CIS Control v8 Overview: Control 18

James Temples
3 min read · Jan 21, 2022


Control 18: Penetration Testing: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Why is this Control important?

Organizations that implement the CIS Controls put themselves at a significant advantage in defending against attacks, with policies, technology, and trained staff in place. However, no defense is perfect, especially in environments that are complex, dynamic, or both.

Penetration tests are performed to identify an organization’s weaknesses, test the correct operation of an organization’s defenses (“verification”), and test that the organization has built the right defenses in the first place (“validation”). The test may be from an external network, internal network, application, system, or device perspective. It may include social engineering of users, or physical access control bypasses.

Penetration testing differs from vulnerability testing, which is described in CIS Control 7 (Continuous Vulnerability Management). Vulnerability testing checks only for the presence of known, insecure enterprise assets and stops there. Penetration testing goes further: it chains weaknesses together to show how far an attacker could actually get and what they would exploit along the way.

And its Safeguards?

This Control has five (5) Safeguards:

  • 18.1: establish and maintain a penetration testing program,
  • 18.2: perform periodic external penetration tests,
  • 18.3: remediate penetration test findings,
  • 18.4: validate security measures, and
  • 18.5: perform periodic internal penetration tests.

How is this Control implemented?

Penetration tests are expensive, complex, and can introduce risks of their own. They should be performed only by experienced people, whether from a reputable vendor or trained internal staff. Those risks include the unexpected shutdown of systems and exploits that might delete or corrupt data.

Organizations should define a clear scope and rules of engagement for penetration testing. The scope should include the enterprise assets that hold the highest-value information and production processing functionality. Lower-value systems may also be tested to see whether they can be used as launching points to compromise higher-value targets.

The rules of engagement should specify the days and times when testing may occur, the duration of the test, and the overall test approach. Only a limited number of people in the organization should know when the test is taking place, with a primary point of contact designated in case problems arise.
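Scope and rules of engagement are usually written into a contract and then enforced by hand. The guard below, an added example that is not part of the original post or of the CIS Controls, shows one way to make that contract machine-checkable so that scanning or exploitation tooling refuses a target that is out of scope, explicitly excluded, or outside the agreed testing window. The networks, excluded subnet, weekday evening window, and UTC-5 offset are constructed sample values, not a real engagement, and the guard goes beyond the post by handling the edge cases a practitioner hits in practice: an excluded subnet inside an in-scope range, a window that crosses midnight, and a tester whose clock is in a different timezone from the client's.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address, ip_network
from typing import Iterable, List


@dataclass(frozen=True)
class RulesOfEngagement:
    """Machine-checkable subset of a written rules-of-engagement document."""
    in_scope: tuple            # ip_network objects the client authorised
    out_of_scope: tuple        # ip_network objects explicitly excluded
    allowed_days: frozenset    # ISO weekdays, Monday = 1 ... Sunday = 7
    window_start: time         # local time testing may begin (inclusive)
    window_end: time           # local time testing must stop (exclusive)
    tz: tzinfo                 # timezone the window is written in

    @classmethod
    def build(cls, in_scope: Iterable[str], out_of_scope: Iterable[str],
              allowed_days: Iterable[int], start: str, end: str, tz: tzinfo):
        return cls(
            in_scope=tuple(ip_network(n, strict=False) for n in in_scope),
            out_of_scope=tuple(ip_network(n, strict=False) for n in out_of_scope),
            allowed_days=frozenset(allowed_days),
            window_start=time.fromisoformat(start),
            window_end=time.fromisoformat(end),
            tz=tz,
        )

    def target_allowed(self, host: str) -> bool:
        """Exclusions win: a host in an excluded subnet is refused even when
        that subnet sits inside an in-scope range. ip_address() raises on
        hostnames, so resolve names first and check every resulting address."""
        addr = ip_address(host)
        if any(addr in net for net in self.out_of_scope):
            return False
        return any(addr in net for net in self.in_scope)

    def time_allowed(self, when: datetime) -> bool:
        """True if `when` falls on an allowed day inside the window, evaluated
        in the engagement's timezone. Naive datetimes are rejected because
        the tester's laptop clock is not the clock the contract refers to."""
        if when.tzinfo is None:
            raise ValueError("use a timezone-aware datetime")
        local = when.astimezone(self.tz)
        if local.isoweekday() not in self.allowed_days:
            return False
        t = local.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window that crosses midnight, e.g. 22:00-06:00.
        return t >= self.window_start or t < self.window_end

    def check(self, host: str, when: datetime) -> List[str]:
        """Reasons an action against `host` at `when` must not proceed;
        an empty list means go ahead."""
        reasons = []
        if not self.target_allowed(host):
            reasons.append(f"{host} is not in scope or is explicitly excluded")
        if not self.time_allowed(when):
            reasons.append(f"{when.isoformat()} is outside the agreed testing window")
        return reasons


# Constructed sample engagement (not a real client): TEST-NET-3 plus one
# internal /16, with a "production database" subnet 10.20.5.0/24 carved out,
# weekday evenings 18:00-23:00 in a fixed UTC-5 offset.
SAMPLE_TZ = timezone(timedelta(hours=-5))
SAMPLE_ROE = RulesOfEngagement.build(
    in_scope=["203.0.113.0/24", "10.20.0.0/16"],
    out_of_scope=["10.20.5.0/24"],
    allowed_days=[1, 2, 3, 4, 5],
    start="18:00",
    end="23:00",
    tz=SAMPLE_TZ,
)

# Constructed timestamps around the post's date (21 Jan 2022 was a Friday).
SAMPLE_FRIDAY = datetime(2022, 1, 21, 19, 0, tzinfo=SAMPLE_TZ)
SAMPLE_LATE_FRIDAY = datetime(2022, 1, 21, 23, 30, tzinfo=SAMPLE_TZ)
SAMPLE_SATURDAY = datetime(2022, 1, 22, 19, 0, tzinfo=SAMPLE_TZ)
SAMPLE_FRIDAY_AS_UTC = datetime(2022, 1, 22, 0, 30, tzinfo=timezone.utc)  # 19:30 Friday local


def guarded_scan(roe: RulesOfEngagement, host: str, when: datetime) -> str:
    """Stand-in for the real action: refuse with the reasons, otherwise report
    what would have run. A real wrapper would launch the scanner here."""
    reasons = roe.check(host, when)
    if reasons:
        return "REFUSED: " + "; ".join(reasons)
    return f"would scan {host}"


if __name__ == "__main__":
    for host, when in [("203.0.113.10", SAMPLE_FRIDAY),
                       ("10.20.5.7", SAMPLE_FRIDAY),
                       ("10.20.6.7", SAMPLE_SATURDAY),
                       ("10.20.6.7", SAMPLE_FRIDAY_AS_UTC)]:
        print(guarded_scan(SAMPLE_ROE, host, when))
```

The guard is deliberately fail-closed: anything not listed as in scope is refused, an exclusion beats an inclusion, and a timestamp without a timezone is an error rather than a guess. Wrapping each tool invocation in `guarded_scan` (or its equivalent) gives the engagement lead an auditable record of what was attempted and why it was refused, which is also useful evidence when a client asks whether a production outage coincided with testing.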

Penetration test results detail the steps taken to break into the organization, which assets are vulnerable, and the business risks involved. Because this information would be damaging in the wrong hands, test results should be protected.

Key Reminder(s)

Penetration testing should be a key part of an organization's security program, surfacing vulnerabilities so they can be corrected before attackers find them. However, given the potential impact on systems and the required confidentiality of test results, care should be taken to have testing performed by experienced testing resources.

If you enjoyed this post, please Like and Share!

Contact Temples Consulting (a CIS SecureSuite Partner) to schedule a no-cost consultation for Email and Web Browser Protections using the latest CIS Benchmarks.

#cybersecurity #security #infosec #informationsecurity #riskmanagement #ciscontrols #cissecuresuite #safeguards #ciscontrolsv8 #templesconsultinggroup #security #clarity #delivery #riskassessment #riskremediation #risk2remediation #software #cyber #governance #GRC #implementations #dataprotection #datasecurity #phishing #vishing #smishing


James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP