An Overview Of Penetration Testing

Posted on August 18, 2017 · Posted in Uncategorized

State Regulators Are Moving to Make Prudent Cyber Security Mandatory

According to LAW360 “Cybersecurity risk pervades all sectors of the economy. Federal regulators have sought to address this risk through guidance, rulemakings and enforcement actions across multiple industries. A series of widely publicized data breaches, the Trump administration’s ongoing regulatory review, and an impending executive order on cybersecurity have redirected a spotlight on the merits, disadvantages and pitfalls of regulation in this field. State legislatures and regulators have also moved in this area. In some instances, state rules apply to specific sectors; the New York Department of Financial Services’ (DFS) recently issued regulations targeting the financial and insurance industries”.

“More than a dozen other states have enacted cybersecurity requirements that sweep far broader, in some cases touching millions of individuals and businesses. Penetration testing is generally for businesses that already have an established IT security policy and system that they are happy with. While they feel their servers are fairly secure, they are still concerned that a particularly skilled or determined hacker might get access to their valuable data or might be able to cripple vital infrastructure by using their systems.”

Penetration Testing is a Critical Part of Any Cyber Security Program


Penetration testing provides an accurate evaluation of your organization’s risk for data breach.

Penetration Testing means a test methodology in which assessors attempt to circumvent or defeat the security controls of an organization’s IT systems and networks. Penetration testers are legal and legitimate teams of cyber security professionals, hired and sanctioned specifically to try to exploit weaknesses and gain access to the subject network.

Vulnerabilities are then researched and reported so that they can be remediated by patching applications, patching operating systems, and locking down other aspects of the environment that are publicly visible to the world.

Both large and small organizations usually contract out to specialists who attempt to penetrate the network remotely. Though this is important for visualizing a security breach scenario from a true outsider’s perspective, internal penetration testing is equally important and is often a requirement of compliance frameworks such as HIPAA and PCI.

Penetration testing has been performed on government and military servers since the 1960s, but there was little reason for other organizations to worry about it until internet accessibility exploded in the 1990s. Since then it has become one of the top cyber security tasks and is virtually mandatory under cyber security frameworks such as the CIS Top 20, NIST, and ISO 27000.

The NetWatchman Penetration Testing Process

  • Discover and map all visible network devices/applications
  • Identify and remediate network security vulnerabilities, including:
      • Potentially exploitable vulnerabilities and services
      • Outdated software, services, and operating systems
      • Unpatched or out-of-date security anomalies on hosts
  • Measure and manage overall security exposure and risk
  • Ensure compliance with internal policies

The penetration test report, provided after the scanning and analysis have been conducted, is an easy-to-understand and comprehensive technical explanation of the real and possible threats that exist within the subject organization. In addition, the report includes recommendations for remediation, such as how to modify policies, update system configurations, and make other necessary changes to best secure your network and systems.