We live in an age where data flows like water, becoming the new life source of our everyday ventures.
As such, you can just imagine what all of that entails and the weight that data receive, especially when it comes to a decision making on how to handle this fairly new and arguably invaluable resource.
Of course, we are well aware from a very young age that our water needs to be pure, filtered and possibly protected, so this pops the question and makes us wonder:
How exactly does all of this translate for our data, its handling processes and ultimately our Security?
It is no secret that our personal information is as valuable if not more than actual currency. Imagining your social security number, medical bills or paycheck amounts flowing through vast amounts of seemingly random servers all across the globe can be unnerving.
It brings out the same questions that we would have for anything else of value:
Where is it going?
Who can see it?
Why are they holding it?
…
Is it safe?
As with anything else, the best way to understand is to get examples, more importantly from a person who is experienced and deals with these types of questions about your data every day.
Let’s assess a small visit to your local hospital.
You check in.
What did you just do?
You gave away your social security number, address, bio information, and financial status.
Did you stop and think if the hospital really needs all of that information or are they just hoarding it for no reason?
Of course, you did not!
Currently, you’re more worried about your well being and not some hospital records. This happens more often than we would like to believe. Being brought in situations from various types of establishments where our data is not the first thing on our minds when entering.
But what does all of this have to do with Penetration Testing & Compliance Audits? We will get there soon enough.
For starters, know that people are working over the clock right now analyzing these everyday situations that everyone is facing. They are the ones that do ask questions about our data and how it is handled in such proceedings when we can not.
These people range in various fields, from Security Engineers, Penetration Testers, Auditors, HR Staff, etc.
Some of these titles, understandably, are not familiar to people that are not interested in the IT sector, but nonetheless, as with everything else, there will be a field to fit a certain need.
Here that need is “Security.”
But for now, let’s go back to the hospital for a bit.
After you left, what happened?
All of that information got stored somewhere, quite possibly digitally.
For papers, we have lockers, for money we have safes, for vials we have 24/7 protected laboratories.
Just what do we have for the data we just gave out?
We saw that the front desk person typed it in their computer. Which means that now all of that information is sitting either on their server at local grounds or has been sent off to random nodes across the globe as we previously mentioned. But that still does not answer the main question, how is it protected? Can’t someone just barge in and take it?
In most cases, that would be improbable and somewhat difficult. But, most examples are not all cases, and as will any Security Engineer attest, we get more breaches like that than we would like to admit. So how this happen?
Well now we got to the technical bit, how does one actually steal all of that information and why are they able to.
First, they can steal it because the systems that hold it, like anything else physical as well, has not had its security properly checked! There is a loophole in the system.
This is where Penetration Testing comes along.
Secondly, why they are able to steal it is because there is data there that should not be there in the first place.
This is where Compliance Auditing comes along.
Let’s talk about the first issue, lack of security measures and/or checkups and how to prevent it.
Penetration Testing, as the name might suggest, is the act of trying to breach the security of an object and steal valuable data exactly as an attacker would do. This means using their methods and tactics as well. But what is the difference? Penetrating Testing is carried out by specialized and authorized organizations or individuals to help businesses identify potential risks in their system.
These specialized organizations or individuals (Penetration Testers) would try to break in, as previously mentioned using all of the tips and tricks that attackers would, and then they would report to the businesses (whom they are working for) where all of their weak areas are and more importantly how and why they should fix them.
Basically, if the Penetration Tester stole valuable information, that means that an attacker could do this as well. By covering all of the vulnerabilities found previously by the Penetration Tester, you are making sure that when the actual attackers try to break in, it will be substantially harder or almost impossible because most of the vulnerabilities have already been fixed.
We will take the hospital for our example again.
We left our personal information (data) in the hospital, and they probably stored it. Malicious actors just a few hours later know where that location is and they try to break in. One of two things will happen, either they will succeed (the penetration test might not have been conducted). Or in their attempt, they found out that most of the ways they knew how to break in have already been patched up and now it is a lot more difficult or impossible, leaving them with nothing.
Now as for the first issue, imagine that the attackers did break in, there were lack of security measures and a Penetration Test beforehand was probably not conducted. What did they steal or rather what can they steal?
They stole the following information:
Name/Surname
Date Of Birth
Blood Type
Address
Credit Card Number
The major issue here is why did the hospital, at the first place, stored the credit card number when surely it will not need the credit card for constant use?
That is where the need for Compliance Audit comes. A compliance audit is the complete and thorough assessment of an organization’s (hospital in our case) compliance to laws and guidelines set out by the respective regulatory authority of that particular industry.
Compliance is mostly a set of security checklists, that a company, for example, should follow depending on their type of business.
For example, if it is a private hospital, they would have to follow a medical type of compliance. If it is a broker firm, they would have to follow a financial type of compliance and so on.
The medical type of compliance, in this case, would state that there is probably no need to store credit card number, lumped together with all of the other types of information and that each type of data has their own type of protection checklist.
So if the compliance beforehand were conducted and followed, the credit card number would probably not have been stored in the first place, as they are not vitally needed. If this had happened, even after the attackers broke in, they would not have been able to steal such information because it simply did not exist. This way you mitigate the risk of breaches.
Basically, only the information that is absolutely needed should be stored. Similarly, businesses cannot keep their employee’s records forever if they have left. Every business should hire a compliance auditor to understand the rules and regulations of their business and carry out in a legal way.
On the other hand, it is not entirely up to the auditors to conduct such thorough search, it is up to the company and its general security sense to build up everything properly in order for these kinds of tests and checklists to never be a substantial issue.
Attacks could also come from inside a company as well. Mainly from provoked, overworked or unsatisfied employees. These are the most dangerous types of attacks because the employees already have access to everything.
Basically, their psychological well being is extremely important! Taking the time and effort to care for your colleagues will make them less eager to betray you or your assets.
As a conclusion, we went through various scenarios that all of those ambiguous titles above go through each day and hope you are more understanding now of the importance of Penetration Testing & Compliance for the security of your data than you were before!