The Schellman Blog

Stay up to date with the latest compliance news from the Schellman blog.

Blog Feature

Penetration Testing

By: Kent Blackwell
September 22nd, 2016

Many of the requests that we receive are limited in scope to Internet-facing assets. A true understanding of the threats facing your networks requires a complete evaluation of all possible threat vectors. So what kinds of vulnerabilities does an internal test find that an external test would miss?

Schellman was recently engaged to perform an external and internal penetration test for a software development firm. The external test revealed very little about the company. Strong firewall rules opened only the most necessary ports (80 and 443) to the Internet. All external-facing servers were well patched, running modern operating systems, and lacked any exploitable vulnerability. However, the internal assessment told a completely different story. We began the test with no credentials on a “rogue device” that was placed on the internal network. A database server running an automation tool exposed a scripting console that allowed unauthenticated commands to be run on the underlying OS. A VBS script that downloaded an executable was run, followed by another VBS script that executed the shell program. With this foothold, we impersonated the token of a database administrator who also happened to be a Domain Administrator. A few commands later, we’d taken over the domain. If our client had only engaged us for an external test, none of this would’ve been found.

Healthcare Assessments

By: Schellman
September 16th, 2016

HITRUST Basics

The HITRUST set of security controls and safeguards (referred to as the ‘CSF’ or ‘Common Security Framework’) was developed using a risk-based approach to address the multitude of security, privacy, and regulatory challenges facing healthcare organizations. It includes control points derived from the HIPAA, HITECH, NIST, ISO, PCI, FTC, and COBIT frameworks, as well as federal and state privacy laws.

Education

By: Schellman
September 8th, 2016

One of the most effective ways of approaching professional development is by using collaborative approaches. Or, as Eleanor Roosevelt once said, do one thing every day that scares you. I imagine that might be just as effective when it comes to professionally developing oneself and, as a result, personal skills with it. Here are three areas to consider dedicating attention to on the job if you desire to take personal development to new heights.

ISO Certifications | SOC Examinations

By: Danny Manimbo
September 6th, 2016

NOTE: Schellman has since updated and expanded this information in an article found here.

Cybersecurity Assessments

By: Joe O'Donnell
September 1st, 2016

“We shall defend our island…we shall fight on the beaches, we shall fight on the landing grounds, we shall fight in the fields and in the streets, we shall fight in the hills; we shall never surrender.”

ISO Certifications

By: Ryan Mackie
August 29th, 2016

NOTE: Schellman has since updated this content, which you can find here.

According to the Identity Theft Resource Center, we saw 781 data breaches in 2015 that totaled hundreds of millions of stolen records, many of which included personally identifiable information about customers—names, addresses and Social Security numbers.

Cybersecurity Assessments | Privacy Assessments

By: Avani Desai
August 23rd, 2016

“Scientia potentia est”. “Knowledge is power”.

By: Doug Kanney
August 18th, 2016

A recent Experian Data Breach Resolution and Ponemon Institute study discovered that 55 percent of companies have experienced a data breach due to employee error, and 60 percent of companies believe their employees do not know about the company’s security risks. Furthermore, 66 percent of survey participants admitted that employees are their biggest challenge when developing and implementing data security protocols.