Penetration testing – what business owners and IT managers need to know

Cyber attacks, advanced persistent threats (APTs), zero-day vulnerabilities and other threats that have been made possible by the Internet and broadening connectivity put any organisation’s information at risk. Should any of these threats come to pass, the repercussions can be significant: from business disruption and reputational damage to going out of business – all scenarios are possible.

While cyber threats cannot be stopped (quite the opposite; they’ll continue to evolve), organisations can considerably reduce the likelihood of being breached by conducting penetration tests.

We spoke to Geraint Williams, head of technical services at IT Governance, to find out why penetration testing is so important to any company. Geraint is a PCI QSA and holds certifications in security and digital forensics including CISSP, CREST Registered Tester, CEH and CHFI.

What is penetration testing?

Penetration testing consists of testing an organisation’s current security posture using the same methods and techniques that actual attackers use in the wild. These tests are often scenario-based and they attempt to assess the impact of various threats. These threats range from the pestering script kiddie who follows YouTube tutorials on how to hack, all the way to advanced persistent threat (APT) groups that are not only well funded and highly skilled, but also have a very specific target.

Why is penetration testing necessary?

Penetration testing is conducted for a number of reasons. It can be done as assurance that your security controls are working or to determine your attack surface area (your exposure to hackers).

It may be necessary as part of certification or accreditation to a standard, a requirement in order to do business with clients, or a requirement of cyber insurance.

Without knowing the state of your security, how can you develop and improve? Knowledge of your attack surface area can help you develop and implement a security programme.

The necessity of penetration testing is no different from any other kind of testing. The fact that an organisation has not yet been breached, for instance, does not necessarily mean that it won’t be at some point in the future. There’s also the possibility that it has already been breached without anyone even noticing.

What’s the best way to determine how often penetration testing is necessary?

There are a multitude of factors to consider when deciding how often a penetration test should be performed. In order to answer this question accurately, an organisation needs to conduct an internal risk assessment and threat analysis to determine its risk appetite.

The testing programme should reflect the organisation’s requirements and be cost-effective. As part of the testing programme, organisations should consider performing vulnerability assessments reasonably frequently and conduct full-scale penetration testing on an annual basis.

IT Governance strongly recommends that penetration tests are conducted at least quarterly. ISO 27001, the information security standard, recommends that penetration tests and/or vulnerability assessments are conducted at various stages of the implementation cycle. It is also recommended that testing is performed after changes to your infrastructure or public-facing web applications.

What needs to be tested?

From the risk assessments, threat analyses and vulnerability management activities, an organisation should identify the systems at risk and have these tested. Because any external system will be scanned by script kiddies who will probe any weaknesses they find, it is far better to have a friendly tester rather than a malicious hacker find the weakness.

A common attack vector is trying to get your employees to open malicious attachments or visit malware-infected websites. Malicious software then tries to find a way back out of the network, so it is important to test your defences against the exfiltration of data as well as infiltration attempts from outside. Any risk analysis should also consider the malicious insider, which is still a very common threat actor. Internal testing can ensure your assets are protected from those who do not have a business need to access them.

Generally, Internet-facing services are the most common target for attack. In order to accurately answer this question, an organisation needs to conduct an internal risk assessment and threat analysis.

Are there certain organisations or industries that should or should not do it more often?

There is probably no business that is not at risk from attack by automated scanning tools, which are operated by anyone from script kiddies to organised criminals and activists. Motivation is often financial – all data can be monetised by criminals – but other motivating factors may be in play. Activists try to score political points, for instance, while script kiddies are looking for kudos or recognition for their activities. Organisations dealing with financial and personally identifiable information are especially at risk, along with those that are reliant on the Internet for profit, such as gambling sites.

The motivation for the majority of attacks is financial gain. Information such as bank details, personal records and so on are highly sought after due to their market value.

Which frameworks or standards require proof that penetration tests have been conducted?

Penetration testing is a major requirement for compliance with standards such as ISO 27001 and the PCI DSS. The UK Cyber Essentials scheme is a baseline certification that requires a different level of testing known as internal and external vulnerability scanning. The banking industry uses a higher level of accreditation such as CBEST to demonstrate security profiles.

How should you select your penetration testing provider?

Given that you will be entrusting your testing provider with access to your systems, it is important only to use providers that are accredited by a recognised certification body. In the UK, that would be CREST. A penetration testing provider should be able to provide a detailed technical report on the nature of the vulnerabilities found on the system and an executive summary.

IT Governance provides fixed-price CREST-accredited testing services that can be deployed by any organisation looking for better protection.

Book our Combined Infrastructure and Web Application Penetration Test – Level 1 today.
