CIS Control 18 Penetration Testing | The State of Security


Penetration testing is something that more companies and organizations should be considering a necessary expense. I say this because over the years the cost of data breaches and other forms of malicious intrusions and disruptions are getting costlier. Per IBM Security’s “Cost of a Data Breach Report 2021,” the average cost of a breach has increased 10% year over year, with the healthcare sector having the highest cost breaches for 11 consecutive years. One of the most important statistics that stands out from the report is the average number of days to identify and contain a data breach was 287 days or 41 weeks.

To put that into perspective, if it is January 1st 2022, and your organization’s systems are compromised it would not be until October 14th 2022 that the breach is contained. Of course the characteristics of these breaches varied depending on attack vector, sector, and whether or not security compliance systems were in place.

Key Takeaways for Control 18

Penetration testing is an important aspect of discovery and identifying potential critical vulnerabilities within your organizations external network, internal network, applications, or systems. They provide a valuable insight on how your enterprise and human assets perform.

Penetration testing and vulnerability testing are commonly used interchangeably and this is incorrect. Vulnerability testing is checking for the presence of known vulnerabilities, incorrectly configured assets and so on. Vulnerability testing is virtually completely automated with minimal user validation.  Penetration testing actually exploits those weaknesses and tests which business processes or data may be impacted.

Safeguards for Control 18

  1. Establish and Maintain a Penetration Testing Program.

Description: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.

Notes: The security function associated with this safeguard is identify. An important reason organizations create or seek third-party penetration testing is to identify ways of intrusion into their systems from different attack vectors. With a clearly defined scope, a red team should be able to identify vulnerabilities in applications and systems, discover any weaknesses in development processes, and test your organization’s critical response capabilities.

  1. Perform Periodic External Penetration Tests.

Description: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.

Notes: The security function associated with this safeguard is identify.

When inquiring about external penetration tests from qualified parties, it’s good to do some research into their portfolio of customers, what their pen-testing experience and expertise is depending on your type of organization. Another thing to keep in mind is what type of security models they offer such as white box, grey box, or black box testing. 

  1. Remediate Penetration Test Findings.

Description: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

Notes: The security function associated with this safeguard is Protect. After your organization has remediated the critical findings by the pen-testing team, you can then begin remediation the remaining issues as they fall within your organization’s remediation scope and prioritization. 

  1. Validate Security Measures.

Description: Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. 

Notes: The security function associated with this safeguard is Protect. Once testing is concluded, you can then take the write-up and make any necessary changes revealed during testing. 

  1. Perform Periodic Internal Penetration Tests.

Description: Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box. 

Notes: The security function associated with this safeguard is identify.  It is recommended to have annual penetration testing using either white, grey, or black boxes.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skill Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing



Source link