RubinBrown Cyber Security Center of Excellence – Security You Need to Know

Testing your cyber security on a regular basis is part of a sound strategy to identify and eliminate risks in the environment. Penetration testing, or "white hat" hacking, tests the external and internal network to assess the effectiveness of controls. Whether you are demonstrating due care in addressing cyber security threats or addressing compliance requirements, penetration testing is a core component of regular security assessment efforts.

What is network based penetration testing? Network based penetration testing validates the ability to prevent and detect cyber attackers by assessing:

• The effectiveness of technical layers of security in your infrastructure (hardware), applications (software), and website
• The skillsets of your IT team or IT providers
• The awareness of your full team

Why perform penetration testing? Common reasons to perform penetration testing include:

• Due Care: testing your cyber security before the criminals do is part of a sound strategy for addressing cyber security risks
• Compliance Requirements: credit card processing, banking, credit unions, healthcare and critical infrastructure
• Best Practice: Annual testing is standard, best practice increases the frequency (2-4 times per year)
• Client Requirements: more and more clients are requiring vendors, suppliers and business partners to demonstrate their security due care by performing annual tests

How can penetration testing be performed? Penetration testing can be performed in a variety of approaches including:

• Full Disclosure: everyone on the team knows the testing is being done
• Compliance Required: credit card, healthcare financial and critical infrastructure require annual testing
• Limited Disclosure: used to test detection capabilities only a few in senior management know the testing is happening
• Red Team: the “final exam”, a team of experienced white-hats target the environment with a variety of logical, physical and social engineering attacks

Any of the above methods can combine social engineering, application security testing or other testing methods into the same approach. We recommend:

• Start with a cost effective risk assessment and vulnerability scan of the environment
• Develop a security testing plan including:
  • Identify potential cyber security insurance cost savings with a proactive plan
  • Change the breadth and depth of the testing to address critical areas
  • Synchronize the testing with annual training of your employees and technical teams

If you have questions or need assistance, please contact one of RubinBrown’s Cyber Security Services Group professionals.

^{Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.}

Published: 01/31/2018

_{^{Readers should not act upon information presented without individual professional consultation.}}

_{^{Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.}}