Earlier this year, Customs Trade Partnership Against Terrorism (CTPAT) released guidelines for minimum security criteria to be used by CTPAT members. This includes physical security as well as cybersecurity.
CTPAT is open to members of the trade community who demonstrate that their security practices are in place and who have not had any significant security events. It is a voluntary program, and the trade community consists of exporters, importers, carriers, foreign manufacturers, and more.
Some of the new guidelines for security practices include written policies and procedures, installation of specific safeguards, and regular testing of the security of their IT infrastructure. Many of the policies and procedures requirements and safeguards can be reviewed through a security risk assessment. This assessment would determine things like identifying unauthorized users, user access restrictions based on job roles, individual accounts for each person, and remote access if applicable. All of these are requirements based on the CTPAT Minimum Security Criteria.
The other requirement of regularly testing the security of the IT infrastructure can be done with network penetration testing. CTPAT states that a “secure computer network is of paramount importance to a business, and ensuring that it is protected requires testing on a regular basis. This can be done by scheduling vulnerability scans.”
Not to be mistaken as penetration testing, vulnerability scanning is an automated process that only detects the known vulnerabilities within a network environment. This does not include the manual labor of verifying false positives or detecting default credentials on a firewall or server. Penetration testing uses the extra leverage of a vulnerability scan to try and identify a hole by which a malicious user can gain access into the network. This is why network penetration testing is so important within a company. MainNerve utilizes ethical hackers to act as malicious users to scour and detect holes within the network that can be easily hacked.
As attacks become more sophisticated, a vulnerability scan may not be enough to tell if you have significant security flaws or vulnerabilities. To learn more about the differences between penetration testing and vulnerability scanning, check out our post.
At MainNerve, we highly suggest conducting a penetration test annually. We can perform vulnerability scans quarterly or six months after the penetration test to help ensure that there are fewer vulnerabilities throughout the year.
While we understand it can be difficult to justify spending money on a penetration test if you haven’t already been doing so, the benefits surely outweigh cost of a hack. Being proactive ($) is always better than being reactive ($$$$). Contact MainNerve for one of our sample reports so you can see what type of findings might be identified in your network. That way you can be sure to meet all the CTPAT security criteria.