book

Penetration Testing

by James Hayes, Nick Furneaux, Jims Marchang, Rob Ellis, Jason Charalambous, Moinuddin Zaki, Peter Taylor, Roderick Douglas, Felix Ryan, Ceri Charlton, Gemma Moore, Tylor Robinson, Sharif Gardner

September 2019

Intermediate to advanced

150 pages

6h 1m

English

BCS, The Chartered Institute for IT

Read now

Unlock full access

How does this affect my organisation?Why carry out a penetration test?Penetration tests won’t always stop you being hackedStaying current with emerging risksWhy all managers should be interested in security…Impact on the organisation of not penetration testingSummaryReferences
Understanding what penetration testing will achieveDelivering maximum value from penetration testingPenetration testing as part of a holistic information security programmeRisk assessments and relevance to live-system lifecyclesSummaryReferences
Governance and regulatory compliance overviewRegulatory and legal preparatory considerationsSectors and compliance standardsSummaryReferences
Adding penetration testing to an existing enterprise information security strategyPreparation and planningAlignment of policies and procedures with the changing nature of threatsAwareness raising and notificationOther factors for considerationSummary
How penetration test programmes should be informed by defined outcomesThreat intelligence-led penetration testingNext steps?SummaryReference
Defining the scope of penetration testsMapping of assetsSummaryReferences
Penetration test coverage and structureSimulating the threatSummaryReferences
In-house penetration testing compared with third-party penetration testingHybrid approachesSummaryReferences
An overview of the penetration testing service provider marketTest provider capabilitiesWorking relationships with testersReview and ‘rotation’ of test providersTest consentsCommercial and technical relationshipsUnderstanding and using test resultsSummaryReferences
ContextAssessing the most appropriate penetration testing tools and techniques for the programmeSummaryReferences
What is meant by ‘best practice’ and ‘good practice’?Building on the tester’s experiencePenetration testing methodologiesDocumentation before, during and after a penetration testPenetration tester travel and being away from homeTest teams versus individual testersThe client being involved in the testHealth and safetySummaryReference
Purpose of reportingDistributing report content to the relevant audienceCoverage of reportingSummary
On debriefsInterpreting reports and circulating key findingsIntegrating reporting into bug trackers, ticket managers and management toolsUnderstanding the full implications of vulnerabilitiesSummary
Interpreting resultsEstablishing a structured remediation planPenetration test timingsSummary

Content preview from Penetration Testing

4 EMBEDDING PENETRATION TESTING WITHIN ORGANISATIONAL SECURITY POLICIES AND PROCEDURES

Ceri Charlton

An important part of the strategy of utilising penetration tests is identifying when they are to be used. This chapter discusses the way in which the activities relating to penetration testing can be built into the Information Security Management System (ISMS) of an organisation and the broader risk management framework. This chapter aims to explore some of the drivers, approaches and obstacles to embedding penetration testing (however it may be conducted) within an organisation.

ADDING PENETRATION TESTING TO AN EXISTING ENTERPRISE INFORMATION SECURITY STRATEGY

Increasingly, regardless of any additional industry-specific or regulatory requirements, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial