Tuesday, October 4, 2016

SEC Business Breakfast: The Future and Value of Penetration Tests

German summary below.


The good old pen test: a well-established form of system evaluation, but also valid documentation in light of the EU General Data Protection Regulation (EU-DS-GVO)? At the last SEC Business Breakfast on September 23 in Vienna, General Manager Markus Robin explained how penetration tests will need to change in order to provide companies with truly relevant information, and with legal protection as well.


(c) Corporate Identity Prihoda 2016
Penetration testing has been an established method for evaluating a system's resilience since 1967. While all attendees of the SEC Business Breakfast already use penetration tests, Markus Robin identified three key points as the changes pen tests will need to undergo in companies:

Frequency and Attack Scenarios Are Crucial


“We will know when we’re under attack.” That is an argument Markus Robin hears often enough when the frequency of pen tests comes up. “If you just realise it then, it’s too late. Waiting is not a wise and efficient measure, especially with regard to compliance regulations”, Robin sums it up. Penetration tests should be performed periodically: ideally more than once a year, and with concrete attack scenarios in mind that take new attack vectors and ongoing technical change into account. DDoS benchmark tests, for example, should be run quarterly.

Bringing Knives to a Gunfight: Equality of Arms


Against APTs and professional cyber criminals, it is clear that penetration tests cannot be run fully automatically, even though most of them are. It is a matter of equality of arms, as Robin put it: “Many companies use automatic tests, but it should be around 20 % automation, 80 % brain. You need people who can interpret the results, otherwise the report won’t be as meaningful as it could be.” Companies should also consider appointing their own experts so that they can react as quickly as possible when anomalies appear.

Leading Organisations Demand Documentation


“Companies learned that security is an issue that needs to be considered from end to end”, said Markus Robin. Companies increasingly demand documentation of the security measures their partners and suppliers have put in place, and so does the legislation: the EU-wide General Data Protection Regulation applies from 25 May 2018 and imposes a documentation obligation on everyone. “Penetration tests can’t be the only form of documentation, that’s for sure. But it’s going to be an important piece of evidence in questions of data security and protection”, Robin said, highlighting the added value to come.


Join the next SEC Business Breakfast to stay up to date on cyber security issues and to discuss them with the SEC Consult experts on site. Upcoming topic: EU Data Protection Regulation and its effects on your business - REGISTER NOW!



About the SEC Business Breakfast

SEC Business Breakfast is a networking series by SEC Consult on current cyber security topics, aimed at chief information officers. A casual setting with a good breakfast provides space for networking and discussion as well as insights and tips from security experts.


*****

SEC Business Breakfast: The Future and Value of Penetration Tests (German summary, translated)


The good old penetration test: a proven way of assessing systems against DDoS attacks, but also valid evidence under the EU General Data Protection Regulation (EU-DS-GVO)? At the last SEC Business Breakfast on 23 September in Vienna, General Manager Markus Robin explained how penetration tests will have to change in order to supply companies with truly meaningful information in future while at the same time serving as legal protection.

Take the opportunity to learn more about current security-relevant topics and to exchange views with our experts on site. Our next topic: the EU General Data Protection Regulation and its effects on your company - REGISTER NOW!