With Larry Pesce, manager, IT security, Care New England Health System.
Question: Can you briefly explain how penetration testing works?
Pesce: A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities.
Penetration testing, or the process of safely "attacking" a network from the outside in — as a hacker would — has become a must-have for health care organizations. Specifically, Care New England Health System uses automated penetration testing software to evaluate the effectiveness of its security investments and policies to ensure HIPAA compliance.
Question: When choosing testing tools, what should a company look for?
Pesce: When choosing a technology, companies should choose a product that definitively identifies real risks to their networks and assesses the performance of their security investments. For example, Core Security's CORE IMPACT penetration testing product allows us at Care New England to safely exploit vulnerabilities in the network, replicating the kinds of access an intruder could achieve, and proving actual paths of attacks that needed to be eliminated. The ability to determine if a vulnerability has any real impact on corporate information assets serves as a major time-saver, enabling companies to prioritize the IT team's remediation work and eliminate wasted efforts on false positive results from other security products.
Companies should also look for a product with automated reporting capabilities. By automating the previously manual and expensive penetration testing process, [the product] has helped improve Care New England's security while reducing costs.
Companies rely on penetration testing to test the security of their networks and determine which security procedures and products are doing their job and protecting the company, as well as find out what areas could be improved. By using CORE IMPACT, we were also able to evaluate and test the effectiveness of our IDS and IPS solutions by safely launching real-world intrusion events crafted by trusted developers at Core Security. IMPACT helped us determine if our existing security expenditures were an effective use of our budget.
Question: How does penetration testing further HIPAA compliance efforts?
Pesce: HIPAA legislation now determines the way that health care institutions must implement, monitor and audit the security that is employed to protect information stored on their computer networks. In most cases, these organizations are required to implement new information security policies and procedures and to deploy new products in order to bring themselves into regulatory compliance.
My first step in determining where Care New England stood in relation to HIPAA compliance was to conduct a gap analysis of our computer network. This process took all the applicable rules and regulations from HIPAA and applied them to Care New England's security policies and procedures. After a lengthy review, we determined that the security mechanisms currently in place would not satisfy all aspects of the HIPAA regulation. One of the major recommendations that resulted from this analysis was to begin performing regular security audits of the Care New England IT network. From my experience, I knew the only way to get the audit results I needed would be to start performing regular penetration testing to get the most accurate view of our network and provide us with the precise audit information we would need to satisfy our legislative and corporate policy requirements.
However, we now needed to be able to conduct penetration testing as a permanent part of our ongoing IT security process. What we wanted to do and what we could afford to do were two different things. We didn't have the manpower to integrate regular penetration testing into our security strategy and we couldn't afford to hire expensive consultants. The challenge was to find a cost-effective, easy-to-use product with automated reporting capabilities that allowed us to perform regular penetration testing.
We found exactly what we were looking for in CORE IMPACT. The product enabled us to replace the inconsistent, manual penetration testing tools we had previously used with a state-of-the-art, automated penetration testing product that delivered immediate benefits.
For example, proactively testing our network ... we discovered and fixed a potential help desk and IP telephony problem that could have been very detrimental to how we service our customers.
Source: IT Business Edge