How penetration testing helps ensure a secure data store

Is a thorough third-party penetration test ultimately the best way to determine whether our data store, which contains customer data and is made accessible to several Internet-facing Web apps, can’t be accessed improperly?

Hopefully your data store has been developed using a secure development framework such as Microsoft’s Security Development Lifecycle (SDL). Embedding secure practices into its design and development from the beginning will have helped to create a fairly robust application. However, despite secure coding practices and static code reviews, errors can still make it through to the final version. Even if these aren’t serious, the way in which the data store is deployed and configured, and the environment in which it runs, may mean it is still vulnerable to attack.

A penetration test is essential to determine whether your data store can be compromised once it is live and accessible to anyone with an Internet connection. You may have a secure data store, but the network on which the data store sits should be protected by perimeter defenses such as firewalls, intrusion detection systems and antivirus gateways. It’s important to test that these devices are performing as intended and are effectively safeguarding the network. The interaction of multiple devices, services and functions can generate unanticipated weaknesses during system integration or deployment, which can often only be found by subjecting the system as a whole to a pen test.

These tests can also assess the trust relationships between services, see how the access points to the data store stand up to attempts to exploit them, and measure the ability of network defenses to detect and respond to the tests. Because a penetration test mimics the role of a potential attacker, it is the most realistic of the security tests that you can perform. This is why a penetration test is a mandatory requirement for so many regulations and standards, such as PCI DSS and ISO 27001.

Even if pen testers fail to access your data store, you can’t be 100% sure it is completely secure. Many current attacks against well-known sites are preceded by sophisticated phishing attacks where key individuals are targeted to try and extract information that will help in accessing the application. By collecting a key user’s credentials, attackers don’t need to launch a traditional attack whereby they would try to take advantage of a potential vulnerability in either the application or the system it’s running on. Instead, they can simply access the data using the stolen credentials.

Given the likelihood today of this type of scenario, a thorough penetration test should encompass testing the organization’s defenses against spear phishing and other attacks using social engineering. If the pen testers can obtain information to access the data store from your employees or from social networking sites, then your overall information security needs reviewing and improving. Remember that it’s not just technology that provides security but people and processes, too.

This was first published in December 2011
