
This post pertains to penetration testing as a means for compliance with DFS 23 NYCRR 500. 

The New York State DFS 23 NYCRR 500 regulation is designed to protect consumers by requiring banking, insurance and other financial institutions to follow sound cybersecurity practices that protect consumers' private information. There are several ways to satisfy the regulation while also tightening an organization's security, and one of the methods it recognizes is penetration testing (pen testing).

What is penetration testing?

Penetration testing, also known as a pen test, involves finding and exploiting security vulnerabilities in a network, program or application within your company. It is a form of ethical hacking: a penetration tester deliberately tries to break into the corporate environment using the same tools and techniques a real attacker would use, and documents the gaps in the organization's security controls that allowed each step to succeed.

Why should pen tests be done?

Penetration testing for your organization should be done for several reasons. Pen tests uncover exploitable weaknesses in your organization. Failing to address these weaknesses can lead to theft, downtime and loss of clients, along with legal ramifications. Pen tests allow organizations to harden their applications, networks and endpoints against external threats. Additionally, a pen test lets you simulate how an attack on your organization would unfold if it were to occur. You can give or withhold company information from the pen tester and see how that affects the outcome, and you can set other parameters of the engagement, such as whether the physical location of your company is disclosed and which systems are in scope. Pen tests in which the ethical hacker has no prior knowledge of your environment are known as black box pen tests. With some knowledge of your environment, testers carry out "gray box" pen tests. White box pen testing involves sharing explicit details of your network layout and sensitive targets with your ethical hacking team.

How do pen tests help you comply with 23 NYCRR 500?

For compliance with section 500.05 of DFS 23 NYCRR 500, organizations have two options:

  1. Employ effective continuous monitoring of their systems, by building out or leveraging a security operations center (SOC).
  2. Absent continuous monitoring, perform annual penetration testing and bi-annual vulnerability assessments.

Some companies do both. Pen testing validates that your SOC actually detects attacks as they happen, and SOC monitoring gives you continuous coverage in between pen tests, with 24x7x365 eyes on glass, including after hours.

Pen testing provides your organization with an answer to the question "If a determined hacker tried to get in, how far could they get?" The report produced by a pen test documents your organization's due diligence and helps avoid the monetary or legal penalties that accompany non-compliance. Pen tests also exercise your security and incident response procedures: when an ethical hacker goes through the steps to infiltrate your environment, your organization can see exactly which security controls were bypassed and whether the intrusion was detected, and a response plan can be crafted around those findings. This allows you to reduce the risk from external threats while maintaining a proactive response to any possible breach.

Leverage our expertise in compliance with DFS 23 NYCRR 500 by contacting us today.
