In this article Assured Clarity provide the answer to the question, ‘Do we need penetration testing?’
Pen testing background
Recent times have probably accelerated organisations’ need to move their IT infrastructure to the cloud, and for all the right reasons: massive on-demand compute and storage capabilities. Gartner predicts the market for public cloud services will grow at roughly 3x the rate of the overall IT services market, topping $331 billion by 2022.
However, with all the benefits of seamless integration come additional security problems: cyberattacks are a constant threat. Not only does this raise the prospect of data breaches, along with the consequential fines, there are also the service outage implications, which can damage the organisation’s reputation and its bottom line. Anecdotal evidence suggests that keeping hackers at bay and preventing security breaches absorbs an average of one day per week.
One thing that ‘IT’ as a whole isn’t short on is TLAs (three-letter acronyms), and it is very easy to get wrapped up in the jargon and lose sight of the objective.
Gartner alludes to ‘SOAR’ – the convergence of Security Orchestration and Automation (SOA) with Security Incident Response (SIR) and the Threat Intelligence Platform (TIP) – but however you choose to approach it, the Security Operations Centre (SOC) plays an ever-increasing role, monitoring end-user devices, servers, network equipment, firewalls and more to ensure IT resilience and reduced risk.
The role of the SOC
So, the SOC is designed to monitor threats, but it won’t identify vulnerabilities in the network, the devices, or the hosts and systems connected to them. This is where the Pen Test (Penetration Test) comes in, identifying vulnerabilities and misconfigurations. A manual review of web application code, coupled with testing tools, is essential to locate vulnerabilities such as logic flaws, authorisation issues and encryption misconfigurations.
The role of the pen test
The penetration test is all about assessing a business’ exposure to risk.
Would you fly on a plane that hadn’t been regularly serviced and maintained?
In a different context, think from a burglar’s perspective: it’s often opportunistic. They scan the house looking for vulnerabilities and visual signs that nobody is home and that they can get in: windows open, door ajar, post in the letter box, even the car left unlocked on the drive!
Why do we need pen testing?
If you really want to make sure you’re secure, then a penetration test is the right step for your organisation. That old saying applies: you don’t know what you don’t know, and in this instance, by the time you do know, it will be too late, as you could be well and truly exposed.
At a minimum, a penetration test should be carried out yearly, but if your organisation has the responsibility to maintain and comply with a number of regulatory frameworks (PCI-DSS, ISO 27001, ISO 22301, BSI 10008, SOC2, etc.), you may find that a yearly test isn’t sufficient.
Once you have been tested, the report will enable the business to decide on the remediation steps required and what you need to do to ensure the security infrastructure remains robust.