How Pen Testing Can Help Maintain Industry Compliance
By: Rick Belisle, Managing Director at CISO Global
In 2021, damages attributed to cybercrime amounted to $16.4 billion a day, $684.9 million an hour, $11 million per minute, and $190,000 per second, according to Cybercrime Magazine. In the face of these alarming statistics, organizations are increasingly seeking ways to improve their security posture, turning to cybersecurity experts to help them fend off cyber-attacks.
A key way that organizations can proactively protect their networks, financial resources, and valuable data is by building a cybersecurity culture through routine audits, employee security training, and organizational cybersecurity assessments. The goal is that the organization, at all levels, maintains an active, ongoing understanding of current attacker methodologies and exploits and follows up-to-date best practices. One such best practice is to undergo regular penetration testing.
What Is Penetration Testing and How Can It Help My Organization?
Pen(etration) testing, also known as ethical hacking, is a simulated cyberattack against an organization, carried out with its authorization and within an agreed scope and rules of engagement. Pen testers use the same techniques that real attackers employ to evaluate how well the organization's security controls stand up to both internal and external threats.
A pen test plays an integral part in an organization's cybersecurity culture by discovering weaknesses or vulnerabilities in the enterprise so that management can develop a plan to remediate them. In highly regulated industries, such as health care and banking, penetration testing also produces evidence that documented controls are actually in place, which helps companies demonstrate compliance.
Pen testing generally involves five stages:
- Planning and reconnaissance: The pen tester agrees the goals and scope of the test with the organization and gathers intelligence on the in-scope systems (public records, DNS, exposed services, and so on).
- Vulnerability determination: The pen tester identifies potential vulnerabilities in the accessible systems and services, typically combining automated scanning with manual inspection.
- Validation and exploitation: Once potential vulnerabilities are identified, the pen tester attempts to exploit them to confirm which are real issues (rather than scanner false positives) and to determine the extent to which they affect the vulnerable system(s) and the overall environment.
- Pivoting: Using any access or privileges gained in the previous step, the pen tester attempts to reach and compromise further systems, which shows how far a real intrusion could spread beyond the initial foothold.
- Analysis and documentation: The pen tester rates the identified and validated vulnerabilities from an overall risk perspective and documents them, together with the evidence and remediation recommendations, in a final report.
Pen tests can also help an organization measure its incident response capabilities: by recording which attack techniques the test used and when, and comparing that record with what the internal security team detected and how it responded, gaps in monitoring and response become visible. When this is done collaboratively, with the testers and the defenders working together in real time, it is known as a Purple Team Exercise.
How Pen Testing Can Help Organizations Meet Regulatory Requirements
Many industries require companies in their sectors to adhere to specific regulations and compliance standards. Two examples are health care's Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the payment card industry's Data Security Standard (PCI DSS). HIPAA does not explicitly mandate penetration testing, whereas PCI DSS does; in both cases, pen testing helps organizations validate that their security-related controls are in place and working.
The sections below provide more details about these industry regulatory groups and the role pen testing can play.
Cyberattacks on health care providers are almost constant: a 2022 industry survey found that reported ransomware attacks on health care organizations rose 94 percent year over year, with more than two-thirds of surveyed organizations reporting an attack. These organizations' networks hold large amounts of sensitive patient data, making them lucrative targets. Third-party vendors serving the health care industry are also attractive targets. Malicious actors can attack a vendor both to steal the data it holds and to abuse the vendor's privileged access to the networks of all the health care providers it serves.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the federal law that governs the privacy, security, and electronic exchange of protected health information. Its Security Rule requires covered entities and their business associates to perform periodic technical and nontechnical evaluations of the safeguards protecting that information.
Penetration testing can help health care-related organizations meet the HIPAA Evaluation standard, § 164.308(a)(8), which requires a periodic technical and nontechnical evaluation of how well the organization's security policies and procedures meet the Security Rule's requirements; it also complements the risk analysis required under § 164.308(a)(1)(ii)(A). Essentially, a penetration test provides validation that the controls defined in the documentation have been implemented effectively and are working as described. Although pen testing is not specifically mandated by HIPAA, the National Institute of Standards and Technology (NIST) guide to implementing the HIPAA Security Rule (NIST SP 800-66) lists it as an evaluation activity: "[c]onduct penetration testing (where trusted insiders attempt to compromise system security for the sole purpose of testing the effectiveness of security controls), if reasonable and appropriate."
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that ALL companies that accept, process, store, or transmit cardholder data maintain a secure environment. Under Requirement 11 (11.3 in PCI DSS v3.2.1, 11.4 in v4.0), companies are required to undergo internal and external penetration testing at least once every 12 months and after any significant infrastructure or application change.
The PCI Security Standards Council's Penetration Testing Guidance stipulates that the scope of the penetration test must include "the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces)," where the CDE is the cardholder data environment.
The PCI DSS testing procedures direct assessors to examine the results from the most recent penetration test to verify that it:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP 800-115)
- Includes coverage for the entire CDE perimeter and critical systems
- Includes testing from both inside and outside the network
- Includes testing to validate any segmentation and scope-reduction controls
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
- Defines network-layer penetration tests to include components that support network functions as well as operating systems
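As an added illustration of the fourth bullet (this is example code written for this article, not a PCI SSC tool or anything from the original page), the Python script below shows the core of a segmentation validation check: from a host placed in a network segment that is supposed to be out of scope, attempt TCP connections to the CDE hosts and ports; any completed handshake proves the segmentation control is not isolating the CDE, and the check fails. The host addresses, ports and labels are constructed for the demo, and run_demo() stands up a throwaway listener on loopback to play the role of a reachable CDE service.

```python
"""Minimal PCI-style segmentation check (illustrative example, not a PCI SSC tool).

Run from a vantage point that is supposed to be *out of scope* (for example the
corporate LAN).  Every target listed is a CDE host/port.  If any TCP handshake
completes, the segmentation control is not isolating the CDE and the check fails.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Target:
    host: str   # CDE host (IP or name); the values used below are constructed
    port: int
    label: str  # free-text description carried into the report


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a full TCP handshake completes; refused, filtered or unresolvable -> False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_segmentation(
    targets: Iterable[Target],
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> Tuple[bool, List[Target]]:
    """Return (passed, reachable_targets).

    passed is True only when *no* CDE target answered.  `probe` is injectable so
    the same pass/fail logic can be driven from saved scanner output instead of
    live connects.
    """
    reachable = [t for t in targets if probe(t.host, t.port)]
    return (len(reachable) == 0, reachable)


def _loopback_listener() -> Tuple[socket.socket, int]:
    """Throwaway listener on 127.0.0.1 that stands in for a reachable CDE service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)                   # the kernel completes handshakes without accept()
    return srv, srv.getsockname()[1]


def _closed_port() -> int:
    """Find a loopback port with nothing listening (bind, read the port, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo() -> dict:
    """Self-contained demo: one hypothetical CDE service reachable, one properly blocked."""
    srv, open_port = _loopback_listener()
    try:
        targets = [
            Target("127.0.0.1", open_port, "payment-db (hypothetical, listening)"),
            Target("127.0.0.1", _closed_port(), "pos-gateway (hypothetical, blocked)"),
        ]
        passed, reachable = check_segmentation(targets)
    finally:
        srv.close()
    return {"passed": passed, "reachable": [t.label for t in reachable]}


if __name__ == "__main__":
    result = run_demo()
    verdict = "PASS" if result["passed"] else "FAIL"
    print(f"segmentation check: {verdict}")
    for label in result["reachable"]:
        print(f"  reachable from out-of-scope segment: {label}")
```

A real segmentation test goes further than this script: it is run from every out-of-scope segment toward the CDE (and from the CDE outward), covers all ports and UDP/ICMP rather than a short TCP list, and its results are retained as evidence for the assessor. The injectable probe is there so the same pass/fail rule can be applied to parsed scanner output once the live scanning is done with a proper tool.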
What Do I Need to Consider When Choosing a Penetration Testing Company?
Staying compliant in a highly regulated environment means keeping up with the latest cybersecurity strategies. Bringing in an independent, third-party penetration testing company gives you an outside view of your attack surface. Many organizations test annually or every six months; testing more frequently, and always after significant changes, shortens the time a new weakness goes undetected.
Here are things to consider when choosing the pen testing company that best fits your needs.
- Make certain the pen testing team is experienced in your industry.
- Check that the pen testing team has extensive hands-on experience specializing in pen testing and/or holds credentials such as the EC-Council Certified Security Analyst (ECSA), Licensed Penetration Tester (LPT), Offensive Security Certified Professional (OSCP), or Certified Ethical Hacker (CEH) that help validate its skillset.
- Ensure that they will share the documented methodology they use for the pen test, and that the final report will include evidence for each finding and clear remediation guidance.
Let us know how we can be your trusted Pen Testing partner – contact CISO Global to speak with our team of experts.