Cybersecurity has become a primary issue for practically every company. Organizations unacquainted with cyber-attacks and the harm they can cause fall prey to these attacks consistently. Accordingly, the most appropriate way for an organization to secure itself is to focus on proactive and comprehensive security testing techniques. The most effective testing approach for measuring current security practices is known as penetration testing, also called “pen-testing”.
What is Pentesting?
This method of assessing cybersecurity uses a mix of manual and automated techniques to simulate an attack on an organization’s IT systems. It should be conducted by a qualified and independent expert, sometimes referred to as an “ethical security tester”. The goal of pen-testing is to try to exploit known vulnerabilities and to leverage the expertise of the tester to identify other weaknesses and unknown vulnerabilities in an organization’s security arrangements. The test involves an active analysis of the target system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, or operational weaknesses in system processes. This analysis is carried out from the position of a potential attacker and can involve active exploitation of the security vulnerabilities found.
A Penetration Test is typically an assessment of IT infrastructure, networks, and business applications to identify attack vectors, vulnerabilities, and control weaknesses. The two most common forms of penetration testing are:
- Application penetration testing (typically web applications), which finds technical vulnerabilities;
- Infrastructure penetration testing, which examines servers, firewalls, and other hardware for security vulnerabilities.
Bear in mind, however, that a penetration test:
- Only covers the target application, infrastructure, or environment that has been selected.
- Focuses on exposures in technical infrastructure; it is not intended to cover all the ways in which critical or sensitive information can leak from an organization.
- Plays only a small part (despite often including social engineering tests) in reviewing the role of the individual, who is often the most important element of an organization’s defense system.
- Is only a snapshot of a system at a point in time.
- Can be limited by legal or commercial considerations, which restrict the breadth or depth of a test.
- May not uncover all security weaknesses, for example due to a restricted scope or inadequate testing.
- Provides results that are often technical in nature and need to be interpreted in a business context.
Your penetration testing program should align with:
- A wider security review framework (e.g. ISO 27001, the NIST Cybersecurity Framework, the ISF Standard of Good Practice);
- Technical security infrastructure (including ongoing security monitoring, vulnerability assessment, malware protection, and patch management);
- System development processes (particularly for Web applications).
Your penetration testing program should be:
- Approved by appropriate business and IT management.
- Supported by stated objectives and timelines.
- Integrated into your underlying technical security assurance framework.
- Reviewed regularly and kept up to date.
The scope of your penetration testing program should:
- Cover all main systems, enterprise-wide;
- Focus on critical systems;
- Allow for the protection of any sensitive information.
Your penetration testing program should include:
- A set of penetration testing processes and methodologies that apply enterprise-wide;
- Supplier selection criteria;
- A penetration testing assurance management framework;
- Follow-up activities to ensure that remediation is carried out effectively, reducing the risk of vulnerabilities being exploited in the future.
A vulnerability assessment (sometimes referred to as ‘scanning’) is the use of automated tools to identify known common vulnerabilities in a system’s configuration. Vulnerability assessment tools scan the information system environment to establish whether security settings have been switched on and consistently applied, and whether appropriate security patches have been deployed where required. Vulnerability assessments typically seek to validate the minimum level of security that should be applied and are often the precursor to more specialized penetration testing. A vulnerability assessment does not exploit the vulnerabilities it identifies to replicate a real attack, nor does it consider the overall security management processes and procedures that support the system.
A penetration test is an ethical attack simulation intended to demonstrate or validate the effectiveness of security controls in a particular environment by highlighting the risks posed by actual exploitable vulnerabilities. It is built around a manual testing process that goes much further than the generic responses, false-positive findings, and lack of depth provided by automated application assessment tools (such as those used in a vulnerability assessment).
To get a certificate on CER.live, an exchange must prove that its pentest complies with all necessary requirements. The final report must demonstrate that the company performed real penetration testing; this will prove the security of users’ funds and personal data. The requirements are:
- The pentest must be performed on the current version of the infrastructure. If the infrastructure undergoes a major update, it must be retested.
- Testing must be performed on all components of the infrastructure.
- Testing must be performed on production, not on staging or developer versions.
- Penetration testing reports must include information about the testing actions performed and must include all findings.
- The company must demonstrate that all findings were fixed.
- The company which performs penetration testing must not be affiliated with the exchange and must not have any vested interests in successful compliance.