COVID-19: remote delivery options
We would like to reassure our clients that all training and consultancy services will go ahead as scheduled during the COVID-19 situation. As a company that fully embraces flexible and remote working, we have adjusted our delivery methods to allow us to provide consultancy services, vulnerability scans and penetration tests, and training remotely where necessary. Please also refer to our COVID-19 policy.
Which level of test do you need?
The below table provides a comparison of the different levels of tests available to assess and exploit potential vulnerabilities on your networks and systems. Any combinations of the below tests are available, depending on client requirements. The scope of each test is established and agreed based on detailed consultation with our clients.
In most cases, IT Governance’s CREST-approved penetration testing team recommend a Level 1 Penetration Test that will identify exploitable vulnerabilities before they can be uncovered by an indiscriminate cyber attack.
Penetration testing levels
At IT Governance, we offer two levels of penetration test to meet your specific budget and technical requirements:
Level 1 penetration test
For the majority of organisations, a level 1 penetration test will be appropriate to help mitigate the threat of the opportunist attacker who is looking for easy targets by exploiting known vulnerabilities.
This test involves manual assessments with automated scans to assess the true extent of the vulnerabilities affecting your applications, systems or networks. By combining a level 1 test with regular vulnerability scanning, you can prioritise the resolution of identified issues and establish a comprehensive assessment of your risks from external threats.
A level 1 penetration test requires minimal scoping and can be performed quickly and cost effectively, providing a good overview of your security posture if performed at regular intervals.
Level 2 penetration test
A level 2 penetration test is appropriate for organisations that may be specifically targeted by attackers, perhaps because of the information they hold or the nature of their business.
This level of test involves a painstakingly detailed process of identifying security holes and vulnerabilities in your hardware (including printers, fax machines and workstations) and software, systems or web applications and then trying to exploit them.
The extent of a level 2 penetration test means it takes time to perform and is usually only recommended to clients that require a complex cyber attack simulation.attack simulation.
An approach for determining your testing requirements
You should consider the following before embarking on any penetration test or vulnerability assessment project:
-
Evaluate drivers for penetration tests
Determine your goals based on an evaluation of relevant criteria, such as the impact of serious incidents, increased threat levels, or significant changes to business or IT processes.
If your goal is to become PCI compliant, or to protect other specific data, you will need to work out the scope of that data environment and ensure it is segmented. If, on the other hand, you are responding to a breach at another or similar organisation, try to understand what form the attack took and the underlying motivation.
By understanding the motives and techniques of attackers, you can focus on building effective defences.
-
Identify target environments
Your penetration testing programme should identify the target environments that need to be penetration tested.
Ask yourself what your most valuable assets are. It may be your intellectual property, important business applications, key IT infrastructure, confidential data or simply your reputation.
Understanding what you need to protect – its value to you, its value to an attacker, and the impact of a loss in terms of operational, financial and reputational damage – will help you to determine an appropriate level of expenditure on protection.
-
Prioritise your efforts
Now you are ready to build a penetration testing programme that will prioritise protecting your most valuable assets from your biggest threats. By combining frequent low-level vulnerability scanning with regular level 1 penetration tests of your estate and level 2 testing of your critical systems and assets, you can maximise the value of testing in the most efficient way.