It seems as if government agencies, both local and national, are making headlines for mostly the wrong reasons these days. Scandals, breaches and cybersecurity have become such a sensitive subject within the past year that these events have left most people feeling even more on edge. According to the Thales Data Threat Report, within the past year alone, 33% of government agencies reported that they experienced a data breach. That does not count the breaches that have gone unnoticed, for now at least. But what if you had proper security initiatives in place to keep you even the slightest bit ahead in cyberspace? Maybe you and the people you serve could breathe a bit easier.

Pen-testing your systems helps protect the people you serve at both the state and local level, as well as the public image and trust your agency depends on. Let's look at the regulations you, as a federal agency, are mandated to follow.

What the National Institute of Standards and Technology (NIST) Says About Pen-Testing

The working definition of a penetration test from NIST is, "A test methodology in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system or network." The information you gather from a pen-test tells you where the weaknesses are in your organization, but it also tells you how you would fare against different types of attacks and attackers. Holding up against sophisticated attacks indicates that you are operating from a healthy security posture. Conversely, if a novice attacker can cause you trouble, you may want to implement new programs or tighten up existing ones. That alone should offer some relief: there is a method for testing how your network holds up against a potential attack, safely and before it actually happens, so that you can remediate any weak points in your network first.

Not only does NIST SP 800-115 define what a pen-test is in section 5.2, but it also suggests a way to approach pen-testing in your environment so that everything is covered to the full extent. It breaks the pen-test into four phases: planning, discovery, attack and reporting.

  • Planning is where you lay out the scope of what you hope to accomplish in your pen-test and set goals around what you hope to unearth.
  • Discovery is where you actually test and gather information. At this point you'll also want to perform a vulnerability assessment, which puts context around what you discover in this phase and what sort of vulnerabilities you are facing.
  • In the attack phase, you exploit the vulnerability to confirm that it actually exists.
  • Finally, reporting. Although reporting happens throughout every phase, your final report should be a detailed document describing the identified vulnerabilities and the risk scores used to prioritize them.
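To make the four phases concrete, here is an added example (not from the original post or from NIST SP 800-115) of the kind of artifact the reporting phase produces: a small Python script that takes findings collected in discovery, records whether the attack phase confirmed each one, scores them and emits a prioritized report. The scoring scheme (likelihood times impact on a 1-5 scale, bucketed into severities) and all sample findings are constructed assumptions for illustration; SP 800-115 does not prescribe a specific formula.

```python
"""Prioritized pen-test findings report structured around SP 800-115's phases.

Added illustration, not code from the original page. The risk model
(likelihood x impact, 1-5 each) and the sample findings are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    host: str
    likelihood: int   # 1 (hard to exploit) .. 5 (trivial to exploit)
    impact: int       # 1 (negligible) .. 5 (severe)
    confirmed: bool   # True once the attack phase reproduced it
    remediation: str


def risk_score(finding: Finding) -> int:
    """Assumed scoring: likelihood x impact, range 1..25."""
    if not (1 <= finding.likelihood <= 5 and 1 <= finding.impact <= 5):
        raise ValueError(f"likelihood and impact must be 1..5: {finding.title}")
    return finding.likelihood * finding.impact


def severity(score: int) -> str:
    """Bucket a score into a severity label (thresholds are assumptions)."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first; confirmed findings win ties, then title for stability."""
    return sorted(findings, key=lambda f: (-risk_score(f), not f.confirmed, f.title))


def render_report(findings: list[Finding]) -> str:
    """Plain-text report: one line per finding, most urgent first."""
    lines = ["Penetration Test Report (constructed sample)", ""]
    lines.append(f"{'Rank':<5}{'Score':<7}{'Severity':<10}{'Status':<12}Finding")
    for rank, f in enumerate(prioritize(findings), start=1):
        score = risk_score(f)
        status = "confirmed" if f.confirmed else "unconfirmed"
        lines.append(f"{rank:<5}{score:<7}{severity(score):<10}{status:<12}"
                     f"{f.title} ({f.host})")
        lines.append(f"{'':<34}Remediation: {f.remediation}")
    return "\n".join(lines)


# Constructed sample findings; hosts and titles are placeholders.
SAMPLE_FINDINGS = [
    Finding("Default credentials on admin console", "10.0.0.5 (constructed)",
            likelihood=5, impact=4, confirmed=True,
            remediation="Rotate credentials; enforce MFA on the console."),
    Finding("Outdated TLS configuration", "10.0.0.7 (constructed)",
            likelihood=2, impact=3, confirmed=False,
            remediation="Disable legacy protocol versions and weak ciphers."),
    Finding("Unpatched web server", "10.0.0.9 (constructed)",
            likelihood=4, impact=4, confirmed=True,
            remediation="Apply vendor patches; add to monthly patch cycle."),
    Finding("Verbose error messages", "10.0.0.9 (constructed)",
            likelihood=3, impact=1, confirmed=False,
            remediation="Return generic errors; log details server-side."),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
```

The ordering rule is the point: the report leads with the confirmed, high-score items so remediation effort goes where the attack phase proved real exposure, while unconfirmed discovery-phase items are still carried forward rather than dropped.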

How Pen-Testing Protects You and Those You Serve

If you skip your pen-tests, or don't act on what they uncover in a timely fashion, you could be in deeper trouble than you thought. Yes, we encourage you to pen-test to meet regulatory requirements, but use it as a means to protect yourself and the people whose data you collect.

Without a pen-test, you won't have a full understanding of your organization's security posture. Pen-tests provide an in-depth look at your IT infrastructure, letting you see which vulnerabilities pose the biggest threat to your environment. With the ability to prioritize your remediation efforts, you can operate in a controlled manner and tackle the most pressing threats first.

If you were to avoid pen-testing altogether, you would face heavy penalties or fines and, in turn, make headlines for the wrong reasons. Your organization should want to be able to demonstrate its compliance, especially with the regulations outlined by NIST. Doing so will help you avoid the extra cost of fines for not adhering to a standard set for the entire industry. Ultimately, a breach could damage your public image in your local community and beyond, and follow you for much longer than you thought possible. Make it your goal to make headlines for positive reasons, and your community will only become more loyal.