With cyber attacks becoming the norm, it is more important than ever to undertake regular vulnerability scans and penetration tests to identify vulnerabilities and to confirm, on a regular basis, that your cyber security controls are working.
When appointing an external provider of penetration testing services, it is important that you choose a supplier who can most effectively meet your requirements. IT Governance is a CREST member, which means that we are a trusted, specialist organisation employing qualified professionals (CREST-qualified staff) who can conduct penetration tests for you.
What is penetration testing?
Effective penetration testing involves the simulation of a malicious attack (either from malicious outsiders or from your own staff) on an organisation’s information security arrangements, often using a combination of methods and tools. It has to be conducted by a certified, ethical professional tester (CREST-qualified staff). The resulting findings from a pen test provide a basis upon which security measures can be improved.
There is a range of potential attack vectors and methods that a test needs to cover. These include open ports, Wi-Fi passwords, packet sniffing, phishing schemes, browser exploits and social engineering. Penetration testing looks to exploit known vulnerabilities, but should also draw on the expertise of the tester to identify specific weaknesses (previously unknown vulnerabilities) in an organisation’s security arrangements.
It is rare that our pen testers come across an organisation that does not have some room for improvement. We present the vulnerabilities and risks to the organisation, together with recommendations for remediation, as hard facts in a ‘traffic light’ report that is made as easy as possible to understand.
CREST describes the key benefits of effective penetration testing as follows:
a reduction in your ICT costs over the long term;
improvements in the technical environment, reducing support calls;
greater levels of confidence in the security of your IT environments; and
increased awareness of the need for appropriate technical controls.
Why conduct penetration testing?
New vulnerabilities are identified and exploited by hackers every week. In many cases, you won’t even know that your defences have been successfully breached until it’s too late. There is nowhere to hide: the automated scanning used by attackers means there is no security through obscurity. Even if you are a relatively unknown organisation of little apparent interest to an attacker, the scans will find your presence online. It is not a question of whether you will be attacked, but when.
You should conduct regular testing of your systems in order to:
determine the weaknesses in the infrastructure (hardware), applications (software) and people, in order to develop controls;
ensure controls have been implemented and are effective, which provides assurance to information security and senior management;
test applications that are often the avenues of attack (applications are built by people, and people can make mistakes despite best practices in software development);
discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities);
produce evidence in the form of reports to managers that your security measures are adequate and working, demonstrating that your IT spend is appropriate and cost-effective;
ensure compliance with critical standards such as PCI DSS and ISO27001, the requirements of the Data Protection Act and other relevant privacy legislation/regulations;
provide assurance to customers, both in a B2C and B2B context, that their data is being protected and that your organisation is not a weak link in their information security chain.
Penetration testing as a government requirement
Information is a key asset to Government and its correct handling is vital to the safe and effective delivery of public services. Public Sector Departments and Agencies need to be confident that their information assets are safely and securely stored, processed, transmitted and destroyed, and expect the same from their delivery partners and suppliers.
According to the HMG Security Policy Framework, all ICT systems that handle, store or process protectively marked information or business-critical data must undergo a formal risk assessment to identify and understand the relevant technical risks, and must undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed. Penetration tests are required in line with the mandatory technical risk assessments for all ICT systems or services. These assessments must be repeated annually or whenever there are significant changes to a risk component.
Public sector organisations must also ensure that the security arrangements of their suppliers are appropriate for managing risk and responding effectively to any incidents. To comply with this requirement, they must seek assurance from their suppliers that they are managing their protective security and information risks to an appropriate level. Information assurance and business continuity requirements are specified in government contracts with third-party suppliers. In addition, the management of assurance activities must be independent of the organisation providing the service. HMG considers ISO27001 to be best practice for managing information security risks, and in some instances ISO27001 certification is a requirement of doing business with HMG.
Control Objective A12.6 in ISO27001:2013, on Technical Vulnerability Management, specifies that information about the technical vulnerabilities of information systems be obtained in a timely fashion, that the organisation's exposure to such vulnerabilities be evaluated, and that appropriate measures be taken to address the associated risk. A vulnerability assessment or penetration test is the best method for identifying these vulnerabilities in systems, infrastructure and web applications.
Penetration testing and ISO27001
Penetration testing is an essential component in any ISO27001-compliant Information Security Management System (ISMS), from initial development to ongoing maintenance and continual improvement.
There are three specific points in your ISMS project at which penetration testing has a significant contribution to make:
As part of the risk assessment process: uncovering vulnerabilities in any internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
As part of the risk treatment plan: ensuring that the controls which are implemented actually work as designed.
As part of the ongoing corrective action/preventive action (CAPA) and continual improvement processes: ensuring that controls continue to work as required and that new and emerging threats and vulnerabilities are identified and dealt with.
IT Governance Security Testing Services
IT Governance Ltd is a CREST member company. This means that we have been verified as meeting the rigorous standards mandated by CREST. Clients can rest assured in the knowledge that the work will be carried out to rigorous standards by qualified and knowledgeable individuals. We provide the following services as ITG Security Testing, part of the IT Governance family.
IT Health Checks: we will identify technical security vulnerabilities in applications, networks, websites and IT infrastructure.
Penetration Tests: Fixed Price or ‘Scoped’ Consultant-Driven Penetration Tests
The offerings below are provided on a “fixed scope, fixed price” basis. However, our penetration test service also includes a customised penetration test based on your individual requirements, with the test scope prepared in consultation with you. A “Level 1” penetration test is a consultant-driven test designed to identify potential vulnerabilities in your systems, networks and applications, whereas a “Level 2” penetration test is a much more extensive test that simulates a cyber attack, designed to gain physical access to your system.
You can see the differences between the test levels in our comparative table.
Other Security Testing Services:
Annual / Quarterly Scanning Contracts: we can provide attractive prices for regular scanning contracts, helping you ensure that your defences remain adequate against identified and evolving risks, and that your corrective and preventive actions are closely linked to emerging threats and vulnerabilities.
Consultancy and Remediation Services.
Please see our Penetration Testing Packages for further details on the above services.
To book your Penetration Testing service, or to discuss your requirements, please call us now on 0845 070 1750 or email us.