Features: April 17th, 2009

Hacking into an organisation’s computer systems is becoming less newsworthy and only the most high profile cases are now reported. This does not mean the problem is going away, but that it is becoming more commonplace. Improved security measures result in more innovation in hacking and this led to an approach of ‘beat them at their own game’. Security advisors now play the role of hackers and look for ways to break through the security shield. This article explains how penetration testing was applied in Derbyshire County Council.

With 37,000 employees, Matlock-based Derbyshire County Council is among the largest local authorities in the country. The council recently became one of the few in the East Midlands to be rated as “excellent” under the Audit Commission’s ‘Comprehensive Performance Assessment’. This achievement reflects a focus on maintaining high standards throughout the organisation, as demonstrated by a commitment to implementing robust security solutions and rigorous working processes in order to ensure that sensitive data and systems are fully protected.

To achieve these goals, the Council undertook a procurement exercise to deliver internal penetration testing on its server infrastructure. Sapphire was successful in obtaining the penetration testing contract. Penetration testing is the security-oriented probing of a business’s computer system or network to seek out vulnerabilities that an attacker could exploit. Typically assessments are made against all types of networks and applications including wireless networks, VoIP networks, PSTN telephone networks and web applications.

The testing team focused on identifying weaknesses in the systems, demonstrating and quantifying those vulnerabilities and then reporting on the countermeasures required to mitigate or eliminate them. Six months later the security advisor revisited to check if the original vulnerabilities had been addressed and to ensure that no new weaknesses had emerged.

Why penetration testing?

There are a broad range of reasons why penetration testing is becoming more popular today. Organisations of all sizes across the public and private sectors should be aware of the limitation of their security technologies and procedures.

For any organisation considering penetration testing, the arguments in favour are compelling. If it has data, systems or applications that it believes are worth protecting, then it will be a sensible approach to take. It is relatively inexpensive to carry out but the consequences of not doing so could be severe.

The potential losses from hackers or rogue employees exploiting the weaknesses of a company’s internal networks are enormous. Equally, many organizations face heavy fines for neglecting due diligence or failing to ensure regulatory compliance and these penalties are becoming more severe all the time.

Commissioning an assessment gives organisations, and critically also their customers and partners, reassurance that security technologies are in place and functioning correctly. It provides the peace of mind that comes from knowing that software, servers, workstations and infrastructure are working to protect the critical business data and reputation of the enterprise from external or internal attack.

Equally, when making changes to network infrastructure, testing is an excellent way to ‘prove’ those changes by identifying any weaknesses exposed or corrected by the work. It can also be used to pinpoint potential vulnerabilities when connecting new services or applications onto a live network.

Changing Attitudes

Today, organisations are starting to wake up to the fact that it is far better to commission a security advisor to investigate and pinpoint weaknesses in their systems for them, than to have those vulnerabilities ruthlessly exploited by an external attack.

This enhanced awareness is partly due to the emergence of regulations like ISO27001 and the Payment Card Industry standards, for example, that specify that penetration testing needs to be carried out on a regular basis, and partly the result of greater general understanding of the benefits of the approach.

Tightening security in Derbyshire

Phillip Spencer, Principal Auditor and IT Manager, Derbyshire County Council commented, “We believe in doing as much as possible to demonstrate that we are actively improving the security of our networks. By carrying out penetration testing, we are highlighting the fact that we take security extremely seriously and are taking all reasonable steps to ensure that our systems and the data they contain are fully secure.

While we have internal staff who are focused on network security, we also like to have an annual independent validation of the quality of the network security and the areas that we need to address to improve this quality. To deliver this level of assurance, we need to be working with a credible market player and a security provider that we are confident that we can trust in providing independent assurance that the network is robust and secure. On both counts, Sapphire fits the bill perfectly.”

Positive Relationship

It is a critical requirement for any local authority to keep all data, and particularly personal data, secure and to ensure that the network and applications which contain that information are sufficiently robust to protect it. The work carried out by Sapphire has played a key role in enabling the Council to meet this requirement.

The Council values Sapphire’s ability to deliver high-quality work within agreed timeframes. Another key factor in the success of the working relationship has been the flexible and responsive approach, which Sapphire has shown at all times

As Philip concludes “Sapphire is a very approachable company. Everyone with whom we have had any contact from the receptionists and administrative staff to the technical consultants has been extremely helpful”.