Planning for Penetration Testing
In the last episode, I described the need to test your systems to assess whether they have any vulnerabilities, and then to use the resulting report to fix and patch the areas of crucial importance.
Penetration testing is also referred to as ethical hacking. Though both refer to the same concept, there is a difference between the two. Penetration testing is performed on a specific information system or with a specific objective, while ethical hacking has a broader objective that includes all other hacking methods and other activities to combat and mitigate cyber-attacks. You can consider penetration testing a subset of ethical hacking techniques. It suffices to say that an ethical hacker needs a more comprehensive knowledge of hacking methodologies than a penetration tester.
The decision to conduct penetration testing is an indication of the importance of risk management in any organization. It is good professional practice to document security policies that outline how penetration testing should be conducted and how it relates to different types of systems, such as servers, web applications, laptops, desktops, tablets, smartphones, and numerous others.
Penetration testing should not be an ad-hoc activity. There are professional standards and regulatory requirements that must be considered. In the United States, there are regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Payment Card Industry Data Security Standard (PCI DSS) and many others. In Canada, there is the Personal Information Protection and Electronic Documents Act (PIPEDA). In the European Union, there is the General Data Protection Regulation (GDPR). There are many more regulatory requirements to consider depending on your location. Whatever you do and wherever you reside, it is imperative that you plan for a penetration test before you embark on it.
The Penetration Testing Execution Standard, which can be located here, and the Council of Registered Ethical Security Testers (CREST), which can be located here, have very good resources to assist in planning a penetration test.