Over the past few years, “pen test” has become something of a buzzword. Some companies swear by pen tests, others perform multiple a year and certain cyber insurance providers won’t even talk to you unless you can verify that you’ve done one. It comes as no surprise that Stryves’s clients often ask whether they need to do a pen test. This can be a difficult question to answer in black and white terms, but there are a few rules of thumb that can be used to help.
Most people are familiar with the word but not everyone knows what a pen test actually is. Pen test is short for penetration test which is a security test to see how far a hacker can penetrate your system/network/application etc. In this instance, the hacker is a “white-hat” (or ethical) hacker. In other words, they have all the skills of a hacker, but they use them for good, rather than evil.
A white-hat hacker will, with your permission and in line with a pre-defined scope, attempt to bypass your security defences. This is a very effective way to test your defences and see how well they would stand up in the event of an attack.
Some compliance standards specifically require pen testing. For example, PCI DSS requires an annual, clean (in other words, with zero issues found) pen test. In these cases, it’s fairly black and white: yes, you need to do a pen test.
Other compliance standards are a little greyer. For example, ISO 27001.
ISO 27001:2013 control A.12.6.1 states: “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.”
Although ISO 27001 does not specifically require you to perform a pen test, you may still need to do so to meet the requirement. As the standard requires evaluating exposure to risks, if you have systems with standard functionality and architecture, a vulnerability analysis may be enough. However, if your systems are more complex or highly customised, a vulnerability analysis is unlikely enough to be able to satisfy this requirement.
The general rule of thumb is to perform a pen test at least annually. In certain circumstances, you may need to perform a test more frequently than this, for example, if there has been a significant change to the system or architecture. It is also a good idea to pen test a new system or application before deployment. Ideally, a pen test on such systems or applications should be one of the final steps prior to deployment. If you perform one too far in advance of deployment, the system or application you test, may not be the same as the one deployed. You would, therefore, in reality, be deploying an untested system or application.
There are other factors in deciding whether, or how often to pen test. The “risk appetite” of your organisation is an important one. How much risk is your organisation comfortable carrying?
Deciding this will depend on a number of factors. For example:
In short, while pen testing is, in most cases, a good idea, it is not always necessary. A lot will depend on the system or application you’re considering testing, your compliance obligations, and your own organisation’s “risk appetite”. Our experts in Stryve are always happy to talk through the options and alternatives with you.