Network & Application Layer Penetration Testing
Find your weaknesses before THEY do.
Recent healthcare breaches are exposing the ugly truth that the network infrastructure at many providers is insecure. What's the fastest way to identify your gaps and weaknesses? A Network and Application Layer Penetration Test simulates a real-world attack against your network infrastructure and information systems to identify vulnerabilities and risks which may impact the confidentiality, integrity or availability of your data. It’s imperative to conduct a penetration test regularly if your environment is processing and storing sensitive data (like payment card data or protected health information) and those same systems have access to the Internet. In fact, if you are subject to HIPAA, penetration testing is likely required in order to demonstrate that PHI data is well-protected.
Unlike a vulnerability assessment or automated vulnerability scan, security engineers performing penetration testing actively try to uncover vulnerabilities and then exploit them in order to breach your systems or obtain access to sensitive data. This manual, hands-on approach allows the tester to intelligently probe and launch attacks from a variety of vectors and under a variety of conditions within the environment. As a result, your organization can gain full visibility and understanding of how malicious entities may be attacking your systems and to what extent they are at risk.
The engagement starts with an agreement between you and ControlScan on the scope of testing to be conducted, including the target environment and the various approaches to be taken. Depending on your needs, penetration testing can be performed from one or both of the following different perspectives:
- An External Penetration Test adopts the approach of an anonymous attacker somewhere out on the Internet looking to breach your perimeter defenses and gain access to your environment.
- An Internal Penetration Test shows you the risks posed to your information systems by an insider (e.g., an employee or contractor) or an attacker that has already breached your perimeter.
Both types of testing provide insight into your organization's risk exposure, but from different perspectives.
To become secure, expose your vulnerabilities.
During the engagement, our security testers perform reconnaissance of in-scope systems to identify services and functions which may be vulnerable, followed by a discovery of vulnerabilities affecting in-scope targets and then finally attempt to exploit those vulnerabilities in order to compromise the exposed systems. All of this is done with your knowledge and permission.
Upon completion, a formal report is prepared detailing the findings uncovered by the testing process. The tester that conducted the exercise walks you through the report in detail, ensuring you understand the weak points and gaps discovered and have a strategy for strengthening them. In addition, we'll discuss network segmentation strategies that can better protect the PHI in your environment while making it simpler to maintain HIPAA compliance. Most clients remediate the findings and then engage ControlScan to retest and verify the target environment is secure.
"We have partnered with ControlScan for the past two years for assistance with our PCI validation. ControlScan has always been professional, timely and knowledgeable [while helping us determine] the best way to validate our environment. Our projects have been well communicated, executed and followed up on through completion; the team has always been open to questions and easy to work with." — Hielan Management
Maintaining a secure network infrastructure and application environment is the best reason to undergo Network & Application Layer Penetration Testing, but there are other great reasons, too:
- Network Penetration Testing satisfies Requirement 11.3 of the Payment Card Industry Data Security Standard (PCI DSS) when performed against your cardholder data environment.
- Network Penetration Testing is also an optimal solution for safeguarding your protected health information (PHI), helping you to address your HIPAA and HITECH requirements.