• Solutions
  • Solutions Overview
    • About Our Solutions
    • Determine Exposure to Real-World Threats
    • Perform Continual, Automated Testing
    • Assess Security Across IT Layers
    • Validate Security Controls
    • Connect Security Data to Business Risk
  • Solutions by Industry
    • Financial Services
    • Government
    • Health Care
      • Respond to the HITECH ACT
      • Validate HIPAA Compliance
      • Limit Unauthorized Insider Activities
      • Maximize limited security staffing
      • Drive down Web-based Security Risks
      • Insulate Your Networks from Unauthorized Devices
      • Diminish the Impact of Social Engineering
      • Validate security investments
    • Higher Education
      • Overview
      • Assess exposure to potential data breaches
      • Insulate networks from unmanaged devices
      • Limit unauthorized insider activities
      • Drive down web-based security risks
      • Maximize limited security staffing
      • Diminish the impact of social engineering
      • Validate security investments
      • Meet compliance demands
    • Retail
  • Solutions for Compliance
    • CAG
    • FFIEC
    • FISMA / NIST
      • NIST 800-137
      • NIST 800-39
      • NIST 800-53
    • GLBA
    • HIPAA
    • PCI
    • SOX
    • Validate Security Controls
• Products
  • Products Overview
  • CORE INSIGHT Enterprise
    Security Intelligence Solution
    • Overview
    • How It Works
    • Dashboards
    • Reports
    • What's New
    • Demos
      • CORE Insight Videos
    • Data Sheets and White Papers
    • Comparing CORE INSIGHT to CORE IMPACT
    • How to Buy
  • CORE IMPACT Pro
    Penetration Testing Software
    • Overview
    • What It Tests
      • End-User Security Awareness
      • Endpoint Systems
      • Mobile Devices
      • Network Devices
      • Network Systems
      • Web Applications
      • Wireless Networks
      • IPS/IDS, Firewalls and Other Defenses
      • Vulnerabilities Identified by Scanners
    • Commercial-Grade Exploits
      • Overview
      • Recent Exploits and Updates
      • How Our Exploits Work
      • About Our Client-Side Exploits
      • About Our Agents
    • Vulnerability Scanner Integration
    • Reporting
    • What's New
      • Version 12.3
      • Version 12
      • Version 11
    • Demos
      • Impact
    • Data Sheets, White Papers and Other Resources
    • Intro To Penetration Testing
      • What Is Penetration Testing?
      • Comparing Security Testing Options
      • What To Look For
      • Independent Penetration Testing Resources
      • Conducting Penetration Tests
    • Comparing CORE IMPACT to CORE INSIGHT
    • Training, Certification and Support
    • How to Buy
  • Core WebVerify Web
    Application Security Testing Software
    • Overview
    • Web Application Vulnerability Coverage
    • WebVerify vs. Scanners
    • Reveal Implications of Application Vulnerabilities
  • Core CloudInspect Cloud Security Testing for AWS
  • Demos and Evaluations
  • The Research Behind Our Products
  • Why Our Products are Safe
  • How to Buy
• Services
  • Services Overview
  • Core Security Consulting
    Services
    • Overview
    • Comprehensive Penetration Testing
    • Application Penetration Testing
    • Web Services Security Assessment
    • Source Code Auditing
    • Wireless Penetration Testing
    • Leading-Edge Technology Testing
    • How to Buy
  • CORE IMPACT Professional Services
    • Overview
    • Web Application Penetration Testing Services
    • Network Penetration Testing Services
    • Client-Side Penetration Testing Services
    • Wireless Network Penetration Testing Services
    • Benefits
    • How to Buy
• CoreLabs Research
  • CoreLabs Overview
  • Research Projects
  • Advisories
  • Publications
    • Presentations and Papers
    • Journals and Magazines
    • Internet Articles
  • Open Source Projects
  • CoreLabs Extranet Site
• News & Events
  • News & Events Overview
  • Events and Webcasts
    • Webcasts
    • Conferences
    • Speaking Engagements
  • News
    • Press Releases
    • In The News
  • Reviews
  • Awards
• Partners
  • Partners Overview
  • Strategic Partners
    • Business Partners
    • Technology Partners
  • Training Partners
    • CICT Training and Certification
  • Using Core's Products in Your Consulting Practice
• Company
  • Company Overview
  • Management Team
  • Board of Directors
  • Customers
    • Success Stories
  • Careers
  • Contact Us
• Blog
• Customer Portal

• News & Events

• News & Events Overview

• Events and Webcasts
  • Webcasts
  • Conferences
  • Speaking Engagements

• News
• Press Releases
• In The News

• Reviews

• Awards

SHARE

With Larry Pesce, manager, IT security, Care New England Health System.

Question: Can you briefly explain how penetration testing works?

Pesce: A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities.
Penetration testing, or the process of safely "attacking" a network from the outside in — as a hacker would — has become a must-have for health care organizations. Specifically, Care New England Health System uses automated penetration testing software to evaluate the effectiveness of its security investments and policies to ensure HIPAA compliance.

Question: When choosing testing tools, what should a company look for?

Pesce: When choosing a technology, companies should choose a product that definitively identifies real risks to their networks and assesses the performance of their security investments. For example, Core Security's CORE IMPACT penetration testing product allows us at Care New England to safely exploit vulnerabilities in the network, replicating the kinds of access an intruder could achieve, and proving actual paths of attacks that needed to be eliminated. The ability to determine if a vulnerability has any real impact on corporate information assets serves as a major time-saver, enabling companies to prioritize the IT team's remediation work and eliminate wasted efforts on false positive results from other security products.
Companies should also look for a product with automated reporting capabilities. By automating the previously manual and expensive penetration testing process, [the product] has helped improve Care New England’s security while reducing costs.
Companies rely on penetration testing to test the security of their networks and determine which security procedures and products are doing their job and protecting the company, as well as find out what areas could be improved. By using CORE IMPACT, we were also able to evaluate and test the effectiveness of our IDS and IPS solutions by safely launching real-world intrusion events crafted by trusted developers at Core Security. IMPACT helped us determine if our existing security expenditures were an effective use of our budget.

Question: How does penetration testing further HIPAA compliance efforts?

Pesce: HIPAA legislation now determines the way that health care institutions must implement, monitor and audit the security that is employed to protect information stored on their computer networks. In most cases, these organizations are required to implement new information security policies and procedures and to deploy new products in order to bring themselves into regulatory compliance.
My first step in determining where Care New England stood in relation to HIPAA compliance was to conduct a gap analysis of our computer network. This process took all the applicable rules and regulations from HIPAA and applied them to Care New England's security policies and procedures. After a lengthy review, we determined that the security mechanisms currently in place would not satisfy all aspects of the HIPAA regulation. One of the major recommendations that resulted from this analysis was to begin performing regular security audits of the Care New England IT network. From my experience, I knew the only way to get the audit results I needed would be to start performing regular penetration testing to get the most accurate view of our network and provide us with the precise audit information we would need to satisfy our legislative and corporate policy requirements.
However, we now needed to be able to conduct penetration testing as a permanent part of our ongoing IT security process. What we wanted to do and what we could afford to do were two different things. We didn't have the manpower to integrate regular penetration testing into our security strategy and we couldn't afford to hire expensive consultants. The challenge was to find a cost-effective, easy-to-use product with automated reporting capabilities that allowed us to perform regular penetration testing.
We found exactly what we were looking for in CORE IMPACT. The product enabled us to replace the inconsistent, manual penetration testing tools we had previously used with a state-of-the-art, automated penetration testing product that delivered immediate benefits.
For example, proactively testing our network ... we discovered and fixed a potential help desk and IP telephony problem that could have been very detrimental to how we service our customers.

Source: IT Business Edge
http://www.itbusinessedge.com/item/?ci=16382