Penetration Testing: The Hacking That Might Just Save Your Business

As all applicable organizations should know, the NY SHIELD Act took effect March 21, 2020, to protect the private information of New York residents from unauthorized access. This includes the private information of both employees and non-employees held by New York businesses. A business that holds private information on New York residents must abide by the NY SHIELD Act unless it is already regulated under, and in compliance with, GLBA, HIPAA, or DFS 23 NYCRR 500. Small businesses are not exempt from the NY SHIELD Act requirements if the business stores or collects private information.

Private information on a New York resident includes a social security number, driver's license or identification card number, financial account or credit/debit card number, biometric data such as a fingerprint, and a username or email address in combination with a password or security question and answer that permits access to an online account. The Act does not create a private right of action; the New York Attorney General enforces it and may bring an action against a business to recover penalties of $20 for each failure to provide the required notification or $5,000, whichever is greater, up to a maximum of $250,000. In addition, a penalty of up to $5,000 per violation can be imposed for failing to meet the reasonable safeguard requirements.

The NY SHIELD Act requires that businesses develop, implement, and maintain “reasonable safeguards to protect the security, confidentiality and integrity” of New York residents’ data, including administrative, technical, and physical safeguards. One method of protecting data and documenting that reasonable steps were taken is penetration testing, which simulates the paths an attacker would take to compromise an organization.

Penetration Testing is a form of ethical (white hat) hacking that uses manual and automated checks to test whether a network and its systems can withstand real attackers. By hiring someone with the right skills or running a testing tool, a company can find out whether its network, systems, or web applications are actually secure. Attempts to breach an application cover its application programming interfaces (APIs) as well as its frontend and backend servers, in order to uncover vulnerabilities. In a world where private information keeps becoming more valuable, it is essential to test periodically whether the private information a business holds could be stolen.

Often a Pen Test turns up what looks like a minor vulnerability, which in the wrong hands can become something much greater. When Pen Testing is performed correctly, an organization can determine whether its systems are secure and measure how quickly it detects and responds. The process involves collecting information about the intended target, identifying weak entry points, and exploiting that knowledge to determine whether an attacker could break in, so that new protective measures can be put in place. The purpose of Pen Testing is to identify security weaknesses and, where scoped, to test an organization’s security policy, compliance requirements, employee security awareness, and ability to respond to incidents. Afterwards, it is crucial to remediate any weaknesses before attackers get the chance to strike.

The scope of a full Pen Test defines which systems, locations, techniques, and tools may be used to probe the network and look for vulnerabilities. By setting the scope, an organization can focus on the areas where it most needs to adjust its controls. Pen Testing often relies on automated tools to uncover vulnerabilities, because these tools quickly identify portions of applications that could lead to a breach. Such tools can also audit stored credentials, for example by checking whether users’ password hashes fall to a dictionary attack, which reveals whether users are actually choosing strong username and password combinations on the network. Not every finding is technical: if an employee leaves a password written on a sticky note in plain sight, the weakness lies in security awareness and policy rather than in the application’s code. Automated scanning does not prove that an application is secure; it surfaces candidate vulnerabilities that a tester must then confirm and prioritize.
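The credential audit described above, as an added example that is not part of the original article and not code from any vendor it names: a small offline dictionary attack of the kind a tester runs against captured password hashes. The record format (`user:salt$sha256hex`), the sample records, and the wordlist are all constructed for this illustration and are assumptions, not data from a real system.

```python
"""Offline password audit: find accounts whose hashes fall to a dictionary attack.

Added example, not from the article. The hash format (SHA-256 over salt+password)
and the sample records below are constructed for illustration only.
"""
import hashlib


def _make_record(user, salt, password):
    """Build a constructed record in the assumed 'user:salt$hexdigest' format."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{user}:{salt}${digest}"


# Constructed sample dump. The plaintexts are only used here to build the
# records; the audit itself sees nothing but the salted hashes.
SAMPLE_RECORDS = [
    _make_record("alice", "x9", "Summer2023!"),
    _make_record("bob", "q1", "password"),
    _make_record("carol", "m4", "Winter2020"),
    _make_record("dave", "z7", "correct horse battery staple"),
]

# Tiny constructed wordlist; a real audit would use a large public list.
WORDLIST = ["password", "summer", "winter", "welcome", "letmein"]


def candidates(word):
    """Yield the mutations crackers try first: casing, appended year, trailing symbol."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for year in range(2018, 2025):
            yield f"{base}{year}"
            for sym in "!@#":
                yield f"{base}{year}{sym}"


def parse_record(line):
    """Split 'user:salt$hexdigest' into its three fields."""
    user, rest = line.split(":", 1)
    salt, digest = rest.split("$", 1)
    return user, salt, digest


def audit(records, wordlist):
    """Return {user: recovered_password} for every hash the dictionary attack breaks.

    Accounts that survive the whole wordlist are simply absent from the result.
    """
    cracked = {}
    for line in records:
        user, salt, digest = parse_record(line)
        for word in wordlist:
            for guess in candidates(word):
                if hashlib.sha256((salt + guess).encode()).hexdigest() == digest:
                    cracked[user] = guess
                    break
            if user in cracked:
                break
    return cracked


if __name__ == "__main__":
    weak = audit(SAMPLE_RECORDS, WORDLIST)
    for user in sorted(weak):
        print(f"WEAK  {user}: recovered '{weak[user]}'")
    for line in SAMPLE_RECORDS:
        user = parse_record(line)[0]
        if user not in weak:
            print(f"OK    {user}: not in wordlist")
```

Three of the four constructed accounts fall to a five-word list plus simple mutations; only the long passphrase survives. That is the point a tester makes in the report: password complexity rules that permit “Season + year + symbol” do not stop a dictionary attack, and the fix is a blocklist of common patterns and a slow, salted hash rather than a longer complexity policy.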

The steps of a successful Pen Test typically run as follows: (1) defining the scope and goals of the test, then gathering intelligence on the target; (2) inspecting the application’s code and observing its behavior both before it runs and while it is running; (3) attacking the identified weaknesses to confirm which are exploitable and whether an attacker could establish a persistent presence in the compromised system; and (4) delivering a report that documents the specific vulnerabilities found, the sensitive data that was accessed, and how long the attack went undetected.

By performing Pen Testing periodically, and at least once a year, businesses can better ensure proper network security and cybersecurity management. Additionally, Pen Testing should be performed whenever an organization adds new network infrastructure, makes significant upgrades, establishes new offices, applies security patches, or modifies end-user policies. However, Pen Testing programs can be costly. Additional factors to consider when deciding how often to test include the size of the company, the budget, whether the business is in an industry where Pen Testing is required, and whether the company’s cloud provider restricts testing of its infrastructure.

Common types of Pen Testing strategies include:

Targeted Testing: performed jointly by the company’s IT staff and the testing team, with both sides aware of the exercise and able to watch it unfold

Internal Testing: determines how far an authorized user could get with their standard access privileges 

External Testing: targets a company’s externally visible servers and devices, such as email servers, web servers, and firewalls, to determine how far an attacker can get once they gain access

Blind Testing: limits the information employees are provided to simulate a genuine attack

Double-Blind Testing: few if any employees of the company are aware that Pen Testing will occur, which gives the most realistic test of security monitoring, incident identification, and response procedures

Pen Testing as a Service (PTaaS) gives IT professionals an outside provider and platform for conducting Pen Testing on an ongoing basis. Commonly used open-source tools include the Metasploit Project, Nmap, Wireshark, and John the Ripper; firms such as Silo City IT offer Pen Testing as a service. Additionally, guidance on the NY SHIELD Act suggests that organizations implement controls from industry cybersecurity frameworks such as those of the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).

This article contains general legal information and does not contain legal advice. Apollo Compliance is not a law firm or a substitute for an attorney or law firm. For legal advice, please contact a lawyer.

Published by apollocompliance

Jean-Marc is a law student interested in cybersecurity and data privacy law.
