Penetration Tests and Red Team Exercises is one of the Council on CyberSecurity's Critical Security Controls. The Council provides the following explanation for why this is a critical control:
Attackers often exploit the gap between good defensive designs and intentions and implementation or maintenance. Examples include: the time window between announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine; well-intentioned policies which have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations and other practices to the entire enterprise, or to machines that come in and out of the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.
In addition, successful defense requires a comprehensive program of technical defenses, good policy and governance, and appropriate action by people. In a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness.
Penetration testing is vital for determining the business risk of an organization and is also a requirement in some industries. For instance, many organizations that process credit card transactions must be in compliance with the PCI Data Security Standard (PCI DSS). PCI DSS v3.1 (published April 2015), Section 11.3, requires organizations, at a minimum, to implement a methodology for penetration testing, to perform external penetration testing at least annually, and to perform internal penetration testing at least annually.
Penetration testing involves modeling the techniques used by real-world computer attackers to find vulnerabilities and, under controlled circumstances, exploiting those flaws in a professional, safe manner according to a carefully designed scope and rules of engagement. The purpose is to determine business risk and potential impact, with the overall goal of helping the organization improve its security practices.
Please contact us for information on our penetration testing services.