CREST-accredited penetration testing (pen tests) from IT Governance can give you and your management team peace of mind by assuring that your websites and networks are secure against attacks.
Regular vulnerability scanning and penetration testing should be a fundamental part of your monthly and quarterly security review process. These tests ensure that you identify and fix vulnerabilities and security holes as quickly as possible, and establish whether your cyber controls are working as effectively as they need to.
Call us today on 0845 070 1750 to discuss your requirements and discover how regular penetration testing will improve your organisation's cyber security.
Fixed-price penetration tests
IT Governance has made purchasing penetration testing simple. While we deploy advanced and sophisticated skills to help you stave off cyber attackers, we keep our commercial relationship simple and clear. Our fixed-price or bespoke penetration tests deliver cost-effective solutions that will help you meet every testing requirement and budget.
What is penetration testing?
Effective penetration testing involves the simulation of a malicious attack on an organisation’s information security arrangements (either from malicious outsiders or its own staff), often using a combination of methods and tools. A penetration test has to be conducted by a certified (e.g. CREST-qualified) ethical professional tester. The findings from a penetration test provide a basis upon which security measures can be improved.
Types of exploits
A range of potential attack vectors and methodologies can allow your information to be exploited. These include open ports, Wi-Fi passwords, packet sniffing, phishing schemes, browser exploits and social engineering. Penetration testing aims to exploit known vulnerabilities but should also use the tester’s expertise to identify specific weaknesses (unknown vulnerabilities) in an organisation’s security arrangements.
It is rare that our pen testers come across an organisation that does not have some room for improvement. We present the vulnerabilities and risks to the organisation, along with recommendations for remediation, as hard facts in a ‘traffic light’ report that is made as easy as possible to understand.
Why conduct penetration testing?
New vulnerabilities are identified and exploited by hackers every week. In many cases, you won’t even know that your defences have been successfully breached until it’s too late. Even if you are a relatively unknown organisation of little apparent interest to an attacker, the criminals’ automated scans will find your presence online. It is not a question of if you will be attacked, but when.
You should conduct regular testing of your systems to:
determine weaknesses in the infrastructure (hardware), application (software) and people so that you can develop appropriate controls;
ensure controls have been implemented and are effective, which will provide assurance about information security to senior management;
test the security of your applications, which are often avenues of attack for cyber criminals (applications are built by people, and people can make mistakes despite best practices in software development);
discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities);
produce evidence, in the form of reports to managers, that your security measures are adequate and working, demonstrating that your IT spending is appropriate and cost-effective;
ensure compliance with critical standards such as the PCI DSS and ISO 27001, and with the requirements of the Data Protection Act and other relevant privacy legislation/regulations;
provide assurance to customers, both in a B2C and B2B context, that their data is being protected and that your organisation is not a weak link in their information security chain.
Penetration testing and ISO 27001
Penetration testing is an essential component of any ISO 27001-compliant information security management system (ISMS), from initial development to ongoing maintenance and continual improvement.
Control A.12.6.1 of ISO 27001:2013 specifies that “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated and appropriate measures be taken to address the associated risk.” A vulnerability assessment or penetration test is the best method for identifying these vulnerabilities in systems, infrastructure and web applications.
There are three specific points in your ISMS project at which penetration testing can make a significant contribution:
As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
As part of the risk treatment plan: ensuring that controls actually work as designed.
As part of the continual improvement processes: ensuring that controls continue to work as required, and that new and emerging threats and vulnerabilities are identified and dealt with.
Penetration testing and the PCI DSS
Requirement 11 of the PCI DSS covers the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks. The Standard states that penetration testing should be performed at least annually, as well as whenever there is a significant infrastructure or application upgrade or modification (for example, new system component installations, or the addition of a sub-network or web server).
View IT Governance’s PCI and penetration testing page for more information on achieving compliance with the PCI DSS.
Penetration testing as a government requirement
Under the HMG Security Policy Framework, it is mandatory for all ICT systems that handle, store and process protectively marked information or business critical data to undergo a formal risk assessment to identify and understand relevant technical risks. They must also undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed. Penetration tests will be required in line with the mandatory technical risk assessments for all ICT systems or services. These assessments must be repeated annually or whenever there are significant changes to a risk component.
Public sector organisations must also ensure that their suppliers' security arrangements are appropriate for managing risk and responding effectively to any incidents. To comply with this requirement, they must seek assurance from their suppliers that they are managing their protective security and information risks to an appropriate level. In addition, the management of assurance activities must be independent of the organisation providing the service. The UK Government considers ISO 27001 to be best practice in managing information security risks, and in some instances ISO 27001 certification is a requirement of doing business with the government.
Why use IT Governance?
IT Governance Ltd is a CREST member company. This means that we have been verified as meeting the rigorous standards mandated by CREST. Clients can rest assured that IT Governance pen tests will be carried out to the highest standards by qualified and knowledgeable individuals.
Please see our Penetration Testing Packages for further details about our discounted, recurring penetration testing packages.
To book your penetration testing service, or to discuss your requirements, please call us now on 0845 070 1750 or email us.