The Value of Network Penetration Testing
In a recent online periodical, the owner of a Minneapolis-based retailer lamented the fact that his business's website had been compromised in spite of paying a “managed security services provider $6,000 per year to continuously hack away” at the company’s servers to ensure they were staying abreast of the latest security vulnerabilities.
For a lot of business owners, $6,000 may feel like a solid investment, but the service this owner got in return was not comprehensive. He was receiving an automated vulnerability scan, which produces a generic test of the computer system — it wasn't tailored to his unique enterprise. It would be like expecting a general physician to diagnose a rare genetic disorder.
What the business really needed was network penetration testing. A penetration test involves a group of ethical, experienced "white hat hackers" who are hired to break into your systems to reveal your specific security gaps. Such in-depth testing identifies weaknesses that can be exploited, and exceptions to otherwise sound practices and configurations. The results should be used to design or improve your security program.
Make sure that you are engaging professionals who have the skills and experience necessary to properly test e-commerce and marketing websites, whenever those systems or sites are changed or updated (this is a requirement for PCI credit card security compliance). Here are more ideas to help:
- Closely monitor online and internet-facing systems for unusual activity and changes.
- Regularly test internet-facing systems for vulnerabilities and to ensure the continued use of secure coding practices. This testing should be performed by experienced individuals who are independent of the system administration role.
- Keep current on technical defensive measures such as firewalls, intrusion detection systems, spam filters, antivirus software, and security update patches.
- Ensure that online systems hosted by a service provider are regularly tested. Require the service provider to provide you with an SSAE 16 SOC report to confirm they are following sound practices that meet your needs.
How we can help
Business owners are in a challenging spot because there is no magic bullet to manage online payment risk. A network penetration test is just one component of a multi-layered security management program. So much relies on the integrity of your data — from functional areas to customer communication — that cost-effectively managing and mitigating those risks must be a priority.