Penetration Testing: Adding Value to Your Security Posture
October 9, 2017
As you strive to make HIPAA compliance one of the most important aspects of your organization, you likely have technology and procedures in place to protect yourself from data theft. 2017 has seen tons of ransomware attacks, and you don’t want to be a victim, too. You update patches regularly, and perform a new risk assessment at least once a year – but can you protect yourself from every security weakness?
This week, we’ll discuss how to protect your network and PHI through penetration testing, with pointers and help from Drew Green, Director of Information Technology and Security Services at Thomas, Judy, and Tucker. Green leads the penetration testing effort offered through Total HIPAA, and we recently interviewed him to have him share his vast knowledge of penetration testing.
What is Penetration Testing?
You may have heard penetration testing called ‘pen test’ or ‘ethical hacking’. It’s when someone acts like a hacker – they analyze network environments, identify potential vulnerabilities, then purposely exploit those vulnerabilities. Pen testers are on your side, and the vulnerabilities they test for may exist in operating systems, services and application flaws, improper configurations, or risky end-user behavior. Pen tests can be automated by using software applications, or they can be performed manually. The process includes gathering information about the target before the test, identifying possible entry points, attempting to break in, and reporting back the findings. The main objective of penetration testing is to determine security weaknesses.
It’s important not to confuse penetration testing with vulnerability testing. Green advises that many companies advertise penetration testing when what they’re really selling you is a vulnerability scan. Vulnerability scans involve automated software that scans the network. While they’re helpful in some instances, they don’t actually try to hack into you.
Penetration testing is an integral part of your compliance plan. On top of being a requirement for HIPAA compliance, the increased number of healthcare record hacks and the resulting costs make penetration testing an increasingly valuable necessity.
Why is Penetration Testing Important?
The HIPAA standard – 45 CFR 164.308(a)(8) – explains that you need to perform periodic technical evaluations of your systems. “The increased number of hacks of health records and the resulting costs makes penetration testing an integral part of a comprehensive HIPAA compliance plan,” states Jason Karn, Chief Compliance Officer at Total HIPAA.
Does your organization really need this type of testing? Green states, if your company deals with sensitive information like payroll records, financial records, medical records, legal resources, or even intellectual property that, if released, could be an advantage to a competitor – you need it. Green suggests conducting a business risk assessment, which will probably show that your information is sensitive and it needs protecting. “If you look at penetration testing as an insurance policy, so to speak, you’ll likely see that it’s going to be worth the investment.”
Organizations need to conduct regular penetration testing of their systems for the following key reasons1:
- Gives security personnel real experience in dealing with a hack. A penetration test should be done without informing staff, which allows an organization to test whether its security policies are truly effective.
- Uncovers aspects of security policy that are lacking. For example, many security policies give a lot of focus to preventing and detecting an attack on an organization’s systems but neglect the process of evicting an attacker. You may uncover during a penetration test that while your organization detected attacks, security personnel could not effectively remove the attacker from the system before they caused damage.
- Provides feedback on the most at-risk routes into your company or application. Penetration testers think outside of the box – they attempt to get into your system by any means possible, like a real-world attacker would. The reports generated by penetration tests provide you with feedback on prioritizing any future security investment.
- Reports can be used to help train developers to make fewer mistakes. If developers can see how an outside attacker broke into an application or part of an application they helped develop, they will be more motivated to improve their security skills and avoid making similar errors in the future.
It’s important to remember that a penetration test is only as good as what you do with the results of the report. If you do not make changes to your security based on the report findings, you may as well not have penetration testing performed at all.
Who Should Perform Penetration Testing?
Regardless of whether your penetration tester is in-house or is a third party, you need to make sure they use the correct methodology when conducting the test. Green suggests to first look for what certifications they have.
The OSCP (Offensive Security Certified Professional) certification is one of the most trusted when it comes to actual penetration testing. Green says, “The CISSP (Certified Information Systems Security Professional) is a more management focused certification that you probably want at least somebody on the team to have in order to ensure that they are going to correctly translate everything discovered a way that management can consume.” Green goes on to say that the CEH (Certified Ethical Hacker) is not a great certification for practical penetration testing. If that’s the only certification someone has, you might want to think twice about going with them. While there’s certainly nothing wrong with a CEH certification, the more advanced technical certifications like the OSCP are more hands-on, and better suited when selecting a pen test provider.
How Often Should a Penetration Test Be Performed?
It’s recommended that penetration tests are performed on an annual basis. Many small to medium-sized practices and companies might have a hard time making that type of financial commitment, but the alternative can be quite costly. Penetration tests start at $1500, depending on the provider, and types of systems tested. This is significantly cheaper than mitigating a hack, which can run in the tens of thousands of dollars for a small to medium sized practice or company. Green recommends that penetration tests be performed any time that there’s a network change. For instance, if there’s a new firewall installed, or if an IT vendor has altered your system. And if at all possible, you’ll want to perform a comprehensive penetration test at least every three years.
A penetration test is the best way to determine your real-world security posture. While HIPAA regulations do force you to be compliant, they don’t guarantee security. They serve as a great set of checklists towards a secure organization and clearly provide value, but they don’t take the place of true security.
“Penetration tests are an integral part of a full security audit which should be conducted on a regular basis,” explains Green. Total HIPAA penetration testing replicates techniques used by hackers to determine how a system will react to an attack, identify weaknesses, and determine what information can be acquired. Penetration testing is performed from multiple angles: against public-facing servers via the Internet, and against internal systems from within the network. In-depth scans are performed against servers identified in the research process to determine exactly what software is exposed to the outside world. Using a combination of open-source and proprietary hacking tools, attacks are carried out on these systems, attempting to gain unintended access to the servers.
Upon completion of testing, a detailed report is produced which includes a summary of steps taken to infiltrate company systems, missing/ineffective controls, action-items to secure the business organized in a timeline based on severity, and technical data to assist with remediation.
Three levels of testing are available:
- Silver – This service is recommended for smaller organizations operating a public website that might include an e-commerce storefront. Testing includes evaluation of the security of the public facing servers or a remote-access server.
- Gold – Recommended for small- to medium-sized organizations of 10 to 250 employees with internal file and email servers, user workstations, and wireless networks, laptops, and mobile devices, and network security devices such as routers and firewalls. There may be more than one physical location.
- Platinum – In addition to the network tests covered in Silver and Gold levels, this testing expands the vulnerability assessment and penetration test to include physical controls such as cameras and locks, networked devices such as printers and scanners, and 3rd-party cloud services such as Dropbox and Salesforce. The Platinum level service also includes a Certified Ethical Hacker conducting these services on-site. This addresses the needs of medium to large organizations that require a more in-depth look at their security.