Understanding penetration testing

The importance of conducting penetration tests is clear and a successful programme can have a major positive impact on an organization’s defensive posture.

The approach that an organization takes can greatly affect its overall success and many areas need to be considered. We’ve spoken to our experts to get some nuggets of advice for organizations on how to successfully address penetration testing. 

Approaching a Pen Test

  • Establish your goals

It’s important to involve all key stakeholders within your organization in setting the objectives to be achieved through testing. Internal stakeholders responsible for managing the business will help you define the criticality level of different data sets and where best to focus scarce resources to protect what’s vital.

It’s also important to confirm objectives upfront and map out a testing programme. If you allow an external event to prompt your organization to “panic-test” you will successfully defend against this particular vulnerability, but you may well miss the chance to uncover countless others. 

For example, your goal might be to meet challenging compliance requirements for the year ahead, or it could be to gain a comprehensive understanding of your network defences. Whatever your goal, it’s imperative that what you’re looking to achieve is clearly defined in advance and built into a comprehensive programme.

  • Scope the Test

This is a vital step to achieving a satisfactory outcome and allows your testing service provider to focus resources on the right areas. 

What exactly is to be included in the test and how is it to be conducted? Are you looking to examine the defensive capabilities of your public-facing website? Or are you more concerned with your internal systems like your firewalls and hardware defences? 

When defining the scope of your test you need to take constraints into consideration. What are your financial and time limitations? Have you defined the areas of the business that can and cannot be assessed? 

Establishing these issues is essential before agreeing the scope with your testing company.

  • Plan the Testing

Pen test scope

Good planning cannot be underestimated so scheduling for these events is imperative for asuccessful programme. It’s important that you plan ahead and implement a change freeze on your system and alert your IT team that a higher load may be placed on your target assets during testing. 

Again, it’s important to involve all internal stakeholders in the planning process to ensure the impact on business operations is minimized.

  • Apply an improvement programme

Once the vulnerability has been rectified, it’s important that the process doesn’t stop there. Continual improvement is the key to staying on top of new threats. Remember, a pen test report reveals the state of your vulnerabilities at the present moment in an ever-changing environment. 

Our experts recommend a regular testing programme to keep up to date with new malicious vulnerabilities and compliance requirements. 

  • Use an accredited partner company

You need to know that your chosen partner for this venture is one that has a solid and secure reputation with highly competent testers providing quality, value-for-money services. 

Choosing a company who is a member of CREST is a huge step in the right direction to ensuring the company you have chosen is of such quality. 

“CREST provides organizations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up to date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers... They will also know that the penetration testers are supported by a company with appropriate policies processes and procedures for conducting this type of work and for the protection of client information”CREST website

BSI Cybersecurity and Information Resilience is part of an elite group of seven organizations with global CREST membership.