time and effort involved in implementing an effective information security strategy. Taking precautions to safeguard the data of you and your customers is a matter of protecting the integrity, reputation and ongoing success of your business.

Is information security a priority for your organization? If not, it should be!

John is Marketing Manager for Interactive Services, an award-winning developer of compliance training solutions for the world’s leading organizations. Our Compliance Learning Center is an innovative compliance training solution that enables client organizations to access all of their employee compliance training content one platform – Information Security, Insider Trading, AML, ABC, Workplace Conduct and more.

Twitter: @Learn_IS

Email: jobrien@interactiveservices.com