In this three-part series, we’ll explore key considerations and strategies for choosing an attack surface analysis strategy, and the ways it can be used to increase awareness of both technical and process-related risks.
This is the second installment in our 2021 series around attack surface analysis. In part one I offered a description and the value and challenge of vulnerability assessment. In this installment I’ll explore a different analysis technique: penetration testing.
To further expand the lexicon we’re building I’ll point to the definition given by NIST for this particular area:
“Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.”
(Source: https://csrc.nist.gov/glossary/term/penetration_testing)
So, why would you want to perform a penetration test? There are a myriad of different reasons to partake in this particular form of analysis, but for the sake of brevity I’ll limit it to five in this post:
Stay compliant. If you’re in a regulated environment and have to follow standards such as PCI or HITRUST, then you’re probably familiar with the requirement to have technical controls which validate the security of your systems. The most common control to validate is (usually)... drumroll please... a penetration test!
Find vulnerabilities. While a vulnerability assessment will help discover issues with exploitable software and possible misconfiguration, a penetration test will go much deeper and ..
Support the originator by clicking the read the rest link below.
