3 Ways Pen Testing Helps DLP (and 2 Ways It Doesn't)

Orbitz CISO Ed Bellis says penetration testing is a valuable tool in his data loss prevention arsenal. But it won't help him find everything.

Pro: Legacy App Finder

As Bellis mentioned, the number of applications in use within Orbitz is, for practical purposes, uncountable. Buried among them are apps that have been around for years but may no longer be in use. Yet they are still sitting on the network, full of vulnerabilities waiting to be exploited by a data thief.

In this case, pen testing is helpful.

"Pen testing is a great way to pinpoint legacy apps that are potential trouble -- apps you built years ago that aren't going anywhere," Bellis said. "You'll find apps you didn't know you had."

Some of those applications are easily exploited by company insiders with malicious intentions, including those who have just been laid off. In a separate presentation, Jenny Yang, senior manager for data loss prevention at Symantec Corp., mentioned a study the company recently conducted with the Ponemon Institute in which 59 percent of those surveyed admitted to stealing confidential company information on the way out the door.

Yang noted that the most common method of data lifting in this case is to put the data on a CD or USB stick. Those methods often involve accessing some of the legacy applications that are a doorway into the more sensitive data stockpiles. "To deal with this, you need to find out where the sensitive data resides, understand how it's used and prevent it from being downloaded," she said.

Pen testing is a useful tool for that task, Bellis said.

Pro: Logic Flaw Finder

Another weak link on a network is a logic flaw -- a vulnerability that can allow someone to access data that appears safe on the surface. Bellis said this is another area where pen testing is useful. "It often takes a person to find a logic flaw [as opposed to automated security tools] and you often find that you don't have to be a hacker to exploit an application in ways not intended," he said.

Example: Many online public relations services like Business Wire store embargoed press releases -- those not meant to be released until a specific date -- on their sites in an area thought to be closed off from the viewing public. But logic flaws can enable a competitor to access them. In one case, Bellis noted, an Estonian financial firm was able to use a site log-in to stumble upon a competitor's embargoed releases. The firm ultimately made $8 million on insider trading by exploiting this weakness, Bellis said.
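To make the class of flaw concrete, here is an added example (it is not Business Wire's code, nor anything Bellis described in detail; the names, IDs and sample releases are all hypothetical and constructed). A press-release store hides embargoed items from its listing page, but the detail endpoint only checks that the caller is logged in. That is exactly the kind of "looks safe on the surface" flaw that an automated scanner rarely flags, because every request is authenticated and returns a valid page; a tester who simply walks the release IDs finds it in minutes. The block shows the vulnerable handler beside the fixed one and a small probe routine that plays the tester's role.

```python
"""Authorization logic flaw of the kind described above.

Hypothetical press-release store (illustration only, not any real vendor's code):
the listing endpoint hides embargoed releases, but the detail endpoint only checks
that the caller has a login. Any authenticated user who guesses or increments a
release ID can read an embargoed release before its publication date.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Release:
    release_id: int
    owner: str            # company that submitted the release (hypothetical)
    embargo_until: datetime
    body: str


# Constructed sample data: one already-public release, one still under embargo.
NOW = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)
RELEASES = {
    101: Release(101, "acme", datetime(2005, 2, 1, tzinfo=timezone.utc), "Acme Q4 results: ..."),
    102: Release(102, "globex", datetime(2005, 3, 15, tzinfo=timezone.utc), "Globex acquires ..."),
}


class Forbidden(Exception):
    """Raised when an access check denies the request."""


def list_releases(user: str, now: datetime = NOW) -> list[int]:
    """Listing page: embargoed releases are hidden unless you own them.
    This is the only place the embargo is enforced in the vulnerable version."""
    return [
        r.release_id for r in RELEASES.values()
        if r.embargo_until <= now or r.owner == user
    ]


def get_release_vulnerable(user: str, release_id: int, now: datetime = NOW) -> str:
    """Flaw: authentication is checked (a login is required) but the embargo is not,
    so any site user who requests ID 102 directly receives the embargoed text."""
    if not user:
        raise Forbidden("login required")
    return RELEASES[release_id].body


def get_release_fixed(user: str, release_id: int, now: datetime = NOW) -> str:
    """Fix: enforce the embargo and ownership on every access path,
    not only in the listing that happens to feed the UI."""
    if not user:
        raise Forbidden("login required")
    rel = RELEASES[release_id]
    if rel.embargo_until > now and rel.owner != user:
        raise Forbidden("release is embargoed")
    return rel.body


def probe(fetch, user: str, now: datetime = NOW) -> list[int]:
    """The tester's step: request every ID that the listing did NOT show
    and record which ones the detail endpoint hands over anyway."""
    visible = set(list_releases(user, now))
    leaked = []
    for rid in sorted(RELEASES):
        if rid in visible:
            continue
        try:
            fetch(user, rid, now)
            leaked.append(rid)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    # A competitor with an ordinary login sees only release 101 in the listing...
    print("listing:", list_releases("competitor"))
    # ...but the vulnerable detail endpoint leaks 102, the fixed one does not.
    print("leaked (vulnerable):", probe(get_release_vulnerable, "competitor"))
    print("leaked (fixed):     ", probe(get_release_fixed, "competitor"))
```

The point of the probe is that it needs no exploit tooling at all, which is what Bellis means by "you don't have to be a hacker": a valid login plus a guessed identifier is enough, and the fix is an authorization check at the object level rather than only in the view that lists objects.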
