Is penetration testing breaking Herts on the internet?

County council turns guns on itself...

County council turns guns on itself...

Hertfordshire County Council has signed a deal with security firm NetSec to run penetration testing on its systems - a process of replicating hacking techniques to test the robustness of security measures in place.

NetSec, recently acquired by MCI, will run testing on all the council's websites, systems and networking resources as well as applications developed in-house and by external third parties.

Dave Mansfield, telecoms services manager at Hertfordshire County Council, told NetSec will be running two levels of 'attack'. One involves an automated system of vulnerability testing, the other, a more manual approach, involves an off-site team running social engineering-based, and the latest physical hacking, techniques.

Councils are increasingly having to adopt more secure methods of communication as more and more functions and facilities move online.

"Because we are local government we tend to adhere to all edicts which are handed down. A lot of the information we handle is very sensitive such as the at risk kids register," added Mansfield. "We're probably a little paranoid but I think paranoia is a good starting point for good security."

'Ethical hacking' and penetration testing is becoming an increasingly important aspect of security with companies and organisations not willing to wait until somebody with criminal intent comes knocking before they discover where their vulnerabilities may exist.

Rob Chapman, founder of the Training Camp which runs a certified ethical hacking course, told demand is definitely growing for skills in this area.

One of the most important issues is that "too many people trust the vendors to tell them whether their software is secure," said Chapman. And while no vendor would deliberately ship insecure software it doesn't mean vulnerabilities don't exist in a great many applications used widely.

Mansfield agreed. "I personally think people have to look more and more at the application side. Application testing is the next big thing."

"We might buy the latest Microsoft product and roll it out but we know from attacks such as Blaster and the like that it doesn't stop there. We're now trying to pre-empt that."

"You can have all the firewalls and antivirus in the world but if you're running insecure systems then those defences might as well not be there."