Penetration Testing: Assess Potential Security Vulnerabilities
In today’s complex security landscape, new threats emerge regularly and more vulnerabilities exist than ever before. The security professionals at Veristream perform rigorous penetration testing (also called pen testing) on enterprise networks running iVisitor, iSiteAccess, and access management solutions. For a variety of reasons, ranging from compliance to improved vulnerability and threat intelligence, pen testing is a critical component of developing and operating a secure visitor management environment.
A penetration test is a highly specialized, security-specific verification of system controls; it can range from testing network and application access controls to reviewing software code and IT operational processes. The most effective visitor management security solutions recommend routine testing for system vulnerabilities.
For critical enterprise vendor-managed inventory (VMI) systems dealing with sensitive data, additional testing methods are implemented to identify security vulnerabilities. These testing methods may also be a requirement for compliance with applicable regulations or policies. For instance, HIPAA requires thorough assessments of risks and vulnerabilities to electronic protected health information (ePHI). According to general security best practice, this should include a technical assessment such as a penetration test. The Consensus Audit Guidelines (the 20 Critical Controls) from the SANS Institute also recommend penetration testing.
Your company’s staff should perform regular system and network tests to augment periodic testing by a specialist security provider. The provider can then audit the effectiveness of the in-house testing during its annual or semi-annual assessment. Veristream also encourages enterprises to test themselves.
Proactive versus Reactive
Proactive scanning gives a substantive assessment of system security against known risks, provides a roadmap of effective countermeasures for addressing the vulnerabilities found, and yields a simple quantification of enterprise risk. Reactive scanning, performed after an incident, supports threat quantification and assessment, swift damage control, and an estimate of which control measures are reasonable to put in place during repair or rebuilding.
Penetration testing provides a separate and distinct set of testing activities in comparison to other system security tests, with a primary focus on exploiting (not just observing or assessing) security vulnerabilities. The enterprise must define the scope of the testing before it begins.
Full-scale versus Targeted Testing
Whether to run a pen test at full scale or against specific targets depends on whether the enterprise security team wants to test the entire network or specific devices, such as the firewall. It is usually best to do both, to build a clear picture of the exposure of the public-facing infrastructure as well as the security of individual targets. Firewalls, routers, web servers, mail servers, FTP servers, and DNS servers are just some of the targets to consider.
Remote versus Local Testing
Another consideration is whether the testing will be performed from a remote location across the Internet or from the local onsite network. The choice is determined by the targets selected for testing and the security controls currently in place.
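The three scoping decisions above (define the scope before testing starts, full-scale versus targeted, remote versus local) are easiest to get right when they are written down once and enforced before any tool is pointed at a host. The following is an added example, not Veristream’s code or part of any of its products: a small scope helper that records the authorized ranges and exclusions agreed with the client, refuses any target outside them, and derives the target list for a given run. The asset inventory, roles, addresses and rules of engagement are constructed for illustration, and the assumption that a remote (Internet) test can only reach assets marked as Internet-facing is a simplification of real network exposure.

```python
"""Engagement scope helper: declare the authorized scope once, check every target against it.

Added example (not Veristream's code). Inventory, roles, addresses and rules of engagement
below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One entry in the client's asset inventory (constructed for this example)."""
    name: str
    address: str           # IPv4 or IPv6 literal
    role: str              # firewall, router, web, mail, ftp, dns, kiosk, ...
    internet_facing: bool  # assumption: reachable in a remote test only if True


# Constructed inventory; addresses use documentation (203.0.113.0/24) and private (10.0.0.0/8) space.
INVENTORY = [
    Asset("fw-edge-1", "203.0.113.1", "firewall", True),
    Asset("www-1", "203.0.113.10", "web", True),
    Asset("mx-1", "203.0.113.25", "mail", True),
    Asset("ns-1", "203.0.113.53", "dns", True),
    Asset("ftp-1", "10.0.5.21", "ftp", False),
    Asset("core-rtr-1", "10.0.0.1", "router", False),
    Asset("visitor-kiosk-1", "10.0.7.40", "kiosk", False),
    Asset("hr-db-1", "10.0.9.5", "database", False),
]

# Assumed rules of engagement agreed with the client before testing starts.
AUTHORIZED_RANGES = ["203.0.113.0/24", "10.0.0.0/21"]   # 10.0.0.0 - 10.0.7.255
EXCLUDED_HOSTS = ["10.0.0.1"]                           # core router carved out by the client


def in_scope(address, ranges=AUTHORIZED_RANGES, excluded=EXCLUDED_HOSTS):
    """True only if the address sits inside an authorized range and is not explicitly excluded."""
    ip = ipaddress.ip_address(address)
    if any(ip == ipaddress.ip_address(x) for x in excluded):
        return False
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def require_in_scope(address):
    """Guard to call before any scan or exploit attempt; refuses out-of-scope targets loudly."""
    if not in_scope(address):
        raise PermissionError(f"{address} is outside the authorized scope; refusing to test it")
    return address


def select_targets(inventory, mode="full", roles=(), vantage="remote"):
    """Build the target list for one run.

    mode:    "full" tests every in-scope asset; "targeted" tests only assets whose role is in `roles`.
    vantage: "remote" keeps only Internet-facing assets (what an outside attacker can reach);
             "local" keeps everything reachable from the onsite network.
    """
    if mode not in ("full", "targeted"):
        raise ValueError(f"unknown mode {mode!r}")
    if vantage not in ("remote", "local"):
        raise ValueError(f"unknown vantage {vantage!r}")
    if mode == "targeted" and not roles:
        raise ValueError("targeted mode needs at least one role")
    chosen = []
    for asset in inventory:
        if not in_scope(asset.address):
            continue                      # never silently widen the scope
        if mode == "targeted" and asset.role not in roles:
            continue
        if vantage == "remote" and not asset.internet_facing:
            continue
        chosen.append(asset.name)
    return chosen


def scope_report(inventory):
    """Map every inventory entry to whether it may be tested; review this with the client first."""
    return {asset.name: in_scope(asset.address) for asset in inventory}


if __name__ == "__main__":
    for name, ok in scope_report(INVENTORY).items():
        print(f"{'IN ' if ok else 'OUT'} {name}")
    print("full/remote:    ", select_targets(INVENTORY))
    print("targeted/remote:", select_targets(INVENTORY, "targeted", roles={"firewall", "dns"}))
    print("full/local:     ", select_targets(INVENTORY, vantage="local"))
```

The point of `require_in_scope` is that the decision is made by the written rules of engagement, not by whoever is driving the scanner: a host like `hr-db-1` that was never authorized, or `core-rtr-1` that the client explicitly excluded, is rejected before a single packet is sent, and the same rules produce the full-scale, targeted, remote and local target lists so the four variants cannot drift apart.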
A penetration test does not simply uncover vulnerabilities. It takes security testing to the next level by actively exploiting those vulnerabilities to prove (or disprove) real-world attack vectors against an organization’s people, IT assets, data, and physical security. Contact Veristream, your enterprise penetration testing experts, and let us help you improve your security and your business.