In a rapidly evolving world, we encounter new challenges, particularly in the realm of cyber security. To address common inquiries, we have provided a selection of frequently asked questions below. If you don't find the answer you're seeking, please don't hesitate to reach out to us. We are more than happy to help.
A vulnerability assessment identifies whether an organisation’s systems and applications have potential known security vulnerabilities. It involves one or more automated vulnerability scans, followed by a prioritised list of the vulnerabilities found, their severity and generic remediation advice. Scanning software is limited to identifying vulnerabilities it has signatures for (such as missing software updates, incomplete deployment of security software etc.). It cannot consider business logic or find unknown vulnerabilities. Scans include networks, web applications, source code and ASV scans for PCI DSS.
A penetration test has a much greater potential breadth of scope and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals who use their experience and technical abilities to mimic multiple types of attacks used by a cybercriminal, targeting both known and unknown vulnerabilities. Unlike a vulnerability scan, where identified vulnerabilities are not exploited, in a penetration test, the tester will modify their approach to provide proof of exposure through exploitation to gain access to the security systems or stored sensitive information that a malicious attack could compromise.
There is no standard answer for the time it takes to conduct a penetration test; it depends on the size and complexity of the environment (attack surface) to be tested – the scope of the work to be undertaken. An app or small environment can be completed in a few days, but a large, complex environment can take weeks.
A reputable penetration testing provider understands the time constraints that face organisations and will have a process to deliver your penetration testing project efficiently and cost-effectively to provide maximum value.
There is no universal price for a penetration test; if you are presented with a generic price, it should serve as a red flag not to proceed with that provider.
A good quality provider will provide a free consultation to understand your organisation’s aims and objectives and determine a high-level threat model (to understand the full scope of work) before giving a quote.
Penetration testing demonstrates reasonable efforts made to test the integrity of your business infrastructure and applications. It shows regulators such as ASIC or AUSTRAC that your company has protected confidential and sensitive business data.
With new legislation passing in Australia, businesses must demonstrate that they regularly check their systems for compliance with industry standards, and that checks have been made to ensure there are no vulnerabilities that attackers can readily exploit.
With many providers to choose from, it is essential to do your research to ensure that your chosen penetration testing provider is proven, reliable and professional beyond reproach.
You will rely on them to interrogate your business systems and use complex tools to test your IT network thoroughly.
If the provider lacks knowledge and experience applying their tools to diverse IT environments, you may waste your money and fail to see results. Your IT environment could be damaged, changed or taken down if penetration testing tools are not appropriately configured for your specific environment.
Including regular penetration testing in your ongoing cybersecurity and information security management program is the best approach. After all, the cybersecurity landscape is ever-evolving. Compliance requirements mandate regular penetration testing – for example, PCI DSS compliance requires penetration testing at least annually or during infrastructure and application modifications and upgrades that constitute a significant change to the environment. Often, organisations aim to meet only the minimum requirements to achieve compliance – and believe themselves to be secure. This is a dangerous mindset.
The best practice approach is to work with your provider to conduct an organisation-wide risk assessment to determine your organisation’s level of risk. You can then develop a cybersecurity program that employs an agile approach, using the tools at your IT department’s disposal and your provider’s (such as vulnerability assessments and penetration testing) to measure and evolve the security of your networks, applications and employees to maintain a strong defence against cyber attack.
There is no need to do anything special to prepare for a penetration test in terms of how security controls are managed day to day. Remember that a penetration test is a point-in-time review of the environment.
The test will assess the security posture at that particular point in time. For example, if patches are deployed every Wednesday, there is no need to change this behaviour to accommodate the penetration test. If the network penetration test results determine this process requires attention, then that would be the appropriate time to adjust.
No. We work with many IT-managed service providers and can recommend a provider that we feel would best suit your needs.