ITM Tech Cybersecurity Essentials Booklet - Flipbook - Page 37
CONTROL 18
18 - Penetration Testing

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Why Is This CIS Control Critical?

A successful defensive posture requires a comprehensive program of effective policies and governance, strong technical defenses, combined with appropriate action from people. However, it is rarely perfect. In a complex environment where technology is constantly evolving and new attacker tradecraft appears regularly, enterprises should periodically test their controls to identify gaps and to assess their resiliency. This test may be from an external network, internal network, application, system, or device perspective. It may include social engineering of users, or physical access control bypasses.

Often, penetration tests are performed for specific purposes:
• As a “dramatic” demonstration of an attack, usually to convince decision-makers of their enterprise’s weaknesses
• As a means to test the correct operation of enterprise defenses (“verification”)
• To test that the enterprise has built the right defenses in the first place (“validation”)

THE SAFEGUARDS

| Safeguard | Asset Type | Security Function |
|---|---|---|
| 18.1 Establish and Maintain a Penetration Testing Program | N/A | Identify |
| 18.2 Perform Periodic External Penetration Tests | Network | Identify |
| 18.3 Remediate Penetration Test Findings | Network | Protect |
| 18.4 Validate Security Measures | Network | Protect |
| 18.5 Perform Periodic Internal Penetration Tests | N/A | Identify |

Safeguards Total: 5
IG1: 0/5
IG2: 3/5
IG3: 5/5

1 = Asset Type
2 = Security Function
3 = Implementation Group 1
4 = Implementation Group 2
5 = Implementation Group 3
Did You Know?
As sophisticated as security devices are today, almost 90% of cyber attacks are caused by human error or behavior. Penetration testing can help improve the overall security posture of an organisation. We can simulate common attacks to help you find potential weak points.