Given the commoditized nature of pen testing, it is imperative for organizations to employ an accredited and globally recognized partner. CREST-approved providers of pen testing have skilled ethical hackers who are trained to think like a malicious attacker and use an exhaustive set of tools to imitate that attacker's methods. CREST-approved members also offer a wide range of pen testing services covering all aspects of organizational security, such as infrastructure, web applications, social engineering and, of course, mobile. They use a risk-based approach to assess systems from an attacker's point of view, as well as against industry best practices.
The goals and outcomes of a pen test:
- Determine feasibility of a particular set of attack vectors
- Identify any vulnerabilities that are present, including high-risk ones that result from a combination of lower-risk vulnerabilities exploited in sequence
- Identify weaknesses that may be difficult to detect with automated vulnerability scanning software
- Assess the potential impacts of a successful attack on an organization
- Justify increased investment in security personnel and technology
Pen testing forms a large element of cybersecurity efforts in organizations because of the value its results provide. It gives the organization a stable and measurable output describing its security posture at a specific point in time. Pen tests are an important part of a full security audit; for example, the Payment Card Industry Data Security Standard (PCI DSS) requires pen testing on a regular basis and after any system changes.
That said, traditional pen testing has its limitations. Continual improvement is the key to staying on top of new threats. A pen test report only reveals the state of your vulnerabilities at a particular moment in time, in an environment that is constantly changing. A regular testing program is advised to keep pace with newly discovered vulnerabilities and changing compliance requirements.
Objective-oriented pen testing and red teaming are other types of assessments that can further enhance the security posture of your organization.