Earlier this spring, the FTC proposed changes to the Gramm-Leach-Bliley Act (GLBA), the law that requires financial institutions to safeguard sensitive customer data. If passed, the changes would create new infosecurity requirements for a large number of companies, building on the ideas laid out in New York State’s NYDFS Cybersecurity Regulation.
Organizations of many kinds will need to keep an eye on this proposal, since it would cover more than just your garden-variety financial services company. Whether you’re a college that issues student loans, a real estate appraiser, a retailer that issues its own credit cards to customers, or any other business that processes, stores, or transmits personal financial, banking or economic data, you’ll need to comply.
More than just expanding the definition of a “financial institution,” however, the proposal would require changes to the ways companies protect consumer information they collect. Notably, organizations that process data on more than 5,000 customers will need to perform penetration testing and vulnerability assessments, on top of continuous monitoring and testing.
That last distinction – between penetration testing and vulnerability scanning – is one that’s often overlooked, but vitally important. In fact, New York’s recent cybersecurity regulations were the first time we’d seen the delineation between penetration testing and vulnerability scanning codified into state-wide regulations. Now, with the FTC looking to follow suit, let’s take a look at what that really means. What’s the difference between the two, and why is it so noteworthy that both are required by New York State – and could soon be required by federal law?
Penetration testing has long been understood as an essential component of security. According to the PCI Security Standards Council, penetration testing identifies ways to exploit vulnerabilities to circumvent or defeat the security features of system components:
“There are three types of penetration tests: black-box, white-box, and grey-box. In a black-box assessment, the client provides no information prior to the start of testing. In a white-box assessment, the entity may provide the penetration tester with full and complete details of the network and applications. For grey-box assessments, the entity may provide partial details of the target systems. PCI DSS penetration tests are typically performed as either white-box or grey-box assessments. These types of assessments yield more accurate results and provide a more comprehensive test of the security posture of the environment than a pure black-box assessment. Black-box assessments offer very little in the way of value for PCI DSS penetration tests; since the entity provides no details of the target systems prior to the start of the test, the test may require more time, money, and resources to perform.”
Vulnerability scanning, on the other hand, means that you’re looking for unknown – or zero-day – vulnerabilities. The purpose is to identify, rank, and report vulnerabilities that, if exploited, may result in compromise of a system. This type of scanning identifies ways to exploit vulnerabilities to circumvent or defeat the security features of system components. It is usually done quarterly, and should also be done after any significant change to the environment.
Through mainframe vulnerability scanning, we can uncover new vulnerabilities – ones that are flying under the radar and placing organizations at risk. KRI’s z/Assure® Vulnerability Analysis Program (VAP) tests and monitors running code for zero-day vulnerabilities, helping organizations stay secure.
These two functions – penetration testing and vulnerability scanning – are both essential to an organization’s security strategy. Without penetration testing, you can’t tell which “known” vulnerabilities you have, and without vulnerability scanning, you won’t discover what “unknown” vulnerabilities are threatening the security of your business. But with both, organizations get a more complete picture of their vulnerabilities, allowing them to ensure the security of their mainframes.
That’s why we’re glad to see the delineation in the FTC proposal, after successful implementations in NYS – and across the pond, with GDPR. When businesses are responsible for both known and unknown vulnerabilities, it ensures that our businesses, and our data as consumers, are more secure.
Visit our website to learn more about Key Resources, Inc.’s mainframe vulnerability scanning software.