Penetration testing is something that more companies and organizations should treat as a necessary expense. I say this because, year after year, data breaches and other malicious intrusions and disruptions keep getting costlier. Per IBM Security’s “Cost of a Data Breach Report 2021,” the average cost of a breach increased 10% year over year, with the healthcare sector having the costliest breaches for 11 consecutive years. One of the statistics that stands out most from the report is that the average time to identify and contain a data breach was 287 days, or 41 weeks.

To put that into perspective: if your organization’s systems were compromised on January 1st 2022, the breach would not be contained until October 14th 2022. Of course, the characteristics of these breaches varied depending on the attack vector, the sector, and whether or not security compliance systems were in place.

Key Takeaways for Control 18

Penetration testing is an important means of discovering and identifying potentially critical vulnerabilities within your organization’s external network, internal network, applications, or systems. It provides valuable insight into how both your enterprise assets and your people perform under attack.

Penetration testing and vulnerability testing are commonly used interchangeably, and this is incorrect. Vulnerability testing checks for the presence of known vulnerabilities, misconfigured assets, and so on; it is almost entirely automated, with minimal human validation of the findings. Penetration testing goes further: it actually exploits those weaknesses and determines which business processes or data could be impacted as a result.

Safeguards for Control 18

  1. Establish and Maintain a Penetration Testing Program.

Description: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface ...