Weighing Risks, Benefits of Penetration Testing

Penetration testing can help find security vulnerabilities that aren’t typically identified by scanning and other monitoring. But the testing comes with some risks, say Chuck Kesler, CISO at Duke Health, and security expert John Nye of the consulting firm CynergisTek.

“Web applications tend to be a very fertile ground for attacks, so we want to be sure we’re proactively identifying those vulnerabilities,” Kesler says in an interview with Information Security Media Group at the HIMSS18 conference in Las Vegas.

“A lot of vulnerabilities, particularly in web applications, can’t be found in a simple vulnerability scan. There are sophisticated vulnerabilities … that the penetration tests will help highlight.”

Be Wary of Risks

But organizations also need to be aware of the potential risks posed to certain devices and systems during penetration testing.

“Penetration testing can cause systems to drop offline, and they can also cause corruption in medical devices and internet of things devices, or really cheap devices, like IP cameras, that can break,” Nye says.

The testing can also impact production systems “because we’re running scans against all those systems, and [are] hitting them with thousands of packets sometimes. It could slow the system down or stop a system from being accessible,” he notes. “This all needs to be considered.”

Prior to penetration testing, entities and testers need to carefully consider “what systems to touch, what systems not to touch and what the potential impacts are,” Nye says.

Kesler and Nye were co-presenters during HIMSS18 on the topic of pen testing.

In the interview, Kesler and Nye also discuss:

  • Other security concerns involving biomedical devices;
  • Top security priorities at Duke Health this year, including bolstering network access controls and management around bring-your-own-device as part of a broader three-year security plan;
  • The most troubling emerging cyber threats facing the healthcare sector.

As CISO for Duke Health, Kesler leads the organization’s information security office, which provides services for all Duke University Health System’s units as well as academic departments and research institutes in the university’s schools of medicine and nursing.

Nye, vice president of cybersecurity strategy at CynergisTek, has spent nearly a decade in information security, including stints with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp. and KPMG LLP. He now works exclusively as a penetration tester.

Aetna CISO Touts the Benefits of ‘Unconventional Controls’


Jim Routh Describes How to Fight Evolving Cyberthreats


The adoption of “unconventional” security controls that are risk-driven can help organizations adapt to the changing cyberthreat landscape, says Jim Routh, chief security officer at health insurer Aetna.


“It turns out that all of us in security learned conventional controls – and that’s a good, strong foundation,” he says. “Conventional controls are found in risk frameworks – they’re commonly known, referenceable and there are policies that drive those conventional controls. They’re established and tried and true.” Those controls include the ones that are part of the National Institute of Standards and Technology’s cybersecurity framework, he says.

“But what’s happened over the last 10 years is that as organizations have adopted more risk-driven security – responding to changes in threat actor tactics – we venture into unconventional controls that aren’t necessarily defined in a risk framework, but are highly effective in improving resiliency in the enterprise,” Routh says.

So, for example, in email phishing, a conventional control is user awareness and education, he notes. “An unconventional control is … [using the] DMARC [Domain-based Message Authentication, Reporting & Conformance] standard,” he says. That helps prevent email systems from being hijacked by attackers so that “all outbound email from an enterprise will be delivered and email not coming from that enterprise will not be delivered.”
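To make Routh’s description concrete, here is an added example (not from the interview or from Aetna) of how a receiving mail system applies a published DMARC record: it parses the `_dmarc` TXT record, checks whether the message’s SPF or DKIM result is aligned with the From domain, and returns the disposition the policy dictates. The domain `example.com` and the records are constructed placeholders; the organizational-domain check is a simplification of the real public-suffix lookup.

```python
"""Minimal DMARC policy evaluator (added example, constructed inputs)."""
from typing import Dict, List, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")    # RFC default: monitor only
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])  # simplified org-domain rule
    return org(auth_domain) == org(from_domain)


def evaluate(record: Dict[str, str], from_domain: str,
             spf_pass_domain: Optional[str] = None,
             dkim_pass_domain: Optional[str] = None) -> str:
    """Return the receiver's disposition: 'deliver', 'quarantine' or 'reject'."""
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, record["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "deliver"  # mail genuinely from the enterprise is delivered
    # unauthenticated mail claiming the domain gets the published policy
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[record["p"]]


def weaknesses(record: Dict[str, str]) -> List[str]:
    """Flag settings that still let spoofed mail through or hide it from view."""
    issues = []
    if record["p"] == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if record.get("pct", "100") != "100":
        issues.append("pct<100 enforces the policy on only a share of mail")
    if "rua" not in record:
        issues.append("no rua address, so no aggregate reports are received")
    return issues


WEAK = "v=DMARC1; p=none"  # constructed: the monitoring-only starting point
STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"  # constructed
```

Under `WEAK`, a message with no aligned SPF or DKIM result is still delivered; under `STRONG`, the same message is rejected while mail that is DKIM-aligned with `example.com` continues to be delivered.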

In a video interview at Information Security Media Group’s recent Healthcare Security Summit in New York, Routh also discusses:

  • Ransomware trends impacting the healthcare sector;
  • How improving “software currency” can make enterprises less vulnerable to ransomware attacks;
  • Aetna’s move to continuous behavioral authentication.

Routh heads the global information security function for Aetna. He also is the chairman of the FS-ISAC Products and Services Committee and is a board member of the National Health-ISAC. He was formerly the global head of application and mobile security at JP Morgan Chase and served as CISO at KPMG, DTCC and American Express.