Annual Pen Testing vs Continuous Monitoring

What is Penetration Testing?

Penetration testing (pen testing) is an authorised scanning and verification exercise carried out by qualified people who, in some cases, use simulated cyber attack techniques to expose flaws, vulnerabilities and risks. This allows organisations to evaluate the security of their systems and improve them.

This testing can be carried out internally or externally. The ‘attackers’, who are working for you, identify and test the vulnerabilities that criminals could exploit, without causing damage. Most likely they will use the same tools, techniques and exploits that those with malicious intent would. It is a good test of how robust and secure your systems are.

The UK National Cyber Security Centre (NCSC) describes pen testing as: “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”

The NCSC also advises that pen testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as the primary method for identifying vulnerabilities. This is a good point: if you have robust patching and regular security reviews of your systems, the likelihood of a serious vulnerability surviving until the test is lessened.

The NCSC publishes further guidance on the different types of pen testing.

Why is pen testing so important?

Testing is important because new cyber security vulnerabilities are being identified and exploited by criminals all the time. With cyber-attacks, and ransomware in particular, becoming more frequent, it is important to undertake regular vulnerability scans and testing to identify weaknesses and to confirm that the security controls in place are actually working.

How often should a pen test be done?

Pen testing should be performed regularly (at least once a year), although that should not rule out a more frequent testing cadence, particularly when a significant change has been made, such as the deployment of a new infrastructure component or a major upgrade or replacement of a solution.

So, it is recommended that pen tests are performed annually, but is that enough?

That really depends on your circumstances. In an ideal world you would have continuous checking and monitoring; however, that is often not possible or cost effective for smaller organisations. The trick is to find a balance: test as often as you can, so that you can fix things before they become problems.

What happens if an attacker identifies and exploits vulnerabilities in between those annual pen tests?

It’s not said often enough: you can only mitigate as much as you can. There are always risks you have to accept, and you mitigate where you can to prevent ‘bad actors’ from running amok. You also have to balance usability of your systems against the security requirements. There is no point in making a system so secure that people can’t get into it!

At the end of a test your supplier should provide you with a list of the issues and risks that have been found and that you need to resolve. Those worth their salt will give you advice on how to do it as well, or at least point you in the right direction.

That list isn’t just for review, or to say “look, we did it”. It is very important that you take their advice and act on it, making those changes so the findings cannot be exploited. To put it another way, if your engine management light is telling you something is wrong, you wouldn’t drive around for a year until your next service, would you?

Continuous monitoring, and regularly scanning for and resolving security issues, is extremely important. It gives organisations knowledge of their security posture throughout the year, in between annual tests, so they can protect themselves from cyber-attacks.

According to the Cyber Security Breaches Survey 2021, four in ten businesses reported having cyber security breaches or attacks in the last 12 months.

Many organisations are still relying on annual pen testing as their single line of defence; we hope to contribute to awareness of the need for continuous monitoring solutions alongside it.

Nine23 Cyber Security Solutions are all subject to external annual penetration testing and continuous monitoring. We believe it is important to have both solutions in place to ensure the most efficient and effective ways of discovering and resolving security vulnerabilities in our infrastructures.

You are a cyber security company so why do you have external testing? 

Quite simply, we do not think it is good practice to ‘mark our own homework’. Nine23 uses a trusted, CHECK-accredited third-party organisation, with regular internal reviews alongside this.

We have external scans of our infrastructures, server and client operating systems and configurations, for example to make sure malware does not easily get past our controls and that there are no serious risks we should be looking to mitigate.

However, in between tests we regularly review what’s happening internally, alongside monthly patching, firmware updates and much more. It is part of our ethos of continual improvement and monitoring. Changes happen much more frequently than once a year, so you could leave items exposed if you rely on a single pen test per annum.

With continuous or regular monitoring, you can identify potential risks and resolve issues sooner rather than later.   
