3 Ways Pen Testing Helps DLP (and 2 Ways It Doesn't)
Orbitz CISO Ed Bellis says penetration testing is a valuable tool in his data loss prevention arsenal. But it won't help him find everything
By Bill Brenner, Senior Editor
March 30, 2009 — CSO —
CHICAGO -- Penetration testing's future has been caught in heated debate recently, sparked by Fortify Co-Founder and Chief Scientist Brian Chess' prediction that the practice would die off this year. [See: Penetration Testing: Dead in 2009]
Many IT security practitioners rose to pen testing's defense, calling it an indispensable tool for uncovering data breach attempts from inside and outside the organization. [See: 12 Reasons Pen Testing Won't Die]
Move away from the security vendor perspective and one will almost always find that the truth is somewhere in the middle. That's been the experience of Ed Bellis, vice president and chief information security officer for Orbitz. During a presentation at last week's CSO Executive Seminar on Data Loss Prevention, Bellis described pen testing as one of many important tools in his arsenal to protect the sensitive customer data that flows throughout Orbitz's cyber pipeline.
"There are two sides to every story, including the one on pen testing," Bellis said, suggesting that vendors like Fortify will always make sweeping predictions about a technology's future while promoting their own products.
Pen testing has indeed been helpful in detecting weaknesses in Orbitz's sprawling network, which includes data centers around the world with thousands of hosts and a cornucopia of internal applications that include an agent desktop, home-grown software to process transactions and back-end security controls. "The number of apps we deal with goes into infinity, and you need a variety of security tools to protect them," he said.
Zeroing in on pen testing, Bellis outlined three specific areas where the craft has proven its worth, and a couple areas where its usefulness is more limited:
Pro: Social Engineering Finder
Social engineering has always been a sure path to a company's sensitive data, and Bellis has found that the weak link is usually an insider who is trying to be helpful with no inkling of the dangers.
"Pen testing will help you catch people who try to use social networking to work their way into a call center," he said. "People working in the call center can be overly helpful when they're trying to help customers, and they can and do get burned in the process."
In this scenario, the pen tester can go hunting for cases where a call center employee is opening the door too wide. Then, those weak links can be addressed, Bellis said.
Pro: Legacy App Finder
As Bellis mentioned, the number of applications in use within Orbitz goes into infinity. Buried among them are apps that have been around forever but may no longer be in use. Yet they are sitting on the network, replete with vulnerabilities waiting to be exploited by a data thief.
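The article does not describe how Orbitz's testers hunt for forgotten applications, so the following is an added example, not code from the article or from Orbitz. It shows the reconciliation step a pen tester typically runs after a port scan: every listening service that no inventoried application claims is a candidate legacy app, and every inventory entry that is no longer listening is a stale record. The scan lines, the application inventory and the list of legacy protocols are all constructed here for illustration.

```python
"""Reconcile a service scan against an application inventory (added example).

Assumptions (constructed for this example, not from the article):
  * SCAN is a whitespace-separated export of the form "host port proto name",
    which most port scanners can produce.
  * INVENTORY maps each known application to the host:port endpoints it owns.
  * LEGACY_PROTOCOLS lists plaintext or obsolete service names worth flagging.
"""
from dataclasses import dataclass

# Constructed scan output for a handful of hosts.
SCAN = """\
# host       port  proto  name
10.0.1.10    443   tcp    https
10.0.1.10    8443  tcp    https-alt
10.0.1.11    22    tcp    ssh
10.0.1.12    8080  tcp    http-proxy
10.0.1.13    1521  tcp    oracle
10.0.1.13    21    tcp    ftp
"""

# Constructed application inventory: app name -> endpoints it is known to own.
INVENTORY = {
    "booking-web": {"10.0.1.10:443"},
    "agent-desktop": {"10.0.1.12:8080"},
    "bastion": {"10.0.1.11:22"},
    "legacy-fax-gateway": {"10.0.1.14:25"},  # decommissioned host, record never removed
}

# Service names that usually indicate an old or plaintext protocol.
LEGACY_PROTOCOLS = {"ftp", "telnet", "rsh", "rlogin", "finger"}


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str

    @property
    def endpoint(self) -> str:
        return f"{self.host}:{self.port}"


def parse_scan(text: str) -> list[Service]:
    """Parse scan lines, skipping blanks and '#' comments; reject short rows."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed scan line: {line!r}")
        host, port, proto, name = parts[:4]
        services.append(Service(host, int(port), proto.lower(), name.lower()))
    return services


def unclaimed_services(services: list[Service], inventory: dict) -> list[Service]:
    """Listening services that no inventoried application owns."""
    claimed = {ep for eps in inventory.values() for ep in eps}
    return [s for s in services if s.endpoint not in claimed]


def stale_inventory(services: list[Service], inventory: dict) -> dict:
    """Inventory entries pointing at endpoints that are no longer listening."""
    listening = {s.endpoint for s in services}
    return {app: sorted(eps - listening)
            for app, eps in inventory.items() if eps - listening}


def legacy_protocol_services(services: list[Service]) -> list[Service]:
    """Services whose name matches a known legacy/plaintext protocol."""
    return [s for s in services if s.name in LEGACY_PROTOCOLS]


def report(scan_text: str = SCAN, inventory: dict = INVENTORY) -> dict:
    """Run all three checks and return endpoint lists for review."""
    services = parse_scan(scan_text)
    return {
        "unclaimed": sorted(s.endpoint for s in unclaimed_services(services, inventory)),
        "stale": stale_inventory(services, inventory),
        "legacy_protocol": sorted(s.endpoint for s in legacy_protocol_services(services)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The unclaimed list is the starting point for the "legacy app finder" work: each endpoint gets traced to an owner or scheduled for removal. The stale list is the other half of the problem, records that outlived their hosts, which otherwise make the inventory look more complete than the network is.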