Penetration Testing
There are many different types of penetration tests, and each one tests the security of a different part of your infrastructure. It is important to understand the differences when looking to obtain a penetration test:
- Website Penetration Testing – Performed against basic websites that do not have a login portal.
- Web Application Penetration Testing – Web applications have a login portal and back-end databases storing information for different user accounts. This added complexity means a greater attack surface and a more intricate penetration testing process.
- Internal Penetration Testing – Performed from within the business’s network against the internal network infrastructure. The purpose is to detect any risks that could be exploited by a disgruntled employee, or by an attacker who has compromised physical security.
Post Penetration Testing
You now have a substantial report documenting your company’s risks and recommendations. The first and most obvious step is to develop a remediation plan based on the risks in the report. These must be addressed in order of priority (High Risk to Low Risk).
Next, the two security processes below must be implemented (if they are not already in place):
1) Ongoing Penetration Testing – New vulnerabilities are discovered every week. Software that is fully up-to-date today can be easy prey for an attacker tomorrow. The minimum time-frame for conducting penetration testing on a business is once every 12 months. Furthermore, if you would like to adhere to the ISO 27001 Information Security Standard, security testing should be carried out for all new and updated infrastructure systems.
2) Security Operations Centre – A SOC team’s goal is to detect, analyse and respond to live cybersecurity incidents using a combination of technology solutions and strong processes. A SOC is the difference between a proactive business and a reactive business: it can catch things early.
A reactive business doesn’t have a SOC. Instead, it responds to events after they have happened – after an attacker has encrypted every single file and demanded Bitcoin, or after customer information has leaked onto the internet. By then, the reputational damage is irreversible.
Understanding the types of penetration testing that can be performed is necessary for a better understanding of a business’s security posture.
Continuous penetration testing ensures that new risks from newly released vulnerabilities are mitigated, while an external SOC provides lower financial cost, immediate access to security maturity, and potentially reduced legal and regulatory risk.
At CTRL Group, this philosophy is taken further by BlueNode – our Risk Operations Centre.