Process for Implementing Different Types of Penetration Testing
Penetration testing can be a daunting undertaking for organizations, but it is generally required for achieving and maintaining regulatory compliance with identified, applicable controls.
Penetration testing methods are a common regulatory requirement and industry best practice for a reason.
Without regular, independent penetration testing methods being performed, organizations cannot truly know or understand how susceptible their networks, systems, or applications are to internal or external intrusions, or cyber-attacks. This testing, and why it is so vital, is the focus of pitfall #55 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
A documented process should be implemented for different types of penetration testing that includes how a full scope of testing, including blended attacks, will be performed for your organization. This process should include testing for network infrastructure, wireless access point, information system-based, and web application attacks. Regular external and internal penetration tests should be conducted to identify vulnerabilities and attack vectors that could be used to successfully exploit your information systems.
External and internal penetration testing should be performed at least annually. Testing should also take place after any significant infrastructure upgrades or modifications. Focused testing should be considered after any significant application upgrades or modifications. Examples may include an operating system upgrade, a sub-network being added to the network, or a web server being added to the environment. Exploitable vulnerabilities found during penetration testing need to be corrected. Once remediation is complete, testing should be repeated to verify remediation.
There will likely be findings on your penetration testing report. Any finding identified during testing should be remediated as soon as practical, based on the criticality of the finding. Following the same remediation schedule that is used for technical vulnerability management may be the best place to start when defining remediation timelines for penetration test findings.
Your organization should avoid having the same findings show up on consecutive penetration testing tools and reports. Allowing the same finding to persist year after year will likely draw increased scrutiny from examiners or auditors as they assess the internal controls in place for your organization. More importantly, having a known vulnerability within the environment for a long period of time increases your susceptibility to intrusions, security incidents, and data breaches.
To learn more about this pitfall, and 99 more, get my book: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon here). Or register for a demo of the ASCENT Security and Compliance Portal and get a free synopsis of the 100 Security Program Pitfalls eBook today.