In Depth

3 Ways Pen Testing Helps DLP (and 2 Ways It Doesn't)

Orbitz CISO Ed Bellis says penetration testing is a valuable tool in his data loss prevention arsenal. But it won't help him find everything

By Bill Brenner, Senior Editor

Page 2

In this case, pen testing is helpful.

"Pen testing is a great way to pinpoint legacy apps that are potential trouble -- apps you built years ago that aren't going anywhere," Bellis said. "You'll find apps you didn't know you had."

Some of those applications are easily exploited by company insiders with malicious intentions, including employees who have just been laid off. In a separate presentation, Jenny Yang, senior manager for data loss prevention at Symantec Corp., cited a study the company recently conducted with the Ponemon Institute in which 59 percent of those surveyed admitted to taking confidential company information with them on the way out the door.

[See: Laid-off Workers as Data Thieves?]

Yang noted that the most common method of taking data in these cases is to copy it to a CD or USB stick, and that doing so often involves going through one of the legacy applications that serve as a doorway into the more sensitive data stores. "To deal with this, you need to find out where the sensitive data resides, understand how it's used and prevent it from being downloaded," she said.

Pen testing is a useful tool for that task, Bellis said.
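The first of Yang's three steps, finding out where the sensitive data resides, is the part that is easiest to automate. The scanner below is an added example, not code from the article, Symantec or Orbitz: it walks a handful of constructed sample files (the paths and contents are invented for this illustration) looking for US Social Security numbers and payment card numbers, and uses the Luhn checksum to throw away digit runs that merely look like card numbers, such as build or ticket IDs. Findings are masked so the report itself does not become a second copy of the data.

```python
import re

# Constructed sample documents standing in for files found on a share. Paths and
# contents are invented for this example; none of them appear in the article.
SAMPLE_FILES = {
    "hr/offboarding-notes.txt": "Exit checklist for J. Doe, SSN 123-45-6789, badge returned.",
    "finance/q3-report.txt": "Revenue up 4%. Corporate card 4111 1111 1111 1111 expires 12/27.",
    "eng/build.log": "Build 1234-56-7890 finished; ticket 4111111111111112 is not a card.",
    "legacy/export.csv": "id,name,card\n7,Smith,5500000000000004\n",
}

# US SSN in dashed form; rejects area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits with an optional single space or dash between any two digits.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the findings report is not itself a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(files):
    """Return (path, kind, masked_value) for each sensitive value found in the files."""
    findings = []
    for path, text in files.items():
        for m in SSN_RE.finditer(text):
            findings.append((path, "ssn", mask(re.sub(r"\D", "", m.group()))))
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # drops build numbers, ticket IDs and similar noise
                findings.append((path, "card", mask(digits)))
    return findings


def locations(files):
    """The 'where does it reside' answer: every path that holds at least one finding."""
    return sorted({path for path, _, _ in scan(files)})


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
    print("sensitive data lives in:", locations(SAMPLE_FILES))
```

Run against the sample set, the scanner reports the SSN in the HR notes and the two valid card numbers in the finance report and the legacy CSV export, and stays silent on the build log even though it contains a 16-digit run, because that run fails the Luhn check. On a real share the same loop would be pointed at file contents read from disk, and the `locations()` output is the list of places a DLP program has to understand and protect before worrying about the USB stick.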

Pro: Logic Flaw Finder
Another weak link on a network is a logic flaw -- a vulnerability that can allow someone to access data that appears safe on the surface. Bellis said this is another area where pen testing is useful. "It often takes a person to find a logic flaw [as opposed to automated security tools] and you often find that you don't have to be a hacker to exploit an application in ways not intended," he said.

Example: Many online public relations services like Business Wire store embargoed press releases -- those not meant to be released until a specific date -- on their sites in an area thought to be closed off from the viewing public. But logic flaws can enable a competitor to access them. In one case, Bellis noted, an Estonian financial firm was able to use a site log-in to stumble upon a competitor's embargoed releases. The firm ultimately made $8 million on insider trading by exploiting this weakness, Bellis said.
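The following is an added illustration of the kind of logic flaw Bellis is describing, written for this page; it is not a reconstruction of how the Business Wire incident actually worked, and the customers "AcmeCo" and "RivalCorp", the release IDs and the dates are all invented. The vulnerable handler treats "is logged in" as "may read", so any customer who walks the release IDs reads every other customer's embargoed text. The fixed handler enforces the business rule itself (the owner may always read its own release, anyone else only after the embargo lifts) and returns the same error for a missing ID and an embargoed one, so probing cannot even confirm that a release exists before its date. The `probe()` helper plays the role of the competitor enumerating IDs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Release:
    release_id: int
    owner: str               # customer account that uploaded the release
    embargo_until: datetime  # public from this moment on
    body: str


class Forbidden(Exception):
    """Raised when the caller may not read the requested release."""


UTC = timezone.utc


def ts(year, month, day):
    """Shorthand for a UTC timestamp at midnight on the given day."""
    return datetime(year, month, day, tzinfo=UTC)


# Constructed sample data: two hypothetical customers and two releases.
RELEASES = {
    101: Release(101, "AcmeCo", ts(2009, 1, 10), "Acme reports record quarter"),
    102: Release(102, "RivalCorp", ts(2009, 2, 1), "Rival to acquire Widget Inc"),
}


def fetch_release_vulnerable(user, release_id, now):
    """The flaw: a valid login is the only gate, so any customer who guesses or
    enumerates an ID reads every other customer's embargoed release."""
    if user is None:
        raise Forbidden("login required")
    rel = RELEASES.get(release_id)
    if rel is None:
        raise Forbidden("no such release")
    return rel.body


def fetch_release_fixed(user, release_id, now):
    """Hardened: enforce the business rule on every read. The owner may always
    read its own release; everyone else only once the embargo has lifted. A
    missing ID and an embargoed one raise the same error so an ID walk cannot
    confirm that a release exists before its date."""
    if user is None:
        raise Forbidden("login required")
    rel = RELEASES.get(release_id)
    if rel is None or (rel.owner != user and now < rel.embargo_until):
        raise Forbidden("not available")
    return rel.body


def probe(fetch, user, ids, now):
    """What an ID-walking competitor learns: the IDs whose text came back."""
    leaked = []
    for rid in ids:
        try:
            fetch(user, rid, now)
        except Forbidden:
            continue
        leaked.append(rid)
    return leaked


if __name__ == "__main__":
    when = ts(2009, 1, 20)  # release 101 is public, 102 is still embargoed
    print("vulnerable:", probe(fetch_release_vulnerable, "AcmeCo", range(100, 105), when))
    print("fixed:     ", probe(fetch_release_fixed, "AcmeCo", range(100, 105), when))
```

With the clock set between the two embargo dates, the vulnerable handler hands AcmeCo both releases, including RivalCorp's unpublished acquisition announcement, while the fixed handler returns only the one that is already public. Note that an automated scanner would find nothing wrong with the vulnerable version: every response is a well-formed page served to an authenticated user, which is exactly why Bellis says it takes a person to spot this class of flaw.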

Con: Can't See Everything
Among the areas where pen testing falls short, Bellis said, is that it can't be used to get a complete, 360-degree view of an organization's entire security state.

"You won't find more than 2 percent of all your weaknesses," Bellis said. "You have to prioritize what you want that 2 percent to include, and that can be difficult."
