CS Mar-Apr 2024

More documents

Recommendations

Info

penetration testing PUT TO THE TEST WITH PENETRATION TESTING USED TO IDENTIFY THE LEVEL OF TECHNICAL RISK EMANATING FROM SOFTWARE AND HARDWARE VULNERABILITIES, MIGHT THIS BE SOMETHING THAT EVERY ORGANISATION SHOULD BE IMPLEMENTING? Typically, penetration tests are widely employed to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime. However, according to the National Cyber Security Council (NCSC), such testing can deliver a multitude of patbacks. "A well-scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice, points out the council, "and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test." PRIOR KNOWLEDGE In an ideal world, you should know what the penetration testers are going to find, before they find it, adds the NCSC. "Armed with a good understanding of the vulnerabilities present in your system, you can use third-party tests to verify your own expectations. "Highly experienced penetration testers may find subtle issues, which your internal processes have not picked up, but this should be the exception, not the rule. The aim should always be to use the findings of a penetration test report to improve your organisation's internal vulnerability assessment and management processes." WHAT SHOULD A TESTING REGIME LOOK LIKE? "It's critically important to note that a planned penetration test doesn't mean your normal testing regime should cease to include security tests on the target system," cautions the NCSC. "Functional testing of security controls should still occur. Assessing whether defined security controls are functioning is not a valuable use of penetration testing resources." A functional testing plan should always include positive tests (such as 'The logon box comes up every time that you attempt to log in and you aren't just allowed in'). "Negative testing may be included in your functional testing plan where the skills to perform it are available within your organisation (for example, verifying that 'You can't log in without the correct password')." A typical penetration test, according to the NCSC, will follow this pattern: Initial engagement, scoping, testing, reporting and follow-up. There should be a severity rating for any issues found. For this model, it is assumed that: You wish to know what the impact of an attacker exploiting a vulnerability would be and how likely it is to occur You have an internal vulnerability assessment and management process. "You should ensure the external team has the relevant qualifications and skills to perform testing on your IT estate. If you have any unusual systems (main-frames, uncommon networking protocols, bespoke hardware etc), these should be highlighted in the bid process, so the external teams know what skill sets will be required." 30 computing security March/April 2024 @CSMagAndAwards www.computingsecurity.co.uk
penetration testing I.T. SYSTEMS RELIANCE Today, virtually all organisations have come to rely on their IT systems to carry out dayto-day business operations and support customers, points out Martin Walsham, director of cyber security, AMR CyberSecurity, so they are also dependent upon the confidentially, integrity and availability of their systems to protect their brand reputation, avoid business disruption, and protect customer information and trade secrets. "Equally, all organisations are at risk of cyberattack," he points out, "including hacktivists, disgruntled employees, hostile foreign intelligence and cyber criminals seeking financial gain, for example." So, how does an organisation check that its security posture is up to scratch? "Penetration testing is a good start," he confirms. "A penetration test is a systematic security test of a hardware or software component or IT system that tests the current security posture and identifies security vulnerabilities. Penetration testing is becoming widely recognised as an effective security tool and something many organisations now regularly carry out." When a penetration test should be carried out, the type of testing carried out and the frequency of testing is influenced by several factors, such as the organisation's size, maturity and the industry in which they operate. "We are seeing increased uptake in penetration testing, especially in more regulated sectors, such as finance and healthcare - and areas where there is a higher need for greater security, such as those concerned with critical national infrastructure," adds Walsham. CONTRACTUAL OBLIGATIONS "Nowadays, many large organisations and government departments have specific contractual requirements for security penetration testing as part of their supply chain assurance. The UK healthcare industry requires supplier organisations to carry out penetration testing to meet the DTAC standard." The Digital Technology Assessment Criteria (DTAC) for health and social care gives staff, patients and citizens confidence that the digital health tools they use meet its clinical safety, data protection, technical security, interoperability and usability and accessibility standards. The DTAC brings together legislation and good practice in these areas and serves as the national baseline criteria for digital health technologies entering and already used in the NHS and social care. Another example that Walsham offers is the payment card industry, which requires organisations that take payment card transactions to comply with the PCI DSS, (Data Security Standard), which has a specific requirement for security penetration testing. BENEFITS OF REGULAR TESTING There are a wide range of benefits to be enjoyed by organisations that carry out regular penetration tests, he says. "Fundamentally, a penetration test reveals gaps in organisational security posture, which can then be improved. By testing whether a security architecture is operating as expected, free from known vulnerabilities and security configuration errors, an organisation will improve its security posture, reduce risk and as a result likely reduce the number and severity of IT security incidents. "By building security testing into the development lifecycle, organisations can identify and address security issues early on - leading to fewer project delays and requirements for rework, while reducing product vulnerabilities." BETTER PAYOFF Moreover, states Walsham, IT services and IT system providers are likely to achieve better responses on bids and RFP responses, if they can demonstrate that they have carried out regular penetration testing of the service or system to be provided. "When clients, investors and regulators are aware of an organisation's regular pen testing schedule, this leads to an improved reputation. And who doesn't want that?" Martin Walsham, AMR CyberSecurity: penetration testing is a good way for an organisation to check if its security posture is up to scratch. www.computingsecurity.co.uk @CSMagAndAwards March/April 2024 computing security 31
Page 1: Computing Security Secure systems,
Page 4 and 5: Secure systems, secure data, secure
Page 6 and 7: news TORSION ANNOUNCES FILING OF PA
Page 8: news Greg Wetmore, Entrust. TIME TO
Page 11 and 12: legal focus GETTING YOUR ACT TOGETH
Page 13 and 14: artificial intelligence stratospher
Page 15 and 16: artificial intelligence "In an intr
Page 17 and 18: Computing Security Secure systems,
Page 19 and 20: 2024 predictions ?? ? actors can so
Page 21 and 22: 2024 predictions ?? ? security is t
Page 23 and 24: iometric cybersecurity the previous
Page 25 and 26: data management NEW DATA STATS ARE
Page 27 and 28: energy industry incidents in 2020 -
Page 29: ansomware NEW THREAT ACTORS SEND RA
Page 33 and 34: endpoint protection GETTING STRAIGH

CS Mar-Apr 2024

Create successful ePaper yourself

Delete template?

Save as template?