Identify weak links in the security of your IT systems.
WHAT IS PENETRATION TESTING?
This is a method for gaining assurance in the security of an IT system. It attempts to breach some or all of that system’s security, using the same tools and techniques as an adversary might. Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes. It shouldn’t be a primary method for identifying vulnerabilities.
HOW DOES A PENETRATION TEST HELP?
Penetration tests uncover software, system, and network vulnerabilities. They also identify the level of technical risk, which helps organisations prioritise their mitigation actions.
When vulnerabilities are found, a thorough pen test should be able to demonstrate how they could be exploited, how a breach would unfold, and how much data an attacker could reach before being detected. Highly experienced pen testers can also find subtle issues with processes that would not otherwise have been detected. This gives organisations comprehensive insight into both their vulnerabilities and their vulnerability management processes, helping them avoid a malicious attack.
HOW DOES PEN TESTING WORK?
- Scoping: During scoping the areas of concern are outlined, the organisation’s technical team runs through the technical boundaries of its IT estate, and the pen test team suggests which type of testing is applicable in order to identify vulnerabilities. The agreed scope defines what the testers are authorised to test, so it should be written down and agreed by both sides.
- Testing: During the testing phase a technical point of contact must be on call, so that the pen test team can raise any critical issues found during testing (a network misconfiguration, for example) and have them resolved promptly. It is common to discover systems or components that lie outside the agreed scope. In that case the pen test team may propose a change to the scope, which must be agreed before those systems are tested and can alter the testing time frame or cost.
- Reporting: When testing is over, the report lists the security issues found and the level of risk each one exposes the organisation to. It also includes remediation advice for each issue and recommendations for improving the organisation’s internal vulnerability assessment process.
- Severity Rating: Each vulnerability found is given a numerical score using the Common Vulnerability Scoring System (CVSS). Note that a CVSS base score measures the intrinsic severity of a vulnerability, not the risk to your organisation; the rating should be adjusted for the context of the affected system (its exposure, the data it holds and any existing controls). Depending on the resulting risk level, the pen test team will advise whether further mitigating controls need to be applied.
- Follow up on the report: The pen test report is assessed by the organisation’s vulnerability management team. Any newly detected vulnerabilities will require attention in order of their severity, and the pen testers will suggest the solutions best suited to your needs.
The NCSC recommends that organisations use testers and companies accredited under at least one of the following schemes: CREST, Tiger Scheme, CHECK.