Technically, no, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) does not specifically require penetration testing. But stick with me, because there are some important nuances to make note of here. While the act never specifically calls out vulnerability scans or penetration testing, there are a number of industry experts and standards organizations […]
We often get asked, “what is the typical timeline for a penetration test?” The projected schedule can often dictate the business decision around which penetration testing firm to ultimately go with. When you’re under a tight deadline, it’s helpful to get a better idea of what to expect when contracting for a penetration test. While […]
Among the security testing that PCI DSS v3.2 requires is external penetration testing. External penetration testing is becoming a regular part of security practitioner’s vocabularies, with seemingly every security standard requiring it and any mature security program identifying its importance. The requirements surrounding a PCI external penetration test have some specific nuances that are worth […]
We’ve discussed many of the different kinds of testing that the Payment Card Industry Data Security Standard (PCI DSS) requires previously. Among those requirements for many organizations is segmentation validation testing. Segmentation refers to the either physical or logical separation of portions of the network to prevent unnecessary communication channels. In the case of PCI, […]
Internal penetration testing takes the perspective of a malicious individual that is connected to your organization’s corporate network. This style of penetration testing has a similar goal to external penetration testing (find sensitive data, take administrative control of the network, etc.), but provides a completely different attack surface for the assessment team to analyze. This […]
Internal penetration testing is a specific flavor of penetration testing that takes place from within your organization’s network. This testing is specifically designed to emulate a malicious insider or an external attacker that gains a foothold on the network. While the concept is pretty straightforward, there are some interesting nuances when you talk about internal […]
Unfortunately the age old adage “you get what you pay for” has never been more true than in the penetration testing industry. We often hear from potential clients that are seeking a new penetration testing partner because they had previously gone with the cheapest quote and are now “paying the price” (pun intended). A response we […]
A lot of companies, from small businesses to Fortune 500s, have to deal with the Payment Card Industry Data Security Standard (PCI DSS). Depending on your size and business processes, a lot of your work with PCI could simply be verifying that third-party service providers maintain PCI compliance. But we’ve seen that even something so […]
We often get asked what is the easiest way to prepare in order to improve the results of your penetration test. Whether it be to ensure your regulatory compliance, provide a clean penetration test report to a potential customer, or just to better your overall security posture, having a penetration test with fewer critical findings […]
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) can be a daunting task for many organizations. Understanding what’s expected of you can be hard enough, but then deciding on a strategic path forward to reaching a state of compliance and maintaining that posture can be incredibly complex. If you don’t do it right, […]
