Friday | 19 March, 2010
CSO
3 Ways Pen Testing Helps DLP (and 2 Ways It Doesn't)
Orbitz CISO Ed Bellis says penetration testing is a valuable tool in his data loss prevention arsenal. But it won't help him find everything.
Bill Brenner 02/04/2009 09:15:00

Penetration testing's future has been caught in heated debate recently, sparked by Fortify Co-Founder and Chief Scientist Brian Chess' prediction that the practice would die off this year. [See: Penetration Testing: Dead in 2009]

Many IT security practitioners rose to pen testing's defense, calling it an indispensable tool for uncovering data breach attempts from inside and outside the organization.

Move away from the security vendor perspective and one will almost always find that the truth is somewhere in the middle. That's been the experience of Ed Bellis, vice president and chief information security officer for Orbitz. During a presentation at last week's CSO Executive Seminar on Data Loss Prevention, Bellis described pen testing as one of many important tools in his arsenal to protect the sensitive customer data that flows throughout Orbitz's cyber pipeline.

"There are two sides to every story, including the one on pen testing," Bellis said, suggesting that vendors like Fortify will always make sweeping predictions about a technology's future while promoting their own products.

Pen testing has indeed been helpful in detecting weaknesses in Orbitz's sprawling network, which includes data centers around the world with thousands of hosts and a cornucopia of internal applications, among them an agent desktop, home-grown software to process transactions, and back-end security controls. "The number of apps we deal with goes into infinity, and you need a variety of security tools to protect them," he said.

Zeroing in on pen testing, Bellis outlined three specific areas where the craft has proven its worth, and a couple areas where its usefulness is more limited:

Pro: Social Engineering Finder

Social engineering has always been a sure path to a company's sensitive data, and Bellis has found that the weak link is usually an insider who is trying to be helpful with no inkling of the dangers.

"Pen testing will help you catch people who try to use social networking to work their way into a call center," he said. "People working in the call center can be overly helpful when they're trying to help customers, and they can and do get burned in the process."

In this scenario, the pen tester can go hunting for cases where a call center employee is opening the door too wide. Then, those weak links can be addressed, Bellis said.
