Penetration testing, also known as pen-testing, makes it easy to uncover exploitable vulnerabilities and other flaws in your network security. But with new threats emerging on a daily basis, some are left wondering: is penetration testing compulsory for my business? If so, what are the requirements for maintaining compliance? For some compliance frameworks, such as the PCI DSS, pen-testing is required. For others, it’s strongly advised.
When is Pen-Testing Required?
Penetration testing is not normally an explicitly stipulated requirement for most organizations. Therefore, it’s often not compulsory in its own right. However, performing pen-testing will help you meet many of the cybersecurity assessment obligations that most compliance frameworks require. Furthermore, the simulated cyberattacks that pen-testing executes are a crucial vulnerability detection tool.
Determining whether pen-testing is compulsory for your organization—explicitly or as a means to meet compliance obligations—requires understanding:
- The common phases of pen-testing
- Why penetration testing is necessary
- Whether penetration testing is mandatory
- The difference between vulnerability scanning and pen-testing
Partnering with a cybersecurity expert to perform pen-testing will provide your organization with actionable insight that will help strengthen security architecture and compliance adherence.
Modern penetration testing is a very calculated, formulaic procedure. Professionals generally utilize a step-by-step approach consisting of multiple phases. This helps track progress and keeps everything neatly organized.
The activities performed during a given test may vary, but the Penetration Testing Execution Standard (PTES) and the Open Web Application Security Project (OWASP) outline seven distinct phases. Some of these phases are combined in practice (preparation with intelligence gathering, and vulnerability identification with threat modeling), which is why the list below shows five steps. The phases are:
- Preparation and intelligence gathering – This phase officially marks the beginning of a pen-test. Professional testers begin by collecting as much information as possible on your organization, which is done through online searches, public information queries, and, in some cases, social engineering.
- Vulnerability identification and threat modeling – Generally the second phase in modern pen-testing, this is where the tester decides which strategies they’ll take when running mock attacks on your system. This phase lets you see how effective—or ineffective—your current network security truly is.
- Penetration and exploitation – This is when the actual penetration and subsequent testing occur. Professional testers utilize every tool at their disposal when trying to penetrate your system or exploit any identified vulnerabilities, including network-based attacks, wireless network exploitation, and memory-based attacks. In certain cases, the tester might utilize social engineering strategies or physical, brute force attacks against hardware or software systems.
- Risk analysis and post-exploitation – This phase only occurs after the tester has gained access to your system. From here, they’ll determine how deep they can penetrate your network, including any vulnerable assets, databases, or other resources. This step generally represents the bulk of the tester’s work and expertise.
- Reporting and review – Scheduled as the final step, the tester will present their findings during the reporting phase. They’ll also provide recommendations on how you can improve your security framework in the future.
White or Black Box?
One of the decisions your organization and the testers need to make early on is how much architecture and configuration insight will be provided to the latter. Pen-tests are generally divided into three approaches based on provided insight:
- Black box – When testers are provided with little to no information
- White box – When testers are provided with information that average cybercriminals would not know in advance
- Grey box – When testers are provided with some amount of information
Black box tests are the most accurate simulation of a real-world, externally acting cyberattacker. In comparison, a white box approach gives the testers an advantage a real attacker would not have, but it generally results in more comprehensive findings and accounts for the potential actions of any internal threat actors.
Is Penetration Testing Really Necessary?
The answer depends on your industry. With strict regulations like HIPAA in the healthcare sector and PCI DSS for retailers, pen-testing might be necessary to maintain compliance with modern standards. Many of these compliance frameworks require periodic assessment and scanning. Pen-testing is one of the most insightful methods to meet these types of compliance requirements.
While some organizations and industries aren’t explicitly required to perform them, regular penetration testing is still recommended. It helps uncover potential vulnerabilities and threats before they become much bigger problems.
Is Penetration Testing Compulsory for My Business?
Some industries require regular penetration testing. In cases where penetration testing is necessary, clear testing requirements are provided. If your organization must adhere to or achieve certification for the following, pen-testing may be compulsory (or help meet compulsory requirements):
- SOC 2
- PCI DSS
Service Organization Control 2 (SOC 2)
Created to protect consumer data, Service Organization Control 2, or SOC 2, is often applied to commercial contracts. This is especially true for SaaS (software-as-a-service) vendors and contractors. The American Institute of CPAs (AICPA), which oversees all SOC assessments, relies on the Trust Services Criteria (TSC) for evaluation.
Common Criteria (CC) 4.1 stipulates the need for IT officials to use multiple forms of testing and evaluation to determine whether controls continue functioning properly—including penetration testing specifically as one of the acceptable means.
The SOC 2 requirements don’t explicitly stipulate pen-testing must be performed. However, many IT experts agree that penetration testing is one of the best methods for assessing an organization’s security framework. So, it’s a common cybersecurity process that your organization should strongly consider performing, especially when preparing for any SOC assessment.
Payment Card Industry Data Security Standard (PCI DSS)
Unlike SOC 2, the PCI DSS explicitly requires penetration testing. The PCI DSS was established by the major credit card companies to protect consumer data and prevent fraud. Any organization that collects, stores, processes, or transmits cardholder data is subject to PCI DSS requirements.
PCI DSS Requirement 11.3 stipulates that organizations must perform:
- Internal and external penetration tests:
  - Following major upgrades or modifications
- Pen-testing on network segmentation implemented to reduce PCI DSS compliance scope:
  - Annually, if the cardholder data (CHD) environment is self-managed
  - Every six months for service providers that utilize segmentation
Also, unlike SOC 2, which tends to use these terms interchangeably, PCI DSS distinguishes between pen-testing and vulnerability scanning. Both are required to maintain full PCI DSS compliance.
Health Insurance Portability and Accountability Act (HIPAA)
Despite its prevalence in the healthcare industry, HIPAA doesn’t contain any specific requirements regarding penetration testing. It does, however, require regular risk analysis assessments that include testing each organization’s security controls.
Since the two most popular forms of risk analysis are vulnerability scanning and pen-testing, most organizations opt for the latter for its greater insight. The National Institute of Standards and Technology (NIST) has also issued a recommendation for consistent penetration testing.
Vulnerability Scanning and Penetration Testing: What’s the Difference?
Some standards mention both vulnerability scanning and pen-testing, but they fail to differentiate between the two processes. Unfortunately, this often results in confusion and makes it even more challenging to abide by industry regulations.
Vulnerability scans, sometimes known as vulnerability assessments or analyses, operate at the surface level. While they’re highly effective in spotting exploitable vulnerabilities, they lack the completeness of full-scale pen-testing. They also tend to report false positives in some instances.
Penetration testing allows the tester to take a deep dive into the foundation of the organization’s security framework. Whereas vulnerability scanning detects issues, pen-testing will actively attempt to exploit them. Since all actions are performed by a human and any threats are verified by IT experts, the chance of a false positive is virtually eliminated.
Protect Your Network With Pen-Testing
The comprehensive breakdown covered here should help organizations answer, “Is penetration testing compulsory for my business?” Put simply, some compliance frameworks may require pen-testing, but every organization should strongly consider it for the cybersecurity insights it provides. Furthermore, some compliance framework requirements can be met by penetration testing, even if it’s not explicitly required as a stated assessment method.