Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

21) Does your organisation conduct regular penetration tests of its public facing IT infrastructure?

August 30, 2022
Network and Cloud Security
Penetration Test

Answer yes if your organisation conducts regular penetration tests of its public facing IT systems and infrastructure and remediates the findings. Please state in the notes how often these tests are completed. Please provide your last pentest report summary (not the detailed findings) as evidence.

What is the control?

A penetration test is similar to a vulnerability scan in detecting vulnerabilities but typically involves human interaction, a broader scope of checks, and an overall goal to breach the network or system.

Whereas vulnerability scans are limited to automated checks, typically run one at a time, a penetration test can involve improvised or adapted attempts that the tester can tailor to your environment. For example, they could go after an in-house application that no commercial vulnerability scanner would have checks for.

Testers can also create more dynamic scenarios and chain smaller vulnerabilities and misconfigurations together to gain access, even exploiting human elements in some cases.

Penetration testing your public-facing infrastructure more accurately mimics what a dedicated attacker would do once they have targeted your organisation and is a key security control.

Why should I have it?

While vulnerability scanning is good at detecting known vulnerabilities, penetration tests can often discover issues they miss. It’s therefore important to occasionally have a penetration test performed by a qualified assessor in order to have a greater level of assurance.

Clients typically ask for annual or quarterly penetration test reports when doing due diligence, in addition to more frequent vulnerability scanning.

How to implement the control

Since there is a human element to most penetration testing, it’s important to select a qualified provider (some large organisation may have internal functions as well). For similar reasons, it’s also recommended to have multiple providers and rotate the testing to see if one provider can find things another missed and vice versa.

It’s also important be be clear on scope: The more freedom testers are given, the more likely they are to discover vulnerabilities that an attacker (operating with full discretion – their own) would find and exploit.

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.