WA Council finds pen tests make a difference

Outsourcing a penetration test and vulnerability assessment has helped the City of Melville understand its security needs.

The City of Melville, in Western Australia, serves the needs of over 94,000 residents by providing more than 85 diverse services. With a significant focus on its security management process, the City of Melville recognised the value in contracting a vulnerability assessment and penetration test against its network to identify potential vulnerabilities in its network infrastructure.

The City wanted to help protect servers that might otherwise allow a network worm or malicious internet user to access the City's systems. Following internal and external assessment and testing of the network and network devices, the City would then develop an action plan to mitigate any reported vulnerabilities before a real-life security incident could take place.

Alphawest was selected by the City of Melville to conduct the vulnerability assessment and penetration testing exercises due to the strength of its security team and experience in conducting vulnerability assessment services.

Alphawest's testing methodology is based on current network security best practices and incorporates many elements from the Institute for Security and Open Methodologies (ISECOM) Open Source Security Testing Methodology Manual (OSSTMM).

The vulnerability assessment of the internet and internal systems was conducted with ISS Internet Scanner. This involved an assessment of all internet-facing devices from an external perspective (from the internet side of the firewall), an assessment of the City's LAN to attempt to identify all devices connected to the network, and a detailed vulnerability assessment of all network devices and servers. The results were presented in statistical and technical reports giving detailed instructions on how to resolve the issues identified.

The City's wireless infrastructure, firewalls, switches, routers and servers were subject to the detailed assessments. The assessments were scheduled and conducted so as to have little impact on business applications.

In penetration testing, an attempt was made to compromise the security of the targeted systems to gain access to protected information and resources. Instead of providing an exhaustive list of vulnerabilities, Alphawest's goal was to demonstrate the vulnerabilities of the systems and to leverage vulnerabilities to yield further access to protected resources. Rather than being a cooperative process, penetration testing simulated the actions of a malicious entity attempting to gain access to the City's IT systems.

"The vulnerability assessment and penetration testing conducted by Alphawest has helped demonstrate that the security controls we have in place are effective in reducing the threat of internet-based attackers. It has reaffirmed our commitment to provide ongoing investment and focus on IT security," said Jon Stoate, IT manager at the City of Melville. "We look forward to undertaking further assessments and testing periodically to compare the results from successive assessments to ensure that our level of security for our systems is increasing over time."
