#NCSAM Week 5: Protecting our Infrastructure with Pen Testing

Week 5: October 30-31

Theme: Protecting Critical Infrastructure

The theme for the final week of National Cyber Security Awareness Month is protecting critical infrastructure from cyber security threats. This week’s theme raises awareness about the importance of building resilience in your organization’s critical systems.

Everlaw undergoes regular penetration testing (“pen testing”) by an independent third party as part of our security program. This testing is done in an effort to implement the NIST Cybersecurity Framework steps of: Identify, Protect, Detect, Respond, Recover. Pen testing is just one of the many ways an organization can protect its critical infrastructure, and it provides valuable information for addressing and mitigating security risks.

Here are some tips for implementing pen testing in your organization.

Determine the scope of the test

A common scope for pen testing is for an engagement to cover both internal and external network exploitation. This will help identify areas of risk—including specific vulnerabilities—as well as assist with risk quantification to establish a framework for mitigation strategies.

Determine the skill set required for the pen tester

There are several recognized certifications for pen testing, which an organization can consider when engaging a third party. This is not an exhaustive list!

  • GIAC Penetration Tester (GPEN)
  • GIAC Web Application Penetration Tester (GWAPT)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • Certified Ethical Hacker (CEH)

Determine and agree on the testing methodology and rules of engagement

The chosen methodology will be unique to the agreed-upon scope for the test. The primary objective is to clearly and effectively communicate with your organization to enable comprehensive testing relevant to the chosen environment. It is helpful to have a project kick-off meeting to provide an overview of how the process will work, set expectations, and understand the remote and local assessment methods. Most pen tests occur over three phases by the tester:

  • Identification of targets/systems;
  • Identify potential vulnerabilities; and
  • Attempt to exploit identified vulnerabilities.

The final, and most important, step is to review the results of the pen test with your security team and act on any vulnerabilities uncovered during the test.

Thank you for celebrating NCSAM with Everlaw this year!