CREST-accredited penetration testing (pen tests) from IT Governance can give you and your management peace of mind by assuring that your websites and networks are secure against attack.
Regular vulnerability scans and penetration testing should now be a fundamental part of your monthly and quarterly security checking. These scans ensure that you can identify and fix vulnerabilities and security holes as quickly as possible, and that your cyber controls are working as effectively as they need to.
IT Governance has made purchasing penetration testing simple! While we deploy advanced and sophisticated skills to help you stave off cyber attackers, we keep our commercial relationship simple and clear.
Call us today on 0845 070 1750 to discuss your requirements and discover how regular penetration testing will improve your organisation's cyber security.
Technical security testing solutions:
Our fixed-price or bespoke penetration tests deliver cost-effective solutions that will help you meet every testing requirement and budget.
As a CREST member company you can be assured of the rigorous standards employed by our qualified and knowledgeable penetration testers.
On this page:
What is penetration testing?
Effective penetration testing involves the simulation of a malicious attack (either from malicious outsiders or your own staff) on an organisation’s information security arrangements, often using a combination of methods and tools. It has to be conducted by a certified ethical professional tester (CREST-qualified staff). The resulting findings from a pen test provide a basis upon which security measures can be improved.
Types of exploits
There is a range of potential attack vectors and methodologies that can allow your information to be exploited. These include open ports, Wi-Fi passwords, packet sniffing, phishing schemes, browser exploits and social engineering. Penetration testing aims to exploit known vulnerabilities but should also use the tester’s expertise to identify specific weaknesses (unknown vulnerabilities) in an organisation’s security arrangements.
It is rare that our pen testers come across an organisation that does not have some room for improvement. We present the vulnerabilities and risks to the organisation, along with recommendations for remediation, as hard facts in a ‘traffic light’ report which is made as easy as possible to understand.
CREST describes the key benefits of effective penetration testing as follows:
A reduction in your ICT costs over the long term
Improvements in the technical environment, reducing support calls
Greater levels of confidence in the security of your IT environments
Increased awareness of the need for appropriate technical controls
Why conduct penetration testing?
New vulnerabilities are identified and exploited by hackers every week. In many cases, you won’t even know that your defences have been successfully breached until it’s too late. There is nowhere to hide; the automated scanning used by attackers means there is no security through obscurity. Even if you are a relatively unknown organisation of little apparent interest to an attacker, the scans will find your presence online, it is not a question of if you will be attacked, but when will you be attacked.
You should conduct regular testing of your systems in order to:
determine weaknesses in the infrastructure (hardware), application (software) and people in order to develop controls;
ensure controls have been implemented and are effective, which provides assurance to information security and senior management;
test applications that are often the avenues of attack (applications are built by people, and people can make mistakes despite best practices in software development);
discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities);
produce evidence that your security measures are adequate and working in the form of reports to managers, demonstrating that your IT spending is appropriate and cost-effective;
ensure compliance with critical standards such as the PCI DSS and ISO27001, and with the requirements of the Data Protection Act and other relevant privacy legislation/regulations;
provide assurance to customers, both in a B2C and B2B context, that their data is being protected and that your organisation is not a weak link in their information security chain.
Penetration testing and ISO 27001
Penetration testing is an essential component in any ISO 27001-compliant information security management system (ISMS), from initial development to ongoing maintenance and continual improvement.
Control A.12.6.1 of ISO27001:2013 specifies that “Information about technical vulnerabilities of information systems be obtained in a timely fashion, the organization's exposure to such vulnerabilities be evaluated and appropriate measures be taken to address the associated risk.” A vulnerability assessment or penetration test is the best method for identifying these vulnerabilities in systems, infrastructure and web applications.
There are three specific points in your ISMS project at which penetration testing can make a significant contribution:
As part of the risk assessment process: uncovering vulnerabilities in any Internet-facing IP addresses, web applications, or internal devices and applications, and linking them to identifiable threats.
As part of the risk treatment plan: ensuring that controls that are implemented actually work as designed.
As part of the continual improvement processes: ensuring that controls continue to work as required, and that new and emerging threats and vulnerabilities are identified and dealt with.
Penetration testing and the PCI DSS
Requirement 11 of the PCI DSS covers the need to regularly and frequently carry out tests to identify unaddressed security issues and scan for rogue wireless networks. The Standard states that penetration testing should be performed at least annually, and whenever there is a significant infrastructure or application upgrade or modification (for example, new system component installations, addition of a sub-network or addition of a webserver).
View IT Governance’s PCI and penetration testing page for more information on achieving compliance with the PCI DSS.
Penetration testing as a government requirement
Under the HMG Security Policy Framework, it is mandatory for all ICT systems that handle, store and process protectively marked information or business critical data to undergo a formal risk assessment to identify and understand relevant technical risks. They must also undergo a proportionate accreditation process to ensure that the risks to the confidentiality, integrity and availability of the data, system and/or service are properly managed. Penetration tests will be required in line with the mandatory technical risk assessments for all ICT systems or services. These assessments must be repeated annually or whenever there are significant changes to a risk component.
Public sector organisations must also ensure that their suppliers' security arrangements are appropriate for managing risk and responding effectively to any incidents. To comply with this requirement, they must seek assurance from their suppliers that they are managing their protective security and information risks to an appropriate level. Information assurance and business continuity requirements are specified in government contracts with third party suppliers. In addition, the management of assurance activities must be independent of the organisation providing the service. HMG considers ISO 27001 best practice in managing information security risks, and in some instances ISO 27001 certification is a requirement of doing business with HMG.
IT Governance Security Testing Services
IT Governance Ltd is a CREST member company. This means that we have been verified as meeting the rigorous standards mandated by CREST. Clients can rest assured with the knowledge that the work will be carried out to rigorous standards by qualified and knowledgeable individuals. We provide the following services under our ITG Security Testing brand.
Please see our Penetration Testing Packages for further details about our discounted, recurring penetration testing packages.
To book your penetration testing service, or to discuss your requirements, please call us now on 0845 070 1750 or email us.