How Penetration Testing Protects Personal Information

What is personal data? As you might expect, personal data is any information that helps to identify you. Demographic details like name, location and gender are low-level. This information alone does not necessarily give away your identity, as there may be many people who share your name, age or date of birth. High-level personal details such as a national insurance number, driver's licence number or passport number can tell a person exactly who you are and are strong indicators for identity confirmation. In Europe, the GDPR sets out the requirements for data privacy and security. Learn more about GDPR here.

Why is personal data protection important?

It is important because it is uniquely yours; it is used to locate you, contact you or identify you. More personal information is out there than ever before because the internet requires information to identify us as customers. It is also in the interest of companies to offer to store payment information, to make it easier for us to purchase products.

Social media has accelerated the rate of online purchases to a higher level than ever. Now, thanks to the pandemic, this is higher than ever before. Unfortunately, that means that there are large stores of highly sensitive personal information out there in the world. Naturally, there will be malicious agents looking to take advantage. This makes us more vulnerable than ever to cybercrime, with online theft rising at an alarming rate. Online shopping has increased by almost 30% due to the pandemic. Many experts believe the current financial climate, paired with the increase in online purchases, could be ushering in a golden age of cybercrime.

Did you know?

According to the Crime Survey For England and Wales, there were an estimated 3.8 million incidents of fraud in the year ending March 2019. In a staggering 63% of cases, there was no contact between the victim and offender; fraudsters preyed on victims over the phone or online. In a scarier statistic, over 76% of these offences caused the victim to incur a financial loss. 

What happens if there is a data breach?

Data breaches can be disastrous for companies. Recently, the ICO (Information Commissioner's Office) fined British Airways 20 million pounds for a violation involving 400,000 customers' personal data. Shockingly, for publicly traded companies, data breaches can also significantly impact the company's share price. Less directly, a data breach can wreak havoc on a company's reputation, especially if it is a financial institution that is supposed to be protecting the interests of customers or clients. That isn't only true for giant corporations; word of a data breach can affect customer trust for SMEs too.

Did you know?

One of the most common reasons for data breaches in businesses is social engineering!

How Penetration testing prevents data breaches

Penetration testing (or pen testing) gives business owners a real-life insight into the risks to their business. It tells your IT security team, and your company at large, what risks your business faces and how they are likely to manifest themselves if a hacker were to try to gain access to your network. To prevent data breaches due to web app vulnerabilities and social engineering, consider testing these as part of the company BC/DR plan, which dictates how the business will respond to and manage a cybersecurity incident to ensure business operations continue.

Omni Cybersecurity is a world-renowned company that operates with a unique combination of passion and attention to detail. We protect and ensure your business' future. We have experience supporting businesses of every size and have spent years providing best-in-class CREST certified pen testing, PCI DSS and SOC monitoring.

We help our customers identify risks through expert knowledge and world-leading penetration testing and cybersecurity operations. We create air-tight business continuity plans for our clients with clear and practical steps that will keep your business operating and making a profit, even in the light of seemingly unforeseeable or uncontrollable circumstances.

Contact us to enquire about our penetration testing services.

How Penetration Testing Helps Business Continuity

Why Penetration Testing Is The Key To Business Continuity

What is business continuity?

Businesses face huge risks to their daily survival. These include things like natural disasters (e.g. floods and leaks), IT security issues, information protection leaks and the loss of critical employees. These could have far-reaching and disastrous effects on your organisation, the impact of which could eventually affect profit. 

Business continuity is the plan that your organisation has in place to mitigate the impact of these risks, keeping the wheels of your business running. A good business continuity plan ensures that no one outside of the department in question is affected, especially your clients or customers. 

How can businesses ensure continuity?

People at every level of your organisation must be held accountable. It’s up to senior leaders to emphasise the importance of business continuity and communicate this to the rest of the team. They are responsible for creating a culture of ownership. 

It is an excellent way for everyone in the company to show that they are committed to the long-term health and prosperity of the organisation. Business continuity plans should be regularly updated, and critical team members at every level should be made aware of them.

What is disaster recovery?

Disaster recovery forms an integral part of business continuity plans. Business continuity focuses on the ability to carry on operating despite adversity. Disaster recovery, on the other hand, is concerned with fixing acute problems when they arise. Good disaster recovery and business continuity strategies are integral to the long-term survival, prosperity and profitability of your organisation.

Experts have described disaster recovery as a 'fire escape' for businesses to take when things get suddenly and drastically difficult. Unlike business continuity, disaster recovery covers the more extreme problems which are harder to fix without preparation. These include human-made disasters like fires and major accidents, as well as natural disasters like earthquakes, tornadoes and hurricanes.

Could Penetration Testing Be The Key?

Penetration testing (or pen testing) gives business owners a real-life insight into the risks that are posed to their business. It tells your IT team, and your company at large, what risks your business faces and how they are likely to manifest themselves if a hacker were to try to gain access to your network. In terms of building a realistic business continuity plan, this information is invaluable.

Who Should You Speak To Regarding Your Business’s Future? 


We help our customers identify risks through expert knowledge and world-leading penetration testing. We can help support your BCDR plan to help keep your business operating and making a profit, even in the light of seemingly unforeseeable or uncontrollable circumstances. 

Find out why the biggest companies in the world rely on us today.

Link: https://www.omnicybersecurity.com/contact/


Everything you need to know about Penetration Testing

This article contains everything you need to know about one of the cornerstones of IT security: penetration testing, otherwise known as pen testing. We're going to go over what penetration testing is and what types of pen testing there are, give some examples of how your organisation can utilise it and assess how essential it is to your business. We will periodically be updating this article to provide answers to the most frequently asked questions about penetration testing.

Omni Cybersecurity is a global cybersecurity company that operates with passion, attention to detail and with a dedication to meeting the needs of your business. We support businesses of every size, providing best-in-class CREST certified pen testing, PCI DSS and SOC monitoring. 

Speak to a world-leading cyber security expert about your business now.

What is meant by penetration testing?

Penetration tests are intentional attacks on your IT system, executed to expose the weak spots in your system's defences, including cross-site scripting, source code, logic and network configurations. Penetration tests give your IT team an understanding of the vulnerabilities in your infrastructure.

What is penetration testing with example?

Penetration tests (or pen tests) are attacks on your company's software and hardware systems, carried out by 'ethical hackers' to expose your system's vulnerabilities.

One example is a web application pen test. Web apps, browsers and plug-ins can house sensitive financial or personal data, so hackers are increasingly putting their efforts towards gaining access to them. The test would examine the endpoint of every web application.

What are the types of penetration testing?

There are four types of penetration testing:

  • External network pen tests involve an ethical hacker (hacking on behalf of you instead of themselves), trying to break into your organisation.
  • Internal network pen tests are similar, but the IT professional doing it has a degree of existing network access.
  • Web application pen tests investigate the weakness of web apps, browsers and plug-ins, as they often house sensitive financial or personal data.
  • Social engineering pen tests identify vulnerabilities in your workforce or workplace. 

Is penetration testing difficult?

Some experts have compared penetration testing to a financial audit. Your financial team does their day-to-day work to track profit, loss and income, and an external group comes in to confirm that the internal team’s methods are up to scratch. Though your internal IT team may be skilled and experienced, penetration testers are specialists. It is essential for the survival of your business that you are as prepared as possible for risks to your day-to-day operations.

Watch this space for more answers to your penetration testing questions.

Can Hacking Ever Be Considered Ethical?

What is hacking?

The phrase ‘hacking’ conjures up images of devious cybercriminals. However, in the pure sense, a hacker is anybody who uses their knowledge and expertise in computer software or hardware to break down security measures on computers, networks or in applications.

A hacker's activity can be designated ethical or unethical, legal or illegal, based solely on whether the hacker has permission to enter a system or not. Hackers who work on behalf of businesses can use their expertise and skill to find the holes that could be exploited by their malicious counterparts.

What is ethical hacking?

For the past few weeks, this blog has covered the way that hackers can use their unique skills to help instead of hurt business owners. An example is penetration testing, which is when ethical hackers undertake a controlled invasion of your security system with your permission, to see how vulnerable your system is. 

What kinds of hacking are there? 

Black hat hackers are those who use their skills for their own financial gain, for espionage or as a form of protest. Common hacking activities include spreading malware or stealing data or details.

White hat hackers are hackers that use, as we’ve mentioned above, their powers for good instead of evil. They are also known as ethical hackers. They use their skills and expertise to find security holes or vulnerabilities for clients. Pen testing is part of the arsenal of white hat hackers, helping them to simulate the techniques that could be used by black hat hackers. Without white hat hackers, we wouldn’t have the vast arsenal of tools and defences against hostile forces that we do. You can identify a white hat hacker because they have established formal consent before entering a business’ system. 

Grey hat hackers have a motivation that is neither all good nor all bad. Grey hat hackers are people who make their way into a system without the owner's permission or knowledge. If there are vulnerabilities or issues present, the hacker will present them to the owner and offer to fix the problem for money. Grey hat hackers aren't necessarily looking to hack people's systems to exploit them, but rather to get remuneration for something that they weren't tasked to do. It is still illegal, but less malicious than traditional hacking practices, which are aimed at outright financial crime.

What is the difference between ethical hacking and penetration testing?

Penetration testing is simply a process which identifies the existence of flaws, risks or ‘unreliable environments’ in your system’s security. It emulates the behaviour of a malicious hacker and gives an accurate picture of how the system could be violated. Organisations hire penetration testers and conduct penetration tests (also called pen tests) to educate their IT team on what parts of the system are vulnerable and need strengthening.

Penetration testing is often carried out on one aspect or part of a system, whereas ethical hackers take into account the hacking risk of every part of the system. Ethical hackers require broader and more general access to systems than penetration testers, to understand how the system works as a whole. Ethical hackers take on the responsibility of an entire system and also use other security-related techniques and defences.

Click here to learn more about penetration testing or contact us to discuss what we can do for you.

What is CREST, and why is being CREST accredited so important?

What is penetration testing?

Penetration testing is the intentional execution of attacks on your IT system. They are undertaken by IT professionals to expose the weak spots in your system's defences. Penetration tests give a picture of the security vulnerabilities of your website, network and systems.

What is a CREST penetration certificate?

CREST presents the industry standard of practice, service and customer satisfaction. CREST stands for ‘Council of Registered Ethical Security Testers’.

The organisation was initially set up as a response to unregulated penetration and vulnerability testing. A lack of regulation led to a lack of uniform methodology and varying outcomes for testing subjects. It is a not-for-profit accreditation body that seeks to establish professional standards for penetration testers. CREST accreditation represents companies that are recognised as offering the highest-quality and most professional network or website penetration testing.

What does it mean to have a CREST certification?

There are three levels of CREST accreditation, all requiring different levels of experience and expertise.

To be recognised as a ‘CREST practitioner professional’, testers must take an entry-level exam and have 2,500 relevant hours of experience. Testers at this level should be able to conduct routine assignments under general supervision.

To be accredited as a ‘CREST registered professional’, testers must take a more extensive set of exams than above. These testing professionals will have 6,000 hours (3 years plus) of relevant and frequent experience and be in a position to undergo testing projects by themselves.

The most prestigious acknowledgement for testers is to be designated a ‘CREST certified professional’. These professionals will have at least 10,000 hours (5 years) of experience. This certification recognises that these testers are capable of running full testing projects independently, as well as managing and coordinating teams.

The benefits of using a CREST accredited member company

Using a CREST certified professional means that you are accessing services that are highly skilled, knowledgeable and competent. To be CREST certified, practitioners must demonstrate that they have met industry standards. Potential CREST certified practitioners must submit ‘policies, processes and procedures’ relating to the services they offer. CREST assesses everything and determines whether they fit the criteria of a CREST member.

An external body should validate pen testers (or testing companies) because they are likely to come into contact with highly sensitive and critical information. After all, the goal of network penetration testing is to see how airtight your company’s security processes are. To put the responsibility of testing your security system to someone untrustworthy would be disastrous.

How do I join CREST?

Firstly, all CREST members are required to sign NDAs. The CREST team will then check company documents such as professional indemnity insurance and contracts. Next, they assess the quality processes and procedures of the individual and their organisation. This includes management of client contracts, complaint handling and conflict of interest policies.

As a member of CREST, the governing body reserves the right to carry out onsite audits of business premises. CREST has stringent standards not only for CREST professionals but also for contractors working with CREST-accredited companies or assisting CREST professionals.

Penetration Testing: The Process

Last week we wrote about an important aspect of cyber security: penetration testing. This week, we are going to cover how penetration testing will look practically for your organisation.

Scoping

Scoping is the initial consultation between your organisation and the penetration testing company to outline the initial rules of engagement. This stage is to decide what the possible target(s) will be for the penetration test and what kind of information you want to collect from the testing process. 

The signing of the NDA

A non-disclosure agreement (or NDA) is a contract that protects confidential information concerning clients, customers and staff. Reputable companies will make this a priority in the early stages of your working relationship. 

Intelligence gathering

During this phase, the testing company will use a variety of methods to learn about the targets you have discussed. This includes internet research and building up intelligence of relevant threats. The penetration testing team will search through all available public information (also called open-source), as well as more specific information that you might be asked to provide. 

As covered last week, the information and intelligence provided by the client will vary greatly depending on the security operations being conducted. These would include internal penetration tests, external penetration tests, and tests where the testing company is provided with varying levels of information beforehand. 

The amount of information that you give your penetration testing team will depend on the nature of the targets you are testing. 

Vulnerability assessment

After understanding the landscape of your business and collecting all the necessary information, the tester will do more practical work to see how vulnerable your system is. This often involves sending probes to target networks, using the information to conduct additional probes and deciding what part of your network/systems would most benefit from a full-scale penetration test. 

Proposal

The proposal will formally state, with a degree of specificity, how tests will be executed. This includes agreed actions, processes, timings and costs. 

Permission

The testing team will get permission from server and firewall hosting providers (anything that traffic might pass through) to create a full-scale and realistic testing environment. 

Testing

Once there is a clear plan of action, the next step is to execute the penetration test. Experts, sometimes called ‘ethical hackers’, use their skills to infiltrate networks and gain access to places that they shouldn’t be able to. 

Not every vulnerability outlined in the preliminary intelligence and probing will show issues that have to be resolved. A good penetration tester will focus their efforts on vulnerabilities that are specifically relevant to the target system. 

Reporting

Most test reports begin with an executive summary listing the risks found within your system and the testing strategies used to identify them. There will be a rating system of low, medium and high for your team to quantify how critical each risk the testing team found is and how badly it could affect your business. This will help your business make important decisions and choose which threats to focus on addressing.

 

The report will also list more detailed technical information. Your technical team will use this part of the report to take action and fix the security issues that were brought to light during the penetration test. 

Retesting

Once the vulnerabilities in your systems have been identified, and action has been taken to strengthen them, you may decide to retest your systems. After all, a penetration test is the only real way to determine whether or not your system is impenetrable. There is also the unfortunate possibility that new vulnerabilities may arise.

For more information, contact us to begin scoping for your penetration test via phone: 0121 709 2562, e-mail: info@omnicybersecurity.com or by completing our penetration testing enquiry form.


 

How Important Is Mobile App Security?

Mobile application security refers to the software, practices and methods designed to keep applications on Android, iOS and Windows safe from malicious agents. Mobile application security (or app security for short) covers apps on both smartphones and tablets. Apps are central to the function of many large companies (including banks and financial institutions); they store highly sensitive and valuable data. 

The importance of mobile app security

The ability to protect an app from intrusion is crucial to the function and reputation of many businesses. A breach could put entire companies at risk; banks present their apps as extensions of their company, and people expect them to be as secure as a bank vault. Digital users spend over half of their time on technology using apps, so it is essential that the risks to users are as well-documented and understood as resources will allow. 

Adequate security requires an understanding of what unique risks are present for mobile apps as opposed to regular desktop or laptop use. There needs to be a consideration both of the app itself and of all the places that the app can exist (i.e. different operating systems and devices).

An example is the ‘Anubis banking trojan’, which enters the user’s device by downloading compromised apps – some of which are available in the Android app store. Once a device is infected, the virus sends and receives SMS messages, scans contact lists, shares device locations and steals personal files. Cybersecurity researchers discovered a similar banking trojan that was successfully manipulating the apps of an incredible 24 banks in Spain. 

What are the unique risks that mobile applications face?

  • Authentication: Poor authentication procedures can allow hackers or malicious apps permission to access files and perform actions through an app on a device.
  • Encryption: Data encryption allows information to travel from one place to another without being seen or intercepted. Inferior encryption technology can leave data visible to malicious apps or criminals.  Individuals and companies tend to be less careful about what they say when they know that the message is encrypted. With sub-par encryption, individuals or companies could share highly sensitive information that they believe is safe.
  • Other apps: Apps can store or leak data that could be read by malicious apps on a user's phone. Just as with a computer virus, apps can exist as viruses on someone's device and seek to pick up information that is left unguarded. Alongside other malicious apps, mobile applications are vulnerable to individuals on the same Wi-Fi network as the victim.

What are malicious agents looking for?

In most cases (80%) malicious agents are looking for credit or debit card information or personally identifiable information (PII). Hackers often lift PII for wholesale identity theft. Malicious agents also obtain log-in information to gain access to your device or personal accounts. Some hackers also place bugs or bots on people’s devices, giving them access to secure business networks.

When asked, only 33% of companies conducted penetration tests to see if their infrastructure was at risk. That is worrying when we consider the amount of personal information that apps store and have access to. 

Mobile App security best practices

Consulting an expert is the best way to make sure that your business isn’t left vulnerable to mobile application security risks. There are mobile application security specialists that can not only advise your business but also put protection software in place to keep your business as safe as possible. 

Educate your team about the risks that mobile apps can present. Teach them to identify when an attack is underway and how to recognise phishing attempts. Have a well-informed and up-to-date response for when attacks occur.

You should also only download apps from trusted sources. It is good practice to have a list of approved websites where team members are permitted to download apps. Remind them that even apps from legitimate websites can harbour viruses, so have a plan in place for if something unexpected happens. 

Remind app users not to leave a session open while they aren't using it. It is better to sign out and have to sign back in next time, especially for apps with highly sensitive information.

Perhaps even more than desktop websites, mobile applications are becoming part of the fabric of modern society. We use them to bank, shop and organise our lives. The innovation improves our lives but has a drawback. They harbour lots of information about our financial and commercial lives that should never get into the wrong hands. Sometimes it does, and companies and individuals need to be more aware than ever about how important mobile application security is. Some companies trade exclusively from an app, and if it’s compromised, it could threaten the daily operations of their business as well as the entire reputation of the company. 



Top Five Pen Testing Questions

Penetration tests are intentional attacks on your IT system, executed to expose the weak spots in your system's defences, including cross-site scripting, source code, logic and network configurations. Penetration tests give experts an understanding of the problems with the technical infrastructure that your company depends on.

1. What types of pen testing are there?

There are three main groups of penetration testing:

Network pen tests: The most commonly run pen test. Since networks have both internal and external access points, it is essential to run tests from both sides.

External pen tests involve an ethical hacker (hacking on behalf of you instead of themselves), trying to break into your organisation. The test will be done off-site, as a hacker would naturally work remotely. It is done with consent from your organisation and simulates the action of a malicious hacker trying to get into your network. 

Internal pen tests are undertaken for a different purpose. The objective is the same as an external test, but the IT professional doing it has a degree of existing network access. Internal tests mimic the behaviour of either a hacker once he has access to the system or an untrustworthy employee trying to further existing access.

Read our blog post on external vs internal pen testing.

Web application pen tests: Web apps, browsers and plug-ins can house sensitive financial or personal data, so hackers are increasingly putting their efforts towards gaining access to them. This test examines the endpoint of every web application that a user might have contact with, so requires extensive time and planning from IT professionals. Web app test methods are continually evolving, as is the number of threats to them.

Social engineering pen tests: Social engineering penetration tests identify your risk for malicious agents to exploit vulnerabilities in your workforce. Hostile forces can access your systems through deception, manipulation and unauthorised access. Social engineering techniques include phishing, dumpster diving, eavesdropping, shoulder surfing and tailgating. 

2. What is the goal of pen testing? 

There is a misconception that pen testing is a method of identifying vulnerabilities. Although the result is that they expose the risks present in your systems, pen-testing shouldn’t be an organisation’s primary method of identifying these. Penetration testing should take place after your organisation has been fortified by your (internal or external) IT team, as a way to gain assurance of your organisation’s safety. 

Some experts have compared penetration testing to a financial audit. Your financial team does their day-to-day work to track profit, loss and income, and an external group comes in to confirm that the internal team’s methods are up to scratch. 

3. How is pen testing done?

According to the National Cyber Security Centre, most tests follow a similar process: initial engagement, scoping, testing and follow up. There will be a written report and a severity rating for any risk factors that are identified. For this kind of test to be done, you should have an internal vulnerability assessment and management process. 

There are three main ways that pen testing is done:

Black box testing: In black box testing, the client doesn't provide the IT professional with any information about their infrastructure. They will give a URL or IP address. In some cases, they will only give the company name.

White box testing: In a white box test, the company undertaking the pen test is provided with detailed information about the applications and infrastructure. Having extra information allows for a more detailed and extensive testing process. It is common to give architecture documentation and source code.

Grey box testing: Grey box testing, as you might guess, is a hybrid of black and white box testing. Clients provide the testing company with snippets of information to assist in the testing process. This method is significantly more extensive than black-box testing but more cost-effective than white box testing. 

4. Is pen-testing difficult?

It can be challenging to decide on the scope of the pen test for organisations without unlimited resources. The failure to decide on your highest priorities can allow the focus of the testing to become less relevant. This can mean that significant parts of your organisation harbour critical risks and vulnerabilities. A pen test with a broader scope is likely to give your organisation less in-depth information than a test with a specific objective or area of concern. 

Pen testers and their clients often work with highly classified and sensitive information. Not a lot of information is shared, and so pen testers don't have many resources with which to model or compare pen tests of similar organisations. If data or records of previous penetration tests were kept anywhere, they would be at risk of falling into the hands of hackers. Companies don't want the details of their vulnerabilities to be shared. It is, therefore, difficult for IT professionals and pen testers to have a more comprehensive understanding of what risks are out there.

5. What does an effective penetration test consist of?

A clear strategy. 

There must be a high-level view of the risks and the impact that these risks could have on your organisation. It should be laid out clearly in writing. Members of staff from every department, and mainly non-technical staff from the department involved in the penetration test, should be able to understand it. 

A way to categorise risk

When vulnerabilities or risks arise, your IT department must be able to communicate the risk level to senior decision-makers quickly. The ability to categorise risk is especially important when something is system-critical and a staff member needs to take action. 

A way to convey a risk’s impact

During or after a penetration test, it is essential to assess both how likely something is to happen and the impact it will have if it does. The specific impact something will have on the organisation also needs to be communicated to decision-makers. A way to measure both of these things is vital in making the penetration test effective. 

Multiple options for remedy

Knowing what’s wrong is essential, but an excellent pen test will convey exactly how you can solve the problem that has arisen. Recommendations should never be generic, should never assume that the person reading has extensive knowledge, and should never assume that internal staff already have the skills to fix the issue.

How often should I schedule a penetration test?

The needs of every organisation or business are different, and most companies are aware that penetration testing should take place regularly. However, companies can find it challenging to determine precisely what regularly means to them and how to determine when a pen test should take place.

If the amount of time between penetration tests is too long, then the opportunities and likelihood of a successful cyberattack increase. If a business only instigates a pen test as often as the maximum amount of time stipulated in law or regulations, then cybersecurity risks increase exponentially. The worst-case scenario is to conduct a pen test only once a cybercriminal has made an attack.

What is a penetration test?

A penetration test simulates a network attack to search for vulnerabilities, including new ones, and remove them. A pen test looks at all aspects of the IT security management system to locate vulnerabilities, exploit them, and document results.

An external penetration test assesses network defences, while an internal penetration test demonstrates what a cybercriminal could do once inside your network. This gives a company a unique insight into their security risks.

How to determine when your business needs a penetration test

Determining when your company needs a penetration test comes down to three aspects: risk, compliance, and change.

Risk: The likelihood, impact, and tolerance of cyber risk is the first consideration. The likelihood of attack is higher for companies that are high-value or high-profile. Value is high when a company holds a lot of data and information that can be leveraged by a cybercriminal for financial gain. The profile is high when a company often appears in the media, or when an organisation is in the media for poor political, environmental, or human rights actions. Risks are higher for all companies when they use open-source software that is vulnerable to automated attacks.

Compliance: Many businesses are regulated and have industry-specific compliance requirements they must follow to operate legally. ISO 27001 ISMS (information security management system) states that penetration testing should occur at least annually and when IT projects are implemented. A pen test is a component of the risk assessment process, highlighting weaknesses in internal devices, web apps, and internet-facing IP addresses. A pen test is also part of the continual improvement process, verifying that controls still work, identifying new weaknesses, and fixing them.

PCI DSS (payment card industry data security standard) governs any part of a system that is involved in handling cardholder data. The standard stipulates that penetration tests should take place annually and after significant infrastructure modifications or upgrades.

Change: A pen test should occur when critical infrastructure, components, policy, system processes, or software changes occur. A pen test should occur regularly in a changing environment, and whenever a security patch is installed, new web apps or infrastructure are added, significant network or infrastructure changes occur, or when offices are added to the network or the existing office location changes.
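As an added example (not OmniCyber's own tooling), the three triggers above can be encoded in a small scheduler that reports why a test is due: time elapsed for the testing tier, the annual compliance ceiling, and change events. The tier intervals, the event names and the dates used are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed tier cadence, mirroring the article's recommendation:
# level 1 quarterly, level 2 annually. Not a standard's values.
TIER_INTERVAL = {1: timedelta(days=91), 2: timedelta(days=365)}

# Compliance ceiling: the article cites ISO 27001 / PCI DSS as "at least annually".
COMPLIANCE_CEILING = timedelta(days=365)

# Change events the article names as triggers (constructed identifiers).
CHANGE_TRIGGERS = {
    "security_patch", "new_web_app", "new_infrastructure",
    "network_change", "office_added", "office_moved",
}


@dataclass
class PenTestSchedule:
    last_test: date
    tier: int                      # 1 = level 1 (quarterly), 2 = level 2 (annual)
    high_profile: bool = False     # high-value / high-profile halves the interval
    changes: list = field(default_factory=list)  # change events since last_test

    def reasons_due(self, today: date) -> list:
        """Return every reason a pen test is due today (empty list if none)."""
        reasons = []
        elapsed = today - self.last_test
        interval = TIER_INTERVAL[self.tier]
        if self.high_profile:
            interval = interval / 2      # article: test more often when high-profile
        if elapsed >= interval:
            reasons.append(f"time: {elapsed.days} days since last test")
        if elapsed >= COMPLIANCE_CEILING:
            reasons.append("compliance: annual ceiling reached")
        # Only recognised change events count; unrelated events are ignored.
        for change in self.changes:
            if change in CHANGE_TRIGGERS:
                reasons.append(f"change: {change}")
        return reasons

    def is_due(self, today: date) -> bool:
        return bool(self.reasons_due(today))


if __name__ == "__main__":
    # Constructed sample: a level 1 client that deployed a new web app last month.
    s = PenTestSchedule(date(2021, 1, 1), tier=1, changes=["new_web_app", "logo_update"])
    print(s.reasons_due(date(2021, 2, 1)))   # ['change: new_web_app']
```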

Conclusion

It makes sense for companies to plan for cyber safety from day one and perform penetration testing once or twice a year. OmniCyber recommends level 1 penetration testing quarterly, depending on risk, and level 2 penetration testing annually, or more often if the company is high-value or high-profile.

Contact OmniCyber to book a penetration test today and protect your business.