Answer yes if your organisation conducts regular penetration tests of its public facing IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.
What is the control?
A penetration test is similar to a vulnerability scan in detecting vulnerabilities but typically involves human interaction, a broader scope of checks, and an overall goal to breach the network or system.
Whereas vulnerability scans are limited to automated checks, typically run one at a time, a penetration test can involve improvised or adapted attempts that the tester can tailor to your environment. For example, they could go after an in-house application that no commercial vulnerability scanner would have checks for.
Testers can also create more dynamic scenarios and chain smaller vulnerabilities and misconfigurations together to gain access, even exploiting human elements in some cases.
Penetration testing your public-facing infrastructure more accurately mimics what a dedicated attacker would do once they have targeted your organisation and is a key security control.
Why should I have it?
While vulnerability scanning is good at detecting known vulnerabilities, penetration tests can often discover issues they miss. It’s therefore important to occasionally have a penetration test performed by a qualified assessor in order to have a greater level of assurance.
Clients typically ask for annual or quarterly penetration test reports when doing due diligence, in addition to more frequent vulnerability scanning.
Since there is a human element to most penetration testing, it's important to select a qualified provider (some large organisations may have internal functions as well). For similar reasons, it's also recommended to have multiple providers and rotate the testing to see if one provider can find things another missed and vice versa.
It's also important to be clear on scope: the more freedom testers are given, the more likely they are to discover vulnerabilities that an attacker (who operates with full discretion, constrained only by their own choices) would find and exploit.
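The questionnaire asks for three things: that tests happen regularly, that findings are remediated, and a note of the cadence. The following Python script is an added example (not part of this knowledge base or any named product) of how a small internal register of penetration tests can be evaluated to produce that answer and the supporting notes. The register entries, provider names, finding IDs and the per-severity remediation deadlines are all constructed sample values and assumptions for illustration; substitute your own policy figures.

```python
from datetime import date, timedelta

# Constructed sample register of external penetration tests (not real data).
# Each entry records the test date, the provider used, and the findings
# reported with the date each one was closed (None = still open).
PENTEST_REGISTER = [
    {
        "date": date(2023, 3, 10),
        "provider": "Provider A",
        "findings": [
            {"id": "F-1", "severity": "high", "remediated_on": date(2023, 3, 28)},
            {"id": "F-2", "severity": "low", "remediated_on": date(2023, 5, 1)},
        ],
    },
    {
        "date": date(2023, 9, 12),
        "provider": "Provider B",
        "findings": [
            {"id": "F-3", "severity": "critical", "remediated_on": date(2023, 9, 20)},
            {"id": "F-4", "severity": "medium", "remediated_on": None},
        ],
    },
]

# Remediation deadlines in days per severity. These are assumed policy values
# for the example, not figures taken from the questionnaire.
REMEDIATION_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def overdue_findings(register, today):
    """Return (id, severity, days_overdue) for findings still open past their SLA."""
    overdue = []
    for test in register:
        for finding in test["findings"]:
            deadline = test["date"] + timedelta(days=REMEDIATION_SLA_DAYS[finding["severity"]])
            if finding["remediated_on"] is None and today > deadline:
                overdue.append((finding["id"], finding["severity"], (today - deadline).days))
    return overdue


def assess_control(register, today, cadence_days=365):
    """Evaluate the control: regular tests of public-facing systems plus remediated findings.

    Returns the yes/no answer, the longest observed interval between tests (the
    cadence to state in the notes), whether more than one provider has been
    used, and any findings that are open beyond their remediation deadline.
    """
    dates = sorted(test["date"] for test in register)
    if not dates:
        return {"answer": "no", "reason": "no penetration tests recorded"}
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    days_since_last = (today - dates[-1]).days
    within_cadence = days_since_last <= cadence_days and all(g <= cadence_days for g in gaps)
    overdue = overdue_findings(register, today)
    providers = {test["provider"] for test in register}
    return {
        "answer": "yes" if within_cadence and not overdue else "no",
        "days_since_last_test": days_since_last,
        "max_interval_days": max(gaps) if gaps else None,
        "providers_rotated": len(providers) > 1,
        "overdue_findings": overdue,
    }


if __name__ == "__main__":
    # Evaluate the constructed register as of two different dates.
    for as_of in (date(2023, 12, 1), date(2024, 1, 15)):
        print(as_of, assess_control(PENTEST_REGISTER, as_of))
```

Run as of 1 December 2023 the register yields "yes" with a roughly six-monthly interval and two providers; run as of 15 January 2024 the still-open medium finding has passed its deadline and the answer flips to "no", which is exactly the case where a reviewer would expect the notes to explain the outstanding remediation rather than a bare "yes".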
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.