Yes, but calm heads can help you choose whether to outsource or do it yourself
The New York State Office of Cyber Security and Critical Infrastructure labored for several years to protect its networks and information technology assets with layers of security. It tightened existing IT policies, procedures and practices and instituted new ones, conducted gap analyses and established plans for mitigating security breaches.
Since then, the state has conducted regular scans to detect IT vulnerabilities - the equivalent of looking for frayed threads that can unravel and leave an agency's networks and systems exposed.
The state will soon throw another protective blanket onto the pile. For the first time, it will try to hack into its own systems. For IT professionals, penetration testing is the ultimate security measure.
Penetration testing goes beyond tapping at the door, said William Pelgrin, chief cybersecurity officer of New York's Cyber Security and Critical Infrastructure Coordination. "It's breaking through the door."
New York officials haven't decided who they will let try to break through the door. Until recently, penetration testing was the exclusive purview of highly skilled technicians who employed extensive toolkits of specialized programs to probe and exploit system and network weaknesses. A deep-dive penetration test could take weeks to complete and cost hundreds of thousands of dollars.
But new automated tools promise to do the job more quickly and at less expense. Among those is Core Security Technologies' Core Impact, which the company says can run a meaningful penetration test in a few hours. The company charges an annual fee of $25,000 for an unlimited-use license. State and local chief information officers and chief information security officers say they must evaluate the pros and cons of the new software options, including open-source applications such as Metasploit.
A Growth Industry
So when does it make sense to use an automated penetration test?
Advocates of the new tools say the applications give in-house security professionals more control, including the ability to perform penetration tests as often as they want. Critics of...