Avoid Being Hacked: Perform a Network Penetration Test
August 4, 2020
The FBI and FinCEN have issued advisories warning of increased cyberattacks aimed at stealing money, personal information or both. Want to protect your computer network from being hacked? Experts say companies should perform what’s called a “Penetration Test” to find any vulnerabilities in your network.
“A penetration test simulates an attacker attacking a network. The goal of a penetration test is to identify real-world vulnerabilities that would be valuable to an attacker,” explained Alex Lauerman, founder and principal consultant at TrustFoundry, an internet security firm based in Overland Park, Kan.
In effect, when you perform a penetration test, you pay a company to try to hack your system, find inroads and repair them before hackers can exploit them.
“Penetration testing identifies many vulnerabilities before attackers do,” Lauerman said. “Unfortunately, it is easy to make small configuration or technical mistakes (when setting up a computer network) that can put large amounts of sensitive information at risk. These mistakes can be difficult to identify, although attackers are experts at finding and exploiting them. An attacker only has to win once, especially on an internet-facing server.”
Recently, Punctual Abstract, a real estate title abstracting firm headquartered in Harvey, La., hired TrustFoundry to perform a penetration test on its external network.
“When our customers order title evidence from Punctual Abstract, they trust that we will provide accurate information,” said Punctual Abstract CEO Ted Woloszyk. “Our responsibilities don’t end there. We need to make sure our title evidence is held in a secure manner and that we do not leave that information vulnerable for someone to steal it. Even though the information we gather is public record, it is sensitive when you bring it all together and put it in one spot.”
Punctual Abstract’s proprietary software integrates with several of the industry’s settlement services platforms, allowing title agencies to automate the creation of real estate closing documents utilizing property research conducted by Punctual Abstract. This information is transmitted over the internet, which is another reason why network security is crucial. Hence, the penetration test.
“It’s all about trust and integrity. We want our customers to know we’re doing the right thing even when no one is looking,” Woloszyk says. “Our customers don’t want to be doing business with companies who don’t have proper control of their data.”
Lauerman says when companies go shopping for network security tests, it’s important to know what you’re buying. There is a difference between a vulnerability assessment and a penetration test. He explains that a vulnerability assessment is primarily an automated assessment, which combines the information from multiple tools and is validated to remove false positives. Penetration testing digs much deeper to find and exploit vulnerabilities, such as weak credentials, advanced web application issues, and exposed assets and information in various places that the company may not know about.
“Penetration testing is an important part of a security program,” Lauerman said. “A company that conducts penetration testing is more likely to keep their customer’s data secure. Penetration testing is an increasingly common requirement for companies, driven both by their customers and also internal pressure to uphold and maintain data security.”
Most frequently, penetration testing is performed once a year, although it’s up to the company to determine what is warranted. The industry is moving towards more continuous testing to help identify any changes that may occur throughout the year.
For most companies with a moderate amount of public-facing infrastructure, the cost of external network penetration testing is between $5,000 and $15,000.
Punctual Abstract’s IT staff was able to make several changes and improvements as a result of TrustFoundry’s penetration test.
Woloszyk says those fixes help him to have peace of mind. Yet, the company remains vigilant by training staff in practices that protect Punctual Abstract’s data integrity. “It’s an ongoing process,” he said.
Upcoming Webinar
Register for ALTA's next Title Topics webinar, which will be held from 1:00-2:00 p.m. EDT, Aug. 19, as industry experts hare information and explain why and how title and settlement companies should examine their computer system security by running penetration tests.
Contact ALTA at 202-296-3671 or communications@alta.org.