Different Types of Penetration Tests for Your Business Needs

What area of your business would benefit the most from a penetration test? 

By: Chad Horton
Penetration Testing Manager
Penetration testing is a form of ethical hacking that simulates attacks on a network and its systems. It goes beyond running an automated vulnerability scanner; the tests are performed by experts that dive deeper into your environment.

In a previous blog post, Types of Penetration Testing: The What, The Why, and The How, we discussed the different ways a penetration test can be performed: black-box, white-box, and gray-box. We also told you why it’s a good idea for a business to have penetration tests performed regularly.
So, what type of penetration test should you get for your business?
What areas should you focus on? There are several tests or activities that penetration tests include. Here are a few you may want to consider.

Network penetration test

The objective of a network penetration test is to identify security issues with the design, implementation, and maintenance of servers, workstations, and network services.

Commonly-identified security issues include:
  • Misconfigured software, firewalls, and operating systems
  • Outdated software and operating systems
  • Insecure protocols
The remediation of commonly-identified security issues include:
  • Reconfigure software, firewalls, and operating systems
  • Install updates
  • Enable encryption or choose a more secure protocol
SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

Segmentation check

The objective of a segmentation check is to identify whether there is access into a secure network because of a misconfigured firewall.

Commonly-identified security issues include:
  • TCP access is allowed where it should not be
  • ICMP (ping) access is allowed where it should not be
The remediation of commonly-identified security issues are the same:
  • Reconfigure the segmentation control (firewall rules) to properly restrict access
SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

Application penetration test

The objective of an application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and publishing of the software.

Commonly-identified security issues include:
  • Injection vulnerabilities (SQL injection, Cross-site scripting, remote code execution, etc.)
  • Broken authentication (The log-in panel can be bypassed.)
  • Broken authorization (Low-level accounts can access high-level functionality.)
  • Improper error handling
The remediation of commonly-identified security issues include:
  • Re-design the authentication and authorization model
  • Recode the software
  • Disable remote viewing of errors meant for developers

Wireless penetration test

The objective of a wireless penetration test is to identify misconfigurations of authorized wireless infrastructure and the presence of unauthorized access points.

Commonly-identified security issues include:
  • Insecure wireless encryption standards
  • Weak encryption passphrase
  • Unsupported wireless technology
  • Rogue/open access points
The remediation of commonly-identified security issues include:
  • Update wireless protocol to an industry accepted protocol (WPA2)
  • Replace the insecure passphrase with a longer, more complicated one
  • Identify the open access point and disable it
SEE ALSO: Wireless Access Point Protection: Finding Rogue Wi-Fi Networks

Social engineering

The objective of a social engineering assessment is to identify employees that do not properly authenticate individuals, follow processes, or validate potentially dangerous technologies. Any of these methods could allow an attacker to take advantage of the employee and trick them into doing something they shouldn’t.

Commonly-identified issues include:
  • Employee(s) clicked on malicious emails
  • Employee(s) allowed unauthorized individuals onto the premises
  • Employee(s) connected a randomly discarded USB to their workstation
The remediation is always the same: training.

Because the intent of this assessment is to take advantage of the trusting nature of employees, this type of assessment should only be done after employees have completed a training course on defending against social engineering attacks.

SEE ALSO: Social Engineering Training: What Your Employees Should Know

Which type of penetration test is right for you?

For starters, choose the type of penetration test that focuses on the controls you are most concerned about:
  • Web application or API = application penetration test
  • Infrastructure = network penetration test (and possibly a wireless penetration test)
  • People = social engineering
If your objective is to obtain PCI compliance, at the very least, you’ll want to consider getting a network and an application penetration test.

Once you have an idea on the type of test you would like and how comprehensive you would like the results to be, you need to decide from which perspective you would like testing to be performed.

By making these decisions wisely, you can choose a penetration test that matches your business' needs and budget.

Need a penetration test? Talk to us!

Chad Horton has been the Penetration Testing Manager at SecurityMetrics for over five years. His responsibility includes managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities.

SecurityMetrics Webinar, Web Application Penetration Testing 101
SAQ A: What to Know, and What to Do

Learn what’s required to fill out SAQ A.  

By: Jen Stone
Security Analyst
To become PCI compliant, your bank might allow you to fill out a Self-Assessment Questionnaire, but there are different types of questionnaires for different types of businesses. These differences could include what type of card data your business receives, how you handle payments, and how you store and transmit card data.

This post will focus on SAQ A and what businesses need to do to complete it.

SEE ALSO: 5 Simple Ways to Get PCI Compliant

Who does SAQ A apply to?

SAQ A SAQ A is for merchants who have outsourced their card data functions to validated third parties. This may include e-commerce or mail/telephone-order merchants.

The PCI DSS outlines a list of requirements that apply to SAQ A merchants:
  • Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions
  • All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers
  • Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions
  • Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant
  • Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.

What requirements does SAQ A address?

SAQ A addresses the following requirements:
    Self assessment questionnaire
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9:  Restrict physical access to cardholder data 
  • Requirement 12: Maintain a policy that addresses information security for all personnel

SAQ A is one of the shorter SAQs, mainly because applicable businesses don’t actively deal with any card data and have outsourced all cardholder data functions to third parties. However, because they have access to reports and receipts containing cardholder data, they still need to make sure they’re secure and following applicable PCI compliant policies and procedures.

Example questions 

Here are a few questions that you’ll need to answer:
  • Are vendor-supplied defaults always changed?
  • Are all users assigned a unique ID before allowing them to access system components or cardholder data?
  • Are all media physically secured?
  • Is strict control maintained over the internal or external distribution of media? 
  • Is strict control maintained over the storage and accessibility of media? 
  • Is all media destroyed when no longer needed for business or legal reasons? 
  • Are policies and procedures maintained and implemented to manage service providers? 
  • Is there a written agreement between you and the service provider that acknowledges the provider’s responsibility for card data security? 
  • Is there an established process for engaging service providers? 
  • Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?  


Here are some tips to help you with SAQ A.
  • Update security policies with service providers: Even if you don’t handle card data directly, it’s important your service providers are PCI compliant. Make sure your agreements with them regarding security are updated regularly.
  • Train your employees: Policies are no good if your employees aren’t following them. Train employees at least quarterly, if not monthly.
  • Work with a QSA/security expert: Having an expert help you with PCI compliance can save you a lot of time and energy.
Need help with getting PCI compliant? Let’s see how you’re doing. 

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 

SecurityMetrics 2016 Guide to PCI DSS Compliance
A Snapshot of the 2017 SecurityMetrics Guide to HIPAA Compliance: The Status of Healthcare Security

How did healthcare do with HIPAA in 2016? 

Read our 2017 SecurityMetrics Guide to HIPAA Compliance.

By: Brand Barney
Security Analyst
2016 has seen many reported data breaches, many which were healthcare related. Does this mean that healthcare has gotten worse in data security and HIPAA compliance? Not necessarily.

We wanted to find out how healthcare was doing with HIPAA, so we conducted several surveys from over 150 healthcare professionals (who were responsible for HIPAA compliance) across the nation, primarily from organizations with fewer than 500 employees. They were asked questions ranging from overall HIPAA compliance status to specific elements of the Security Rule. Here’s what we found out:

Patient data security 

healthcare securityAccording to our surveys, 38% of respondents don’t know if they encrypt data, and 50% don’t know multi-factor authentication. These two practices are critical in protecting patient data.
if their organization uses

Unsecured remote access is still the #1 pathway hackers use to steal data.  Organizations that use remote access need to secure it properly through multi-factor authentication and limiting user access.  It’s also important to encrypt any sensitive data. Should it be stolen, that data is essentially useless to the hacker.

HIPAA Firewalls

With firewalls, while most organizations have one in place, 41% don’t know how often their firewall rules are reviewed, and 37% don’t know whether or not they store firewall logs.

Firewalls aren’t plug-and-play technology. Organizations need to make sure all their rules are configured properly, and that someone is consistently reviewing logs. If your firewall isn’t working properly, it can negate any effect it had on your security.

SEE ALSO: Firewalls 101: 5 Things You Should Know

Mobile device security 

With the widespread use of mobile devices in healthcare, many organizations haven’t taken proper steps to secure their devices or the data on those devices. Only 41% of respondents have a mobile device policy, and only 21% use mobile encryption.

Many of the recent data breaches have been related to stolen/lost mobile devices, so organizations should start worrying about securing those more and make sure they have a mobile security strategy in place. Having a mobile device policy in place, and making sure no personal devices have access to patient data are good ways to secure your data.

Email security

Emails need to be HIPAA compliant too. 46% of the surveyed organizations send emails containing patient data and 32% send patient data that is either unencrypted or through normal, unsecured email.

Unsecured emails can be easily hacked. Best practice is to encrypt any patient information in emails, and use a secure email server. Better yet, avoid sending sensitive information through email at all.

SEE ALSO: How to Send a HIPAA Compliant Email

HIPAA Training

HIPAA GuideAs far as training goes, organizations are doing a bit better, with 71% training on HIPAA Privacy
Rule, 67% training on Security Rule, and 67% training on HIPAA Breach Notification rule. Unfortunately, over 53% of organizations don’t test employees on HIPAA training.

It’s a known fact that an organization’s weakest security link is its employees, which makes proper HIPAA training critical. While organizations do seem to be doing better, there’s still a lot of improvements to be made. Employees should be trained and tested regularly so they understand your organization’s policies on HIPAA.

Talk to us about training your employees! 

What does this mean for healthcare? 

Based on our data, a lot of the healthcare professionals don’t know what makes up their security. What’s scary is these are all healthcare professionals responsible for HIPAA compliance.

Similar to 2015, many healthcare professionals in 2016 struggle more with the Security Rule in HIPAA. As a result, most healthcare organizations that have had PHI stolen or leaked weren’t fully compliant with the Security Rule.

That being said, the organizations we surveyed seem to be doing better in certain aspects of HIPAA compliance, with only 7% of respondents saying employees share ID credentials and only 15% of organizations allowing employees to use personal mobile devices to access patient data.
Overall, the state of HIPAA hasn’t changed much from last year, but there are a few improvements.
The biggest change healthcare organizations should make is employee awareness of the Security Rule. Many healthcare professionals in charge of HIPAA just don’t know enough about data security.


Here are a few things to keep in mind with getting compliant with HIPAA:
  • Train employees at least quarterly: you and your employees need to understand HIPAA compliance better and understand how to secure your patient data 
  • Get expert help: it’s a good idea to consult HIPAA Compliance and Security Assessors and other security experts to help your organization where you’re struggling
  • Do security testing: hire penetration testers and ethical social engineers to test your systems and your employees 
Need help with HIPAA? Check out our 2017 Guide to HIPAA Compliance.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

2017 SecurityMetrics Guide to HIPAA Compliance
PCI Requirement 2: How to Get Compliant

Learn more about Requirement 2 and getting your systems PCI compliant. 

By: Brand Barney
Security Analyst
PCI Requirement 2 involves securing your systems. This includes things like passwords, configuration, and system hardening. Here’s a few things you’ll want to look at when getting compliant with PCI Requirement 2.

SEE ALSO: 5 Simple Ways to Get PCI Compliant

Changing Default Passwords

Devices such as routers or POS systems usually come straight from the vendor with factory settings like default usernames and passwords. This makes device installation and support easier, but it also means every model has the same username and password. Remember that even if the service provider isn’t compliant with PCI security standards, the merchant is still liable in the event of a data breach.

Most default passwords and settings are well known throughout hacker communities and are found via a simple Internet search. When defaults aren’t changed, it gives attackers an easy gateway into a system. Disable vendor defaults on every system that connects with the CDE to protect your data against unauthorized users.

Currently, passwords should be changed every 90 days and contain at least 7 characters, including numeric and alphabetic characters (meeting password complexity requirements). Passwords that fall short of these criteria can usually and easily be broken using a password-cracking tool.

SEE ALSO: How to Do Passwords Right: Password Management Best Practices

System Hardening

Any system used in the CDE needs to be hardened before being put into production.
This means you remove any unnecessary functionality in your system and configure what is left in a secure manner. Every application, service, driver, feature, and setting installed on a system introduces possible vulnerabilities.

To comply with Requirement 2.2, merchants should “address all known security vulnerabilities and [be] consistent with industry-accepted system hardening standards.” Some good examples of hardening guidelines are produced by the following organizations:
  • Center for Internet Security (CIS) 

  • International Organization for Standardization (ISO) 

  • SysAdmin Audit Network Security (SANS) Institute 

  • National Institute of Standards Technology (NIST) 

SEE ALSO: System Hardening Standards: How to Comply with PCI Requirement 2.2

System Configuration Management

Consistency is key when trying to maintain a secure environment. Once system hardening standards have been defined, it’s critical that they are applied to all systems in the environment in a consistent fashion. Once each system or device in the environment has been appropriately configured, you still aren’t done. Many organizations struggle to maintain standards over time, as new equipment or applications are introduced into the environment. 

This is where it pays to maintain an up-to-date inventory of all types of devices, systems, and applications that are used in your CDE. However, the list is no good if it doesn’t reflect reality.

Make sure someone is responsible for keeping the inventory current and based on what is in use. This way, applications or systems that are not approved for use in the CDE can be discovered and addressed. 

Many organizations, especially larger ones, turn to one of the many system management software packages on the market to assist in gathering and maintaining this inventory. These applications scan and report on hardware and software used in a network and can also detect when new devices are brought online. These tools are often also able to “enforce” configuration and hardening options, alerting administrators when a system is not compliant with your internal standard.

Additional tips to consider

Here are a few things to think about:
  • Train employees on policies: make sure employees are aware of policies surrounding password management, system configuration, etc.
  • Update documentation consistently: make sure you’re constantly documenting your updates, which helps prevent liability issues and organizes your security policies
  • Work with experts: if you’re not technically minded, it may be good to have an expert help you with specific configurations and system hardening
Need help in getting PCI compliant? Talk to us!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Securing Mobile Devices with Mobile Encryption

mobile encryption

Learn how encryption can protect the data on your mobile devices

By: George Mateaki
Security Analyst
With the rise in mobile devices, it makes sense that more businesses are using mobile devices to process, store, and transmit card data. But with the rise in technology comes the rise in all sorts of security issues. One common issue is stolen or lost devices.

Say you have a tablet that has sensitive information on it, such as card data, personal information, etc. If that tablet is stolen, all that data is now in the wrong hands. So how do you secure that data? Things like physical security and mobile device policies are good at protecting the device itself, but one way to protect the data on the device is encryption.
Here’s some information on mobile encryption and how it can help your business.

What is encryption?

mobile encryptionThe idea is to protect your data from falling into the wrong hands, should someone get ahold of a
mobile device. Full disk encryption (FDE) encrypts all the data on your storage device.

Full disk encryption is basically encryption on a hardware level. It automatically converts data on a hard drive into something that can’t be deciphered without the key. Without the right authentication key, the data is inaccessible, even if a hard drive is removed and placed in another machine.

What’s nice about FDE is it’s automatic, so it requires no special action from the user other than providing a key. As data is written, it’s automatically encrypted, and as it’s read, it’s automatically decrypted.

Mobile devices like smartphones and tablets have encryption options that will also provide protection of storage. In this case, it’s not typically a disk but is still just storage that’s encrypted and accessed using some key. It’s usually just a matter of enabling the appropriate options and an extra step to provide a key.

Why should I get encryption?

If your organization deals with a lot of mobile devices that carry critical data, it’s a good idea to make sure none of that data falls into the wrong hands. Using encryption is another step to properly securing your data. Taking this extra step in security can help many organizations.

This can also protect you from liability. If a device is lost or stolen, and it was fully encrypted, organizations don’t have to report a breach.

What should I apply encryption to?

Encryption is really useful for laptops and other smaller devices that can be physically stolen/lost. This ensures that should a laptop, phone, USB, etc. is stolen or lost, the data is still secured. While it may be true that encrypting mobile devices is not required by all government or financial mandates, taking this extra step in security can help many organizations.

Basically, you should consider encryption for any mobile device that is storing sensitive data.

SEE ALSO: 5 Ways Your Mobile Device Can Get Malware

What type of encryption should I get?

encryptionThere are many different types of encryption software and tools. Some come with other security elements included. Many computers and software already come with options like full disk encryption. But the problem is this software is usually available on most devices, but many businesses don’t realize it hasn’t been implemented. Fortunately, it’s fairly easy to activate encryption on devices.

Check if your current software offers storage encryption. If not, there are plenty of tools that offer encryption.

How secure is encryption?

Keep in mind that encryption doesn’t guarantee the security of your data. Encryption keys can still be stolen. With full disk encryption, cold boot attacks can be used where keys are stolen by cold booting a machine, then dumping the contents of its memory before the data disappears. Some best practices are to secure the encryption key properly, employ a strict password policy, and limit access to these keys.

So if your business uses a lot of mobile devices, implementing encryption is a great security tool to protect your data.

Need help with data security? Talk with one of our consultants!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.