CIS Control 18: Penetration Testing

Soojin Park
Jul 1, 2021

Penetration testing is just as important as a vulnerability assessment. Penetration testing can be defined as a simulated cyber attack used to check that an organization's defense mechanisms are working properly. As technology evolves, so do attackers, increasing the chances of vulnerabilities being exploited. To defend against this, CIS Control 18: Penetration Testing should be implemented.

https://www.xenonstack.com/insights/what-is-penetration-testing

According to CIS, there are a total of five safeguards, or sub-controls, provided to support an organization implementing this control:

  1. Establish and Maintain a Penetration Testing Program
  2. Perform Periodic External Penetration Tests
  3. Remediate Penetration Test Findings
  4. Validate Security Measures
  5. Perform Periodic Internal Penetration Tests

The first thing to do is to establish a penetration testing program. The program should be tailored to the organization's size, complexity, and maturity. Penetration testing should cover the various components of the organization, including physical controls, the network, servers, and so on. Once a program has been established, internal and external tests should be performed no less than annually. When performing an external penetration test, the organization should look for a validated, qualified third party. Once the penetration test is complete, any vulnerabilities identified should be remediated promptly. Along with remediation, it is important to check and validate the defense mechanisms and make any changes necessary.

Center for Internet Security. “CIS Control 18: Penetration Testing.” CIS, www.cisecurity.org/controls/penetration-testing/.
