A penetration test is an authorized simulated cyber attack on a computer system, performed to assess the security of the system.
The UK National Cyber Security Centre describes penetration testing as: "A method of gaining assurance in the security of an IT system by attempting to breach some or all of the security of that system, using the same tools and techniques that an adversary might use."
The process typically identifies target systems and a specific goal, then reviews available information and undertakes various means to achieve that goal.
A penetration test should usually be performed every six months or annually, depending on the criticality of the environment, or when there is a legal requirement.
A penetration test is most effective when a cycle of vulnerability remediation has already occurred on the systems it will target. This way it is possible to test the real resilience of a target system.
Why perform a penetration test?
The main reason for a company to perform a pentest is to "test and know the resilience of its systems." Before performing a penetration test, it is important that the company first understands the vulnerabilities found in its systems, makes the necessary remediation, and only then tests the resiliency through a penetration test.
Vulnerability Assessment
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) vulnerabilities in a system. Such assessments can be conducted on behalf of a number of different organizations, ranging from small businesses to large regional infrastructures. Vulnerability assessment has many things in common with risk assessment.
Assessments are usually conducted according to the following steps:
Cataloging assets and capabilities (resources) in a system
Assigning quantifiable value (or at least rank order) and importance to these resources
Identifying the vulnerabilities or potential threats to each resource
Mitigating or eliminating the most serious vulnerabilities to the most valuable resources
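The four steps above, combined with the earlier point that remediation should come before the penetration test, as an added example that is not part of the original article. The asset names, values and findings are constructed sample data, and the value × severity ranking and the 7.0 readiness threshold are assumptions chosen for illustration.

```python
from typing import NamedTuple

# Steps 1-2: catalogued resources with a 1-5 business value (constructed data).
ASSETS = {"payroll-db": 5, "public-web": 4, "build-server": 3, "print-server": 1}

class Finding(NamedTuple):
    asset: str
    title: str
    severity: float          # 0.0-10.0, CVSS-style base score
    remediated: bool = False

# Step 3: vulnerabilities identified per resource (constructed data).
FINDINGS = [
    Finding("public-web", "outdated TLS configuration", 5.3),
    Finding("payroll-db", "default admin credentials", 9.8),
    Finding("print-server", "unauthenticated admin panel", 9.1),
    Finding("build-server", "unpatched SSH daemon", 7.5, remediated=True),
    Finding("legacy-ftp", "anonymous write access", 8.0),  # host not in inventory
]

def remediation_queue(assets, findings):
    """Step 4: open findings ordered by asset value x severity (assumed metric)."""
    open_known = [f for f in findings if not f.remediated and f.asset in assets]
    return sorted(open_known,
                  key=lambda f: (assets[f.asset] * f.severity, f.severity),
                  reverse=True)

def inventory_gaps(assets, findings):
    """Findings on hosts missing from the catalogue mean step 1 is incomplete."""
    return sorted({f.asset for f in findings if f.asset not in assets})

def pentest_ready(assets, findings, threshold=7.0):
    """Assets with no open finding at or above the (assumed) threshold, i.e.
    those whose remediation cycle is done and whose resilience can be tested."""
    blocked = {f.asset for f in findings
               if not f.remediated and f.severity >= threshold}
    return sorted(a for a in assets if a not in blocked)

if __name__ == "__main__":
    for f in remediation_queue(ASSETS, FINDINGS):
        print(f"{ASSETS[f.asset] * f.severity:5.1f}  {f.asset:13} {f.title}")
    print("not in inventory:", inventory_gaps(ASSETS, FINDINGS))
    print("ready for pentest:", pentest_ready(ASSETS, FINDINGS))
```

With this data, the medium-severity finding on the high-value web server is queued ahead of the higher-severity finding on the low-value print server, because the ranking weights severity by the value assigned in step 2.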
"Classical risk analysis is primarily concerned with investigating the risks surrounding a plant (or some other object), its design, and operations.
Conclusion
Connected systems are susceptible to attacks of various types and consequences. New breaches become known daily, and most of them are reported through defense or control agencies, such as NIST. The use of discovery and scanning tools gives companies immediate access to corrective information. These tools also allow them to maintain a patch history and increase their cybersecurity score.
By maintaining an active posture toward the cyber threats they encounter, companies develop their cyber resilience, and through penetration testing they have the opportunity to test and know the flaws that their systems are subject to.