Penetration testing is something that more companies and organizations should be considering a necessary expense. I say this because over the years the cost of data breaches and other forms of malicious intrusions and disruptions are getting costlier. Per IBM Security’s “Cost of a Data Breach Report 2021,” the average cost of a breach has increased 10% year over year, with the healthcare sector having the highest cost breaches for 11 consecutive years. One of the most important statistics that stands out from the report is the average number of days to identify and contain a data breach was 287 days or 41 weeks.
To put that into perspective, if it is January 1st 2022, and your organization’s systems are compromised it would not be until October 14th 2022 that the breach is contained. Of course the characteristics of these breaches varied depending on attack vector, sector, and whether or not security compliance systems were in place.
Key Takeaways for Control 18
Penetration testing is an important aspect of discovery and identifying potential critical vulnerabilities within your organizations external network, internal network, applications, or systems. They provide a valuable insight on how your enterprise and human assets perform.
Penetration testing and vulnerability testing are commonly used interchangeably and this is incorrect. Vulnerability testing is checking for the presence of known vulnerabilities, incorrectly configured assets and so on. Vulnerability testing is virtually completely automated with minimal user validation. Penetration testing actually exploits those weaknesses and tests which business processes or data may be impacted.
Safeguards for Control 18
18.1) Establish and Maintain a Penetration Testing Program.
Description: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Notes: The security function associated with this safeguard is identify. An important reason organizations create or seek third-party penetration testing is to identify ways of intrusion into their systems from different attack vectors. With a clearly defined scope, a red team should be able to identify vulnerabilities in applications and systems, discover any weaknesses in development processes, and test your organization’s critical response capabilities.
18.2) Perform Periodic External Penetration Tests.
Description: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Notes: The security function associated with this safeguard is identify.
When inquiring about external penetration tests from qualified parties, it’s good to do some research into their portfolio of customers, what their pen-testing experience and expertise is depending on your type of organization. Another thing to keep in mind is what type of security models they offer such as white box, grey box, or black box testing.
18.3) Remediate Penetration Test Findings.
Description: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Notes: The security function associated with this safeguard is Protect. After your organization has remediated the critical findings by the pen-testing team, you can then begin remediation the remaining issues as they fall within your organization’s remediation scope and prioritization.
18.4) Validate Security Measures.
Description: Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing.
Notes: The security function associated with this safeguard is Protect. Once testing is concluded, you can then take the write-up and make any necessary changes revealed during testing.
18.5) Perform Periodic Internal Penetration Tests.
Description: Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
Notes: The security function associated with this safeguard is identify. It is recommended to have annual penetration testing using either white, grey, or black boxes.
Read more about the 18 CIS Controls here:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skill Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing