Tuesday, May 08, 2012

360is Guide to Understanding, Commissioning, & Maximising Value from Penetration Testing or Security Assessments


Clients often contact us while weighing up the value of getting a Security Assessment or Penetration Test. Whether it's a recent breach, a compliance obligation, the regulator, or auditors that trigger the inquiry, we find ourselves repeating similar advice during those initial conversations. Their questions may be familiar to you:
  • What exactly is a Penetration Test?
  • Is it any different from a “scan” or a “vulnerability assessment”?
  • What will it really do for us?
  • What do we do with the results?
  • How do I evaluate different companies offering this service?
  • Why can’t I get a consistent budgetary cost from the market?
We've recorded the answers to these questions and more in one place, using consistent language, in a way that can be understood by IT and non-IT professionals alike. Whether you are a systems administrator or a CSO (more likely, in the UK, an IT Director/Manager), you will be able to use this guide to reduce the time taken to protect your assets, meet your business needs, and keep the customer/auditor/regulator/boss happy.
Aren’t there already countless guides, papers, and articles on Penetration Testing and security? Certainly. However, most of them are years old, focused on (or written from) a non-UK perspective, or are difficult for non-technical readers to understand. Our guide is different.
  • UK & European perspective: While you can find an abundance of articles discussing Penetration Testing within the context of HIPAA, SOX, and FISMA, scarcely a nod is given to UK and European regulations and standards. Hackers may not respect geography, but your organisation still has to.
  • Up to date: While the technical details of vulnerabilities have changed, sysadmins, programmers, and engineers are still making many of the same mistakes now as when we did our first assessment in the mid-90s. However, language changes, an organisation’s view of IT changes, and so do end-user working practices. This document reflects that, taking a contemporary view of the subject.
  • Non-technical: Couched in ordinary terms the business can understand, this guide avoids much of the technical jargon that makes other articles heavy reading for those for whom IT security is not a full-time occupation. While the skills employed may be highly technical, we can’t lose sight of the business problems being solved.
We hope this guide will help many of our clients and future clients get the most from a Security Assessment/Penetration test (whether provided by 360is, our contemporaries, or your own IT security team):

Penetration Testing Guide, Part 1.
An Introduction to Penetration Testing. [PDF]
Penetration Testing Guide, Part 2.
Selecting A Penetration Testing Company. [PDF]
Penetration Testing Guide, Part 3.
Maximising Value From A Penetration Test. [PDF]
The Consolidated Penetration Testing Guide.
Parts 1,2, and 3 all in one document. [PDF]
Parts 1,2, and 3, text only, academic, no commentary. [PDF]

There will always be something missing from such a document: specific relevance to your particular situation. Get in touch to complete the picture. 360is is a company where you can talk to a client account manager who can get a consultant on the phone, without prior arrangement and without running the meter. Contact Us.

Update 24-05-2012

For further information on 360is Penetration Testing Services, bookmark our Penetration Testing Homepage.


Pippa said...

I'm interested that you mentioned the importance of geographical location, even in this global industry. With the vast majority of security information and compliance coming out of the US, I sometimes wonder how in the dark we really are over in Europe?
I'd love to hear your thoughts...
[CS magazine have just released a 2-minute survey gathering opinions on this very topic: https://www.surveymonkey.com/s/informationsecurityineurope]

Nick said...

Hi Pippa, by far what concerns us most at 360is, and many of our clients, is the potential for theft of intellectual property from UK and European companies. As you may know, a UK-headquartered company is less likely to have senior IT representation at board level than in the USA. UK IT managers/directors (note no "C" status in most cases) often report up through finance, or facilities! This means that UK boards are less well informed of the threats and their nature than in the US.

Of course, ex post facto things are different: IT security is the priority and hang the cost.

Penetration testing is often misunderstood by clients and sometimes misrepresented by practitioners. Our article attempts to brief the client on their side of the deal, because without such collaboration the exercise will not improve their security outcomes.

Anonymous said...

A good guide but do you have a penetration testing guide template or list of things to include in a report?

Nick said...

Anon, on the penetration testing guide sample report front, yes we do have something in the works. We will update the blog entry when it is published!