Walsall Housing Group is 'safe as houses'
Owning and managing over 20,000 properties throughout Walsall, Walsall Housing Group (whg) is a group of non-profit making housing trusts, providing affordable, good quality homes and housing services to the local community, delivered by well trained, professional colleagues.
As part of this, Phil Pettifer, network and security manager for whg, has to ensure that the IT systems that support his 700+ colleagues' daily activities run smoothly and securely.
He explained: "I originally contacted Peapod Consulting to provide a health check, from the experts, as I wanted to make sure that we were secure from both external and internal threats.
"Although I felt that whg had adequate protection, I was aware that virus and malicious attacks can, and often do, occur and had suffered one instance of a virus, affecting laptop users, which was quickly quarantined and easily eradicated."
There are many reasons why organisations, such as whg, choose to have the exposure of their corporate network to attackers independently assessed.
These include: financial regulation, maintaining confidentiality of information and reputation, measuring third parties' security performance, conforming with industry best practice, detecting known security flaws, detecting human errors, applying corporate due diligence and simply having peace of mind.
Phil Pettifer said: "It's peace of mind to some extent. It's nice to know that a third party has looked at the system and can say how secure it is, in addition to getting that extra bit of knowledge that sits above what we know.
"In Peapod Consulting, we've got a company we can rely on and trust to bring to our attention something that we weren't aware of and need to know. In a sense, it's like a crutch to have that level of support if, and when, you need it."
The relative impact of a security breach on the organisation will vary for different information assets within it. Consider: what are the implications should any sensitive assets, research or personal information be disclosed? What effect would unauthorised changes to data have on the day-to-day running? What effect would an hour's downtime have? 4 hours? 8 hours?
Security testing does have some implications that must be managed by the organisation. Common to all the testing approaches is that they will run port scanning tools to detect what services are being offered by a system (e.g. web, mail).
Scanning a system for the presence of all such services can generate a fair amount of traffic and connection requests, so testing will consume some network bandwidth and system resources.
Phil added: "We did have one instance where the consultant advised that there may be a risk of some disruption to an application that was being tested. He was right, there was a little disruption, but we were prepared for it and were therefore able to manage it effectively."
The biennial DTI Information Security Breaches Survey 2006 illustrates that the average cost of a security incident in 2005/6 varied from £8,000 to £130,000, depending on the size of the business.
Phil said: "There is definitely merit in having regular tests because of new threats and vulnerabilities that come out during the year that they're aware of, and we're not, that leave us open."
As the bulk of a penetration test consists of manual effort, the extent of its findings can be very dependent on the experience and quality of the individual tester and the amount of time they are able to spend on the investigation.
It is important to use experienced, qualified testers who hold recognised security testing credentials and who have support procedures in place, i.e. secure handling, management and destruction of the data obtained during the test.
Phil added: "On its first inspection, Peapod Consulting were able to identify some medium risks that could potentially unlock our system. Since then they've conducted a further two tests, at regular intervals, and each time we've got better.
"Even so, with their knowledge and experience, they've still been able to access something that we hadn't expected them to and it has taken us by surprise. That's where Peapod Consulting's expertise really comes into play."
Penetration test reports are delivered as written documents complete with executive summaries, impact scenarios, technical detail and appendices of low level tool output and findings. They will give recommendations for remedial action.
Phil explained how the tests benefit whg: "On our last test, we received a very good report, which stated we were the best Citrix site it had been to. Even with this endorsement of our achievement, Peapod Consulting were still able to highlight a few vulnerabilities that were new to the marketplace, tried to exploit them and, although we were very low risk of them being exploited, they were still there.
"This is brilliant for me to use in reporting back to the Board to show where funds are being spent, resources needed and demonstrate value in these investments that benefit the whole organisation.
"With the knowledge that Peapod Consulting will keep me informed of anything that needs to be brought to our attention and if necessary we can bring the testing calendar forward, this gives me great peace of mind."
Reproduced from an article published by 24dash.com
© 24dash.com
The original article can be viewed here:
http://www.24dash.com/socialhousing/29706.htm