Cyber security audits require more than penetration tests
29th November 2018
Cyber security service providers will always recommend penetration testing to their new customers. While they are an essential part of a cyber security audit process, penetration tests are often misunderstood both by those who buy them and sometimes by those who deliver them.
Why are cyber security audits so important?
Cyber security assessment provides an independent and in-depth review of the ability of an organisation to protect its information assets from the impact of cyber threats. One of the basic principles of effective cyber security management is the use of ‘before, during and after’ security assessments or audits.
Just checking the PDCA cycle
An initial assessment identifies the current ‘baseline’ or cyber security posture of an organisation. Cyber risks are identified, and security measures (controls) are applied to mitigate the risks consistent with the objectives of the business. Subsequent assessments are performed at intervals to ensure that the security measures used are performing as required. This PDCA cycle (Plan, Do, Check, Act) is at the heart of the best practice as recommended by ISO 27001, the international standard for information security management.
People, processes and technology
A comprehensive cyber security audit involves the evaluation of the people, processes and technology involved in an IT system. Inspection of such complex frameworks requires the use of many different types of test. These range from a review of staff procedures to a full technical assessment using vulnerability assessment and penetration testing.
What is a penetration test?
A penetration test evaluates the ability of a computer, network or software application to withstand a cyber attack. It uses a series of automated and manual processes to discover the security weaknesses in an IT network, web site or application. Performed with the permission of the system owner, penetration testing identifies security vulnerabilities which are then exploited to demonstrate how they can be used to facilitate a cyber attack. Measures and controls to prevent or mitigate the impact of an attack are recommended for each significant vulnerability.
What is a vulnerability assessment (VA)?
A vulnerability assessment involves the use of software tools that automatically scan computers, networks, web sites and software applications for security weaknesses. Commercial vulnerability scanner software includes Nessus, Metasploit and Acunetix.
A vulnerability assessment is not the same thing as a penetration test. Vulnerability scans are performed at the start of every penetration test to quickly provide a comprehensive list of all known insecure network configurations and vulnerabilities.
Don’t just test the technology
Penetration tests and vulnerability assessments are used to evaluate the technology of the cyber security measures employed by an organisation. They do not measure how effective the management and staff (‘the people’) are in their use of the technology, or indeed their awareness of a current or future cyber attack. Hackers have always used social engineering to trick computer users into helping them infect an IT system with malicious software. This is most clearly demonstrated by the continued use of highly effective email phishing attacks. It is estimated that up to 75% of all global cyber attacks will involve email. All organisations must ensure they train their staff to recognise and report suspicious phishing emails.
Test people and technology
To fully evaluate the security posture of a company, we always recommend that our clients test the knowledge and skills of their people AND the effectiveness of their technical cyber security measures. We also recommend that they use industry-standard criteria to provide quantitative and comparative audit reports. Consistent and reliable cyber security benchmarking provides comparative data which adds to the overall risk management of the organisation.
As a specialist cyber security service provider, Wizard Cyber is dedicated to delivering effective cyber security audits for professional services firms. Our experienced testing team use a quantitative approach based on a structured cyber security review (CSR) and the penetration testing of IT networks, wireless access and web applications.