Читать книгу CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Страница 14
Reasons for a pentest
ОглавлениеWhy would a company conduct a penetration test? The purpose of a penetration test is to obtain a real-world picture of the effectiveness of the security controls put in place to protect the company’s assets. Instead of taking the word of the security team that configured the security of the environment, you can put the security to the test by having someone take the steps a hacker would take and see if the security holds up. In performing such a test, the pentester can also obtain a list of steps the company could take to prevent real attacks from being successful.
Another reason to perform penetration testing is to be in compliance with regulations. Depending on the industry a company services, organizations may be governed by regulations that require penetration testing to be performed on a regular basis to ensure the security of the organization. For example, companies that collect and store sensitive payment card information are governed by the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has strict requirements for activities that must be performed to help keep sensitive payment card information secure. Check out “Best Practices for Maintaining PCI DSS Compliance” and “Penetration Testing Guidance” at www.pcisecuritystandards.org to learn more about PCI DSS compliance requirements.
Table 1-1 summarizes two key requirements from the best practices document published by the PCI Security Standards Council. These requirements specify that organizations must perform an annual penetration test and implement any remediation actions identified by the test. Organizations must also perform a network segmentation penetration test every six months to maintain compliance.
TABLE 1-1 PCI DSS Best Practices Requirements
| Requirement | Title | Description |
|---|---|---|
| 11.3 | Penetration testing | Perform annual penetration testing against preordinated use cases/attack scenarios and perform remediation actions to address any identified vulnerabilities |
| 11.3.4.1 | Six-month penetration testing for segmentation | Bi-annual penetration testing conducted for network segmentation controls |
Source: PCI Security Standards Council. Best Practices for Maintaining PCI DSS Compliance. January 2019: pp 46-47. Available at www.pcisecuritystandards.org.
The PCI Security Standards Council’s “Penetration Testing Guidance” document gives more detail on compliance requirements such as the fact that you must also perform a penetration test any time major changes are made to the network infrastructure or to applications within the organization (on top of doing annual penetration testing).
The key point here is that compliance requirements could drive the need to perform penetration tests on a regular basis.
For the PenTest+ certification exam, remember the two main reasons to perform a penetration test: (1) to get an accurate picture of the results of an attack, and (2) to be in compliance with industry regulations.
