What is a Cyber Penetration test?
Penetration testing, like vulnerability analysis and security audits, scrutinizes one or more locations, networks, security systems, etc., for security vulnerabilities so that the issues found can be remediated. However, penetration testing goes considerably further by actually confirming the presence and exploitability of these vulnerabilities, simulating a cyber-attack as realistically as possible. This can uncover previously unknown or undetected vulnerabilities, and it gives an IT security team a confirmed report of where its vulnerabilities exist and which of them deserve the greatest focus given its unique network environment.
Who needs a Penetration Test?
Penetration tests are primarily performed for organizations that are required by law or by an accreditation body, under standards such as PCI (Payment Card Industry) or HIPAA (Health Insurance Portability and Accountability Act), to receive a penetration test as an added security measure. Organizations that are required by law, or that wish to remain within a given compliance regime, must adhere to its requirements to maintain their certification. There are many reasons an organization may wish to do this, such as improving its clients' trust in its security policies, meeting a specific client's security needs and expectations, and being able to display its certification as a business sales point.
When is a Penetration Test Required?
- PCI DSS compliance requirements
  - Required annually, prior to a compliance audit; recommended after a vulnerability assessment and remediation of the vulnerabilities found.
  - Should be conducted two to three months prior to an audit.
  - Required after a security incident resulting in the disclosure of confidential information; should be conducted after a full forensic analysis of the compromised system(s) has been completed.
  - All penetration tests must be conducted according to the NIST Security Framework and test against the standards on those systems directly affected by this compliance requirement, specifically those which hold customer/client personal information, personally identifiable information (PII), and payment card details.
- HIPAA compliance requirements