Obviously my personal favourite control as it’s my day job! Penetration testing takes all the controls we’ve discussed so far and has free reign to re-run them and also use any other techniques to try to gain access to the target. It’s fun because the aim is to access things you shouldn’t be able to or better still subverting processes.
It’s easy to spend lots of money on testing and think it’s assured all your controls, however scoping is key and makes testing far more effective. If you’ve not had any testing carried out before I’d always recommend taking a broad brush approach even if it’s time limited. As discussed in the Inventory control, if you miss old or poorly configured systems from the scope these could easily be the way in for an attacker and therefore give you a false sense of security.
That said if you know your Inventory is good and you have iterated through vulnerability management and remediated a few times, it’s likely you’ll be in a relatively good state from an infrastructure point of view. Infrastructure testing and application testing are very different, with the latter being more manually focused as tools are generally poor at finding application layer issues. Equally a good application test would always include the infrastructure supporting it.
Unless you are a penetration tester I would not recommend carrying out testing yourself, but if you are a budding tester try your hand at it in the vulnerability management control and then have an independent test carried out.
Take a prioritised approach when scoping which assets should be tested:
- Which are most important to your business?
- Which are in the most risky position i.e. Internet facing?
- Which do you have least confidence in?
Functionality rich web applications are likely to come top, if you have them. However, if your business is more internal you may just need a relatively light touch externally and may get more value from some sensible internal testing.
We specialise in manual application testing and infrastructure testing and our focus is working with you to make sure the scope returns the best value for your business.