Penetration testing – Are you ready?

CYSIAM Limited

18th May 2020

Silverstone Technology Cluster (STC) member CYSIAM has recently been awarded CREST accreditation as a provider of penetration testing services. During this period of increased remote working and opportunistic cyber-attacks, we asked David Allan (CYSIAM CTO) to provide STC members with some increased awareness of what penetration testing is and when it should be used.

“Penetration testing has become a well-used and misused term and can often be seen as a box-ticking exercise for compliance,” remarked David. “The National Cyber Security Centre (NCSC) describes penetration testing as a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”

“We get many companies requesting penetration testing services that are not ready or don’t fully understand what’s involved. At this point we give them the advice that we will share here with the STC members today. Penetration testing is a great tool for assessing the security of systems and should be used for assurance. If you’re not sure whether you need a penetration test, start with a vulnerability assessment and make sure the basics of cyber hygiene are in place – or of course just give us a call”.

David provided this low-cost 10-step approach to work through before expending time and budget on a penetration test.

  1. Use strong user and administrator passwords – password managers are your friend.
  2. Enable multi-factor authentication on everything you can – use authenticator apps.
  3. Update applications and operating systems within 48 hours of an update becoming available, or ensure your I.T. provider is doing this for you.
  4. Identify and control / restrict administrator rights to your systems, including those of your I.T. provider and especially owners / directors.
  5. Change default passwords on internet-enabled devices (e.g. CCTV, Wi-Fi routers) and, if possible, host them on a separate network from your critical data.
  6. Set Wi-Fi routers (including home routers) to allow connections only from trusted devices.
  7. Use a VPN for access to all company data – especially important when using untrusted network access points, e.g. cafés.
  8. Conduct regular backups and, if possible, follow the 3-2-1 rule (3 copies of data, on 2 types of media, with 1 held off site).
  9. Conduct in-house awareness training for employees, even if it’s just watching an anti-phishing video – there’s loads on YouTube!
  10. Develop and test your incident response / disaster recovery plan.

You are now ready for a penetration test!

David explained, “The aim of a penetration test is not to prove that you are not secure, it is to prove that you are! Conducting regular penetration testing gives you the assurance that your security controls are working. It also gives your clients the confidence that you take their information security as seriously as your own”.

Importantly, David adds, “A penetration test should include the identification and exploitation of vulnerabilities and be delivered in the form of an actionable report. It should explain the criticality of what was found and the potential impact if exploited. It should not be confused with a vulnerability assessment, which, although a critical part of any security strategy, is sometimes marketed by unscrupulous cyber security companies as a penetration test.”

“In summary,” David concludes, “a penetration test should be used when you think you are secure but need to increase your own assurance and your clients’ confidence in your ability to protect critical data and operations”.

About CYSIAM

CYSIAM is based in the historic Mansion House at Bletchley Park. Our team are ex-military and secure government specialists in offensive security and critical incident response. We combine our operational experience and world-leading expertise to deliver step changes in capability and organisational resilience.

For more information, contact David Allan at dave.allan@cysiam.com.
