Penetration tests are one of the best ways to safeguard your business against security breaches and service interruptions. A security penetration test is an effort to evaluate the security of an IT infrastructure by attempting to exploit system vulnerabilities. These exploits may look for unpatched holes in your operation system, application flaws, improper system configurations or even exploitable behavior from your employees.

When these tests are preformed proactively and with the authorization of the owner of the IT infrastructure, it is considered a White Hat penetration test. White Hat penetration tests use the same methods that would be employed by an outside attacker, but has the added benefit of being conducted in a safe environment without threat to your personal data. While these tests may seem invasive, the goal is to identify weaknesses within a system so that they can be addressed before they become exploited in the wild. A successful penetration test allows a legitimate security professional to address common security mistakes and make suggestions for tighter security if an easy fix is not available.

PCI/HIPAA Regulatory Compliance

Beyond making good business sense, Penetration Testing is a requirement for any organization that falls under the umbrella of PCI and HIPAA regulation. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires healthcare institutions to implement appropriate safeguards to protect electronic Information from “reasonably anticipated threats and hazards”. Similarly, The Payment Card Industry Data Security Standard (PCI DSS) set a series of standards to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.

Health Organizations that fail to meet HIPAA requirements can face fines of up-to $50,000 per individual violation and may incur a maximum penalty $1.5 million per calendar year. PCI compliance is less regulated but can result in lawsuits, insurance claims and government fines in the case of a mass user security breach. The good news is that penetration testing satisfies all of HIPAA’s risk assessment requirements and meets similar compliance requirements for PCI.

How Often Should You Conduct a Penetration Test?

Penetration testing should be performed on a regular basis to ensure consistent IT and network security management and reveal and newly discovered threats or emerging vulnerabilities may be exploited by attackers.

In addition to regularly scheduled analysis and assessments required by regulatory mandates, tests should also be run at-least twice a year or whenever:

  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • End user policies are modified

Check back next week for a look at the different types of penetration tests and how to identify a legitimate vendor for your testing needs.