Penetration testing can help find security vulnerabilities that aren't typically identified by scanning and other monitoring. But the testing comes with some risks, say Chuck Kesler, CISO at Duke Health, and security expert John Nye of the consulting firm CynergisTek.
"Web applications tend to be a very fertile ground for attacks, so we want to be sure we're proactively identifying those vulnerabilities," Kesler says in an interview with Information Security Media Group at the HIMSS18 conference in Las Vegas.
"A lot of vulnerabilities, particularly in web applications, can't be found in a simple vulnerability scan. There are sophisticated vulnerabilities ... that the penetration tests will help highlight."
Be Wary of Risks
But organizations also need to be aware of the potential risks posed to certain devices and systems during penetration testing.
"Penetration testing can cause systems to drop offline, and they can also cause corruption in medical devices and internet of things devices, or really cheap devices, like IP cameras, that can break," Nye says.
The testing can also impact production systems "because we're running scans against all those systems, and [are] hitting them with thousands of packets sometimes. It could slow the system down or stop a system from being accessible," he notes. "This all needs to be considered."
Prior to penetration testing, entities and testers need to carefully consider "what systems to touch, what systems not to touch and what the potential impacts are," Nye says.
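The scoping step Nye describes, deciding which systems to touch, which to leave alone and how hard to push the ones in between, can be written down and checked before a single packet is sent. The following is an added illustration, not code from the article, Duke Health or CynergisTek: it takes a constructed asset inventory and agreed rules of engagement (the address range, the fragile device classes and the packet-rate limits are all assumed values) and sorts each host into scan, throttle or exclude, with the reason recorded so the plan can be reviewed with the system owners.

```python
"""Pre-engagement scope check for a penetration test.

Sorts inventoried hosts into three buckets:
  scan     - non-production, normal scan rate
  throttle - production systems, capped packet rate
  exclude  - fragile device classes or hosts outside the authorized range

Everything below (inventory, ranges, classes, rates) is a constructed
example and an assumption, not any real organization's data.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    device_class: str   # e.g. "web-app", "medical-device", "iot-camera", "server"
    production: bool


# Constructed sample inventory (assumed values)
INVENTORY: List[Asset] = [
    Asset("10.10.1.10", "patient-portal-web", "web-app", True),
    Asset("10.10.1.11", "portal-web-staging", "web-app", False),
    Asset("10.10.2.20", "infusion-pump-07", "medical-device", True),
    Asset("10.10.3.30", "lobby-ip-camera", "iot-camera", True),
    Asset("10.10.4.40", "ehr-db-primary", "server", True),
    Asset("192.168.50.5", "vendor-demo-box", "server", False),
]

# Rules of engagement agreed before testing (assumed values)
AUTHORIZED_RANGES = [ipaddress.ip_network("10.10.0.0/16")]
# Device classes known to drop offline or corrupt under active scanning
EXCLUDED_CLASSES = {"medical-device", "iot-camera"}
PRODUCTION_MAX_RATE = 50     # packets per second against production hosts
DEFAULT_MAX_RATE = 1000      # packets per second against everything else


def _in_scope(ip: str) -> bool:
    """True if the address falls inside an authorized range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_RANGES)


def classify(asset: Asset) -> Tuple[str, int, str]:
    """Return (bucket, max_packets_per_second, reason) for one asset.

    Scope is checked first: a host outside the agreed range is excluded
    regardless of what it is, so a typo in the inventory cannot widen the test.
    """
    if not _in_scope(asset.ip):
        return ("exclude", 0, "outside authorized ranges")
    if asset.device_class in EXCLUDED_CLASSES:
        return ("exclude", 0,
                f"{asset.device_class}: may drop offline or corrupt under active scanning")
    if asset.production:
        return ("throttle", PRODUCTION_MAX_RATE, "production system: limit packet rate")
    return ("scan", DEFAULT_MAX_RATE, "non-production, normal rate")


def build_scan_plan(inventory: List[Asset]) -> Dict[str, List[dict]]:
    """Group the inventory into scan/throttle/exclude with per-host reasons."""
    plan: Dict[str, List[dict]] = {"scan": [], "throttle": [], "exclude": []}
    for asset in inventory:
        bucket, rate, reason = classify(asset)
        plan[bucket].append(
            {"ip": asset.ip, "name": asset.name, "max_rate": rate, "reason": reason}
        )
    return plan


def exclusion_list(plan: Dict[str, List[dict]]) -> str:
    """Newline-separated addresses to feed to the scanner's exclude option."""
    return "\n".join(entry["ip"] for entry in plan["exclude"])


if __name__ == "__main__":
    scan_plan = build_scan_plan(INVENTORY)
    for bucket in ("scan", "throttle", "exclude"):
        print(bucket.upper())
        for entry in scan_plan[bucket]:
            print(f"  {entry['ip']:<14} {entry['name']:<22} "
                  f"rate={entry['max_rate']:<5} {entry['reason']}")
```

The order of the checks is the point: range first, fragile device class second, production throttling last. Running the plan past the system owners before the engagement, and handing the exclusion output to the scanner rather than typing addresses by hand, is what turns "what systems not to touch" from a conversation into something enforced.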
Kesler and Nye were co-presenters during HIMSS18 on the topic of pen testing.
In the interview, Kesler and Nye also discuss:
- Other security concerns involving biomedical devices;
- Top security priorities at Duke Health this year, including bolstering network access controls and management around bring-your-own-device as part of a broader three-year security plan;
- The most troubling emerging cyber threats facing the healthcare sector.
As CISO for Duke Health, Kesler leads the organization's information security office, which provides services for all Duke University Health System's units as well as academic departments and research institutes in the university's schools of medicine and nursing.
Nye, vice president of cybersecurity strategy at CynergisTek, has spent nearly a decade in information security, including stints with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp. and KPMG LLP. He now works exclusively as a penetration tester.