The Importance of Penetration Testing in ISO 27001 Compliance
By Will Young, Zaviant, and Sue Pellegrino, Everest Discovery
Penetration testing is an important component of any organization’s security program. For those working toward ISO 27001 compliance, it can be a logical way to fulfill controls such as Annex 13.1, Annex 9 and A 12.6.1, among many others. You may have a patch policy that states all systems are patched every 30 days, but unfortunately, policies often don’t line up with reality. A penetration test can help you evaluate the efficacy of such programs and ensure they are performing as documented while helping you on your way to your ISO 27001 compliance goals.
“But I read online that penetration testing isn’t a requirement for ISO 27001.”
You read correctly. For basic networks and systems, you may be able to fulfill this requirement with a vulnerability assessment—a point-in-time automated vulnerability scan of the environment. However, automated scanners lack human intelligence and are not effective at identifying more complex issues related to application logic, access controls, permissions and human behavior. This is especially true if your organization’s environment is large, complex or hosts custom-coded mobile or web applications.
What Is Penetration Testing?
Often referred to less formally as “pen testing,” this assessment goes beyond surface-level scanning by having an assessor take on the perspective of a malicious attacker trying to break into your environment. This testing can be performed against a variety of different infrastructures and from different perspectives and starting points. Penetration testing is an objective-based assessment focused on identifying ways an attacker could compromise an environment and what types of damage could occur if this happens.
While penetration testing is not a requirement of being ISO 27001:2013 certified, many organizations, like Everest, choose to perform the necessary testing to maintain a secure and healthy infrastructure and stay vigilant against threats.
- White Box – Test is performed with the assessor having some knowledge of what is being assessed or being granted some level of initial access. This is often done to save time and to perform focused testing.
- Black Box – Test is performed with the assessor having zero knowledge or no level of initial access. This is the most realistic, but also the most time-intensive scenario.
- Gray Box – Test is performed with the assessor having a small amount of initial knowledge or initial access. This is the most common perspective and provides a healthy balance of both white and black box testing.
Penetration Test Types
While there are a number of different types of penetration tests that assess different infrastructures, we are only going to cover some of the common ones here.
- External Penetration Test – Performed from the perspective of an internet-based attacker. This assesses a client’s internet-facing infrastructure.
- Internal Penetration Test – Performed from the perspective of an attacker with access to the organization’s internal network via a simulated asset compromise or rogue device connected to the network. This assesses a client’s internal network and connected infrastructure.
- Web Application Penetration Test – Targeted assessment performed against a web application and underlying web server. This can be performed from authenticated and unauthenticated perspectives.
- Wireless Penetration Test – Performed from the perspective of an attacker within range of a wireless network(s). This may test both the wireless network and associated wireless clients who use the network. It can be performed from authenticated or unauthenticated perspectives.
- Mobile Application Penetration Test – Similar to the web application penetration test, this is a targeted assessment performed against a mobile application and underlying back-end infrastructure. This can be performed from an authenticated and unauthenticated perspective.
Advantages of Penetration Testing
Having an outside entity assess your infrastructure is somewhat similar to asking a friend to proofread a paper you wrote. We are often blind to our own mistakes, and it isn’t until someone else takes a look and points out an issue that we realize we are not perfect. Penetration tests bring in an expert who can think like a real malicious actor and assess your environment from a fresh perspective. Some of the key benefits are:
- To uncover exploitable issues before they become a security incident.
- To validate the efficacy of existing patch management, configuration or other security policies.
- To obtain outsider input on the security architecture of the environment.
- To get strategic recommendations for improving security.
If you are looking for a partner to evaluate the health of your cybersecurity posture and assist in your organization maturing in areas of cybersecurity and risk management, Zaviant can help. They were instrumental in developing a plan for Everest, and despite an ISO 27001:2013 certification, the company continues to do pen testing to maintain its security and infrastructure health.