
Why, when and how often should you pen test?

The National Cyber Security Centre (NCSC) defines penetration testing as: “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”

Penetration tests are simulated attacks, carried out with no malicious intent, that employ the same techniques attackers use. These tests reveal whether your systems or applications will withstand hostile attacks and whether the vulnerabilities discovered could lead to further intrusion and exploitation.


Why should you pen test?

Uncover Critical Vulnerabilities in Your Organisation

Penetration testing helps you understand to what extent your organisation’s vulnerabilities could be exploited by attackers. Each penetration test reveals how your systems are vulnerable to potential cyber-attacks and provides recommendations on how to strengthen your cyber security posture.

Furthermore, once vulnerabilities are found, rather than merely reporting them, penetration testers use their skills to exploit these vulnerabilities, thereby proving real-world attack paths against your organisation’s IT assets, data, and staff.

Enable You to Prioritise and Address Risks

At Falanx Cyber, every penetration test that we conduct concludes with a detailed report of your organisation’s exploitable vulnerabilities, complete with actionable recommendations for remediating them.

Assisting You in Meeting Industry and Regulatory Compliance

Should your organisation need to comply with industry standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, NIST, FISMA, HIPAA, or Sarbanes-Oxley, regularly conducted penetration testing will contribute towards achieving compliance. By implementing regular penetration tests of your organisation’s environment, you demonstrate information security due diligence; such due diligence can help you avoid significant fines resulting from non-compliance.

Informing Senior Management About Levels of Risk

Senior management today want to understand how well their organisation can withstand cyber-attacks. Therefore, our reports come complete with an easily understood Executive Summary. This provides valuable insight into your organisation’s levels of risk and exposure in non-technical terms.


When Should You Penetration Test?

Penetration testing should be undertaken after the deployment of new infrastructure and applications, and after major changes to existing infrastructure and applications (e.g. patches and upgrades to software, changes to firewall rules, and firmware updates). Pen tests should generally be performed right before a system is put into production, once it is no longer in a state of constant change. If a pen test is undertaken too early, your systems or networks may still be changing constantly, and as a result security holes introduced by later changes might be overlooked.

As an organisation, pushing new services live without having conducted the proper security assessments can leave you open to unnecessary risk and potential intrusion. This risk needs to be evaluated and put in perspective when introducing a new system.


How Often Should You Penetration Test?

Whilst the frequency of testing will be influenced by the criticality of the target, we recommend testing at least annually, with monthly vulnerability scanning for Internet-facing infrastructure and applications. Certain compliance standards (e.g. the PCI DSS) specify recommended intervals for the various scan types.

Understanding your company’s line of business is absolutely crucial to successful security testing. With new software and changes being introduced on a continual basis, systems will need to be tested and retested regularly.

Alec Auer – Senior Penetration Tester




About Falanx Cyber
Falanx Cyber puts enterprise-class cyber security services within reach of every organisation. We identify areas of cyber risk threatening the integrity of your business and provide complete end-to-end managed cyber security services to alleviate those risks, combining proactive managed detection and response services with penetration testing, incident response and consultancy.
