Bonvillain (whose too-good-to-be-true surname is, in fact, real; “I was born to do this job,” he says) explains that the drama of penetration testing adds to its effectiveness. “The impact of actually showing [security gaps] to clients is a powerful driver for real change,” he says. Sometimes the in-house security team “will have said the same things we’ll say in our report,” only to see their warnings brushed off due to budget concerns. In those cases, penetration testing may serve as a wake-up call.
That, Bonvillain says, is one reason why companies hire firms like Accuvant or NetSPI to conduct tests instead of delegating the task to their own security people. “Also, we’re better at it,” he says, referring to his 25-member team.
Scout, Then Invade
Periodic penetration testing is now required in some industries by legislation or industry regulation. Examples include the Gramm-Leach-Bliley Act in banking, the Health Insurance Portability and Accountability Act (HIPAA) in health care, and the Payment Card Industry Data Security Standard (PCI DSS), established by the card brands (Visa, American Express, et cetera) for merchants that accept their cards.
Penetration testing companies do most of their business in industries subject to such regulations. But security requirements imposed by outside agencies aren’t the only force prodding clients to conduct penetration tests. Every organization that stores sensitive information about customers, employees, or business practices has a vested interest in protecting it. Some worry about competitors and even foreign governments that are constantly on the prowl for ways to steal intellectual property.
And nobody wants to suffer embarrassment like that inflicted in 2007 on TJ Maxx. In that notorious case, regarded at the time as the biggest data breach ever (although a network security breach disclosed in January at New Jersey–based payments processor Heartland Payment Systems may surpass it), hackers parked outside a Marshalls department store in St. Paul and used an antenna to pick up wireless signals from hand-held payment scanners. They were then able to decode the data, break into the parent company’s database, and steal the credit and debit card data of an estimated 47 million customers.