Penetration testing or ‘pen testing’ is the most effective way of demonstrating that exploitable vulnerabilities within your company’s internet-facing resources have been identified, allowing suitable patches to be applied.
The aim is to identify browser exploits, unpatched software, unsecure coding practices and weak encryption algorithms. A penetration test must be conducted by a certified ethical penetration tester, who will use their expertise to identify specific weaknesses within an organisation’s security arrangements. This involves simulating a malicious attack on an organisation’s information security arrangements, often using a combination of methods and tools.
Threats are constantly evolving and changing.
It’s not a question of if you will be attacked, but when.
Even if you are a relatively unknown organisation of little apparent interest to an attacker, criminals’ automated scans will find your presence online.
More and more applications are directing traffic by default through http to bypass firewall rules.
Malware can be downloaded automatically.
Websites can be infected by code injection, cross-site scripting and other similar black-hat hacking techniques.
Your website traffic can be hijacked.
Blacklisting by major search engines can cause you to lose business.
It is easy for new vulnerabilities to be identified and exploited by criminal hackers. In many cases, you won’t even know that your defences have been successfully breached until it’s too late.
Which test best suits my organisation?
Here at IT Governance, we present the vulnerabilities and risks to the organisation once the test has been conducted, along with recommendations for remedial action, which are displayed as facts in an easily understandable report.
Our bespoke penetration tests deliver cost-effective and practical solutions that will help you meet your legal, regulatory and contractual requirements:
Is your business secure? Are you sure?
IT Governance Ltd is a CREST member company. This means that we have been verified as meeting the rigorous standards mandated by CREST. Clients can rest assured that IT Governance penetration tests will be carried out to the highest standards by qualified and knowledgeable individuals.
Strengthen your knowledge of penetration testing using the helpful resources below:
FREE DOWNLOADABLE GUIDES AVAILABLE
20 compelling reasons that frequent penetration tests and vulnerability assessments are crucial. Practical tips for getting the most out of your penetration test.
Our guides will help you build a board-level business case for penetration testing and then ensure you maximise the benefit of your penetration tests.
BUY THE BOOK:
Introduces the concepts and techniques used in penetration testing, giving readers an understanding of the principles of ethical hacking.
Covers the topics required for the Certified Penetration Testing Engineer (CPTE) examination, making it a handy study guide for anyone preparing to take the exam.
Remain ahead of the game:
Keep up to date with the latest news on information security (infosec), stay informed on risk management and compliance, and maintain a firm knowledge on IT Governance: use our newsletter page to choose what’s important to you.
Continue reading for further information on penetration testing as a government requirement, how it applies to the PCI DSS and ISO 27001, and solutions for PCI DSS, ISO 27001 and Cyber Essentials penetration testing.
Penetration testing as a government requirement
Under the government’s Security Policy Framework, all ICT systems that handle, store and process protectively marked information or business critical data must undergo a formal risk assessment to identify and understand relevant technical risks. They must also undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed. Penetration tests will be required in line with the mandatory technical risk assessments for all ICT systems or services. These assessments must be repeated annually or whenever there are significant changes to a risk component.
Public-sector organisations must also ensure that their suppliers' security arrangements are appropriate for managing risks and responding effectively to any incidents. To comply with this requirement, public sector organisations must seek assurance from their suppliers that protective security and information risks are being managed to an appropriate level. In addition, the management of assurance activities must be independent of the organisation providing the service. The UK Government considers ISO 27001 to be best practice in managing information security risks, and in some instances ISO 27001 certification is a requirement of doing business with the government.
Penetration testing and ISO 27001
Penetration testing is an essential component of any ISO 27001-compliant information security management system (ISMS), from initial development to ongoing maintenance and continual improvement.
Control A.12.6.1 of ISO 27001:2013 specifies that “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.” A vulnerability assessment or penetration test is the best method for identifying these vulnerabilities in systems, infrastructure and web applications.
There are three specific points in your ISMS project at which penetration testing can make a significant contribution:
As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
As part of the risk treatment plan: ensuring that controls actually work as designed.
As part of the continual improvement process: ensuring that controls continue to work as required, and that new and emerging threats and vulnerabilities are identified and dealt with.
Penetration testing and the PCI DSS
Requirement 11 of the PCI DSS covers the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks. The Standard states that penetration testing should be performed at least annually, as well as whenever there is a significant infrastructure or application upgrade or modification (for example, new system component installations, or the addition of a sub-network or web server).
Click for options for and information about penetration tests for: