Going Beyond Compliance

by Jeff Ahlerich, Director, Professional Services, Coalfire

Perhaps it’s stating the obvious to say that penetration testing is an important exercise for just about any company today. What might not be so obvious is that a bare minimum pen test may not uncover critical vulnerabilities that expose your organization to potentially business-threatening risks. While meeting compliance requirements will make you less likely to experience a breach, compliance, as we all well know, does not equal security. When you consider that the average organizational cost of a data breach is $6.75 million (according to the most recent study by the Ponemon Institute), is it enough to simply meet your compliance obligations? In reality, simply checking the “compliant” box can ultimately leave you with a false sense of security.

Proactive vs. Reactive
Unfortunately, some of our clients have had to react to a serious data breach incident. This is always a costly and disruptive emergency situation. Even if you have a vendor like Coalfire to help with incident response, the damage is done, and the most you can hope for is reasonable containment. However, there are steps you can take to defuse a disaster before it happens. Proactive, in-depth penetration testing or vulnerability assessments are designed to uncover critical weak points before it’s too late. As painful as an IT audit or penetration test may feel while you’re going through it, it pales in comparison to the stress and stakes involved in a serious data breach.

The Human Advantage
Today, system security is commonly measured by performing routine, automated vulnerability scanning. While scanning certainly has its place in maintaining a healthy, secure infrastructure, it shouldn’t be looked upon as a silver bullet for identifying addressable weaknesses. Automated scanning cannot adapt to unique circumstances or environments, and it cannot think as an adversary with malicious intent. The most effective penetration testing is conducted by a living, breathing human being who is supported by the latest technology. Expert penetration testers are not only trained on the latest systems and networks; they also bring experience, intuition, and an intimate knowledge of how unintentional and intentional breaches really happen. They understand human behavior and criminal tactics and can apply them to your technology as well as to your physical facilities to see just how protected (or unprotected) you are.

Testing in Practice
At Coalfire, we were recently hired by a Level-1 merchant to apply our ethical hacking to the PCI zones of their network in search of weak spots. Our initial testing allowed them to check their compliance box. However, digging a little deeper and, pardon the pun, “thinking outside the box”, our analyst found a nearly undetectable hole in a low-priority web application. This flaw allowed him to capture and copy customer records complete with email address, postal mailing address, and telephone information. Fortunately, the database did not contain any credit card information, but in the wrong hands the accessible data would have put customers at risk of spamming, phishing, and fraud. Because this company recognized the need to go beyond compliance, they were able to patch the hole in the application and eliminate the threat of a breach at minimal cost in one day.

Effective penetration testing is necessary to meet certain compliance requirements. However, compliance will only get you started on the path to true data security. While it’s easy to check the compliance box with minimal penetration testing, Coalfire goes beyond the “drive-by” pen test and digs deeper in order to safeguard your data. Of course, no one is ever 100% protected, but forward-thinking businesses that go beyond the minimum scope will be more secure.