Why Third-Party Pen Testing?
I’ve been getting a lot of questions lately asking why a company or organization should hire a firm like SFLCSI to do pen testing when it already has its own in-house IT department.
The answer is several-fold. First, having your own IT people run these tests is a conflict of interest. They work with these systems every day and know them like the back of their hands. They may know where some of the weaknesses are and “inadvertently” (or “conveniently”) leave them out of the report, especially when it’s a known issue that needs to be addressed immediately. A neutral third party with no foreknowledge of the systems is best precisely because they don’t know what you have ahead of time.
Second, a lot of data breaches occur because of the actions of insiders. Take a wild guess who tops the list of inside offenders. Yup, you guessed it: the IT guys. Too often they cater to the whims of users, setting up easy passwords, obvious server names, the works. The opposite should be true. The longer and more complex the password, the harder it is to guess or crack. Studies show that a six-letter password takes ten minutes to break, whereas a 12-character password with capital letters, numbers and special characters will take a computer years to break.
The same goes for servers. If you don’t want a hacker going after patient data, don’t name a server or database “patient data”. Name it something random, like SVR011, or something else completely anonymous. The more generic the name, the more likely a hacker will have to go through every single server. That’s time-consuming and annoying, and it makes them more likely to make a mistake that gets them caught.
It also keeps your IT department on its toes. If IT becomes complacent, they get lax in their procedures and more liable to make mistakes. Not to mention, they’ll take their sweet time installing the critical upgrades and patches that better protect you from hackers. When someone from the outside comes in and does a penetration test, they’ll find the mistakes and lax installations and put them in their report. Once that report is submitted, fixing those problems definitely becomes local IT’s job.