If your Internet provider filters incoming e-mail, please add ncxgroup.com to your list of approved senders to make sure you receive NCX Group Security Updates.
WHAT TO EXPECT FROM A PENETRATION TEST
The main objective of a penetration test is to discover, identify, and exploit the vulnerabilities that an attacker may find. These tests have tremendous value in that they disclose the weaknesses of your network, applications, and systems by verifying potential threats, so that action can be taken to reduce the probability and impact of a successful attack.
What is important to remember, though, is that a penetration test is only a snapshot of your network or Web application at the time it is performed. It is not intended as a full security audit, which, like an accounting audit, measures against both standards and best practices. Approach a penetration test as a "first step" toward identifying network or Web application weaknesses prior to conducting a full security review, which includes a review of business risk and liability within your technology infrastructure and business processes.
When contracting for a penetration test, it is best to choose a security partner that has no affiliation with the systems being tested. This eliminates a conflict of interest and the potential for recommendations of additional products or solutions you may not need. Your goal is best achieved by a consulting firm whose focus is on the results of the test, not future product sales. The benefits and value of using qualified testers who have the skills, tools, and in-depth knowledge will be evident in the way the tests are conducted as well as in the final report.
It is extremely important that you clearly define the objectives (rules of engagement) and scope of your penetration test. This includes identifying the systems to be tested, the timeframe for testing, the level of testing required, and the personnel involved. It should also include escalation procedures in the event a high-risk vulnerability is found. A well-defined plan will ensure the service delivered meets your expectations.
The heart of any penetration test is the quality and value of the report. Conducting the test is very time consuming, and documenting the discovery detail is even more laborious. A professional report will have an executive summary describing general findings and the overall security posture of your network, systems, or Web applications. The report should then contain detailed findings on all vulnerabilities and the level of risk they pose, a remediation section that specifies a corrective action or recommended solution for each threat and vulnerability discovered, and a remediation matrix to help prioritize and guide the remediation effort.
Tests can vary considerably based on the methods used, the scope of the tests, and the type of practitioner you engage to do the testing, so have the testing firm thoroughly review the processes it will perform, and get them in writing.
For information on conducting a penetration test for your company, please contact us at 888-448-5451 or request a representative to call you.
CALIFORNIA LEGISLATURE EXPANDS SB 1386 TO INCLUDE MEDICAL AND HEALTH INSURANCE DATA
Effective January 1, California's SB 1386 Breach Notification Law will require businesses to notify victims of an unauthorized breach of unencrypted medical and health insurance data, regardless of whether Social Security numbers are involved.
Formerly, if Social Security numbers were not part of the breach, there was no requirement to notify victims. By adding medical and health insurance data to the law, the State Breach Notification law is amended from a financial identity theft law to a far broader law that triggers breach notifications whenever medical or health insurance policy information is breached. The intent is to prevent the growing crime of medical identity theft and to protect confidential medical information by encouraging encryption.
The two new breach-triggering data categories are defined as follows: "health insurance information" means a health insurance policy or subscriber number(s) and any information in an individual's application and claims history, including any appeals records; and "medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
A total of 39 states have followed California in enacting a breach notification law relating to financial information. It is likely that these other states will follow California's lead and expand their notification laws as well.
NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451
Copyright ©2008 NCX Group, Inc. All rights reserved.