Part of Data Security Standard 9 - IT protection
Penetration testing (9.2.1 - 9.2.2)
Definition
There are several definitions of what constitutes a penetration test and of the difference between penetration testing and vulnerability scanning. The difference is mostly one of intent: vulnerability scanning produces a list of items requiring updating or patching, whereas a penetration test has a defined goal, for example gaining access to a network share or to an elevated account.
Many of the tools available on the internet are completely legitimate; however, some can also be used for less legitimate purposes, for example cybercrime. Ensure you have sufficient technical capability before downloading and using any tools, and run them only against systems you are authorised to test.
Consider a penetration test at least annually, with vulnerability scanning occurring more often. A penetration test usually includes a vulnerability scanning element.
Scoping the test
A penetration test should be undertaken (at least annually).
The penetration test must include the following elements:
- all web servers the organisation uses
- vulnerability scans
- checking that the default passwords of network components have been changed.
The penetration test is also expected to cover all of the organisation's critical network infrastructure, such as server farms.
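One way to carry out the third scoping element, checking that network components no longer accept their vendor default passwords, is shown below. This is an added example, not code from the standard or the toolkit: the device models, addresses and default-credential table are constructed for illustration, and the login function is a simulation standing in for a real SSH or HTTP login. The attempt cap is the detail a tester needs on live equipment, since many components lock the account after a few failed logins and the check must stay below that threshold to avoid causing a denial of service.

```python
"""Added example: check whether network components still accept vendor default
credentials. Not part of the DSPT guidance; all device data here is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative default-credential table keyed by device model.
# ASSUMPTION: these model names and credential pairs are made up for the
# example; in a real test, build this table from the vendors' documentation.
DEFAULT_CREDENTIALS: Dict[str, List[Tuple[str, str]]] = {
    "switch-vendor-a": [("admin", "admin"), ("admin", "")],
    "router-vendor-b": [("admin", "password"), ("root", "root")],
    "ap-vendor-c": [("admin", "1234")],
}

# A login function takes (host, username, password) and returns True on success.
# In a real test this would wrap an SSH or HTTP login attempt against the device.
LoginFn = Callable[[str, str, str], bool]


@dataclass(frozen=True)
class Device:
    host: str
    model: str


@dataclass(frozen=True)
class Finding:
    host: str
    model: str
    covered: bool                                   # did we have defaults to try?
    attempts: int                                   # login attempts actually made
    default_credential: Optional[Tuple[str, str]]   # the pair that worked, if any


def check_device(device: Device, login: LoginFn, max_attempts: int = 3) -> Finding:
    """Try the known defaults for this device model, stopping at the first
    success or once max_attempts logins have been made. Keep max_attempts
    below the device's lockout threshold so the check cannot lock out the
    administrative account on production equipment."""
    candidates = DEFAULT_CREDENTIALS.get(device.model)
    if candidates is None:
        # No default list for this model: report it so it is checked manually.
        return Finding(device.host, device.model, False, 0, None)
    attempts = 0
    for user, password in candidates[:max_attempts]:
        attempts += 1
        if login(device.host, user, password):
            return Finding(device.host, device.model, True, attempts, (user, password))
    return Finding(device.host, device.model, True, attempts, None)


def check_inventory(devices: List[Device], login: LoginFn, max_attempts: int = 3) -> List[Finding]:
    return [check_device(d, login, max_attempts) for d in devices]


def still_on_defaults(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.default_credential is not None]


def not_covered(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if not f.covered]


def render_report(findings: List[Finding]) -> str:
    lines = []
    for f in findings:
        if f.default_credential is not None:
            status = "FAIL    default credential %s/%s accepted" % f.default_credential
        elif not f.covered:
            status = "UNKNOWN no default list for this model, check manually"
        else:
            status = "PASS    %d default credential(s) rejected" % f.attempts
        lines.append(f"{f.host:<12} {f.model:<18} {status}")
    return "\n".join(lines)


# Constructed stand-in for the devices' authentication, so the example runs offline.
SIMULATED_PASSWORDS = {
    "10.0.0.1": ("admin", "admin"),        # still on the vendor default
    "10.0.0.2": ("admin", "S7r0ng!Pass"),  # default has been changed
    "10.0.0.3": ("root", "root"),          # matches the second default in its list
    "10.0.0.4": ("admin", "x"),
}


def simulated_login(host: str, user: str, password: str) -> bool:
    return SIMULATED_PASSWORDS.get(host) == (user, password)


# Constructed inventory of network components in scope for the test.
INVENTORY = [
    Device("10.0.0.1", "switch-vendor-a"),
    Device("10.0.0.2", "switch-vendor-a"),
    Device("10.0.0.3", "router-vendor-b"),
    Device("10.0.0.4", "unknown-vendor"),   # no default list known
]

if __name__ == "__main__":
    print(render_report(check_inventory(INVENTORY, simulated_login)))
```

Devices whose model has no entry in the table are reported as UNKNOWN rather than silently passed, so the gap in the credential list is visible in the test report instead of being mistaken for a changed password.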
Commercially sourced, in house or partner
The options for penetration testing are to outsource to a commercial specialist, to perform the test in house if you have the relevant capability and capacity, or to partner ('buddy up') with another health and care organisation and perform each other's tests.
Option | Advantages | Disadvantages
---|---|---
Commercial | Independent | Cost
Commercial | With the right supplier, more experience and expertise | Lack of knowledge of your network and dependencies
Commercial | Reduced burden on existing staff |
In house | Cheaper | Requires in house staff to have the capabilities and capacity
In house | Knowledge of network and dependencies | Lack of segregation of duties
In house | | Cost of tools and upkeep
In house | | Sole responsibility
Health and care partner | Independent | Network knowledge would be general and may not be site specific
Health and care partner | Cheaper | Requires both parties to have a similar level of capability and capacity
Health and care partner | Understanding of dependencies on the health and care system |
Selecting a commercial organisation
Although we do not endorse any supplier, there are several indicators that may help you decide:
- CREST UK approved member company
- CREST- or Tiger Scheme-qualified testers and/or CHECK Team Leaders
- ISO 27001 and/or ISO 9001 certified
- a Digital Marketplace seller (see useful resources)
Active or passive
Penetration testing can have a varying degree of aggression, from passive to active (or a combination of the two). A passive test limits itself to observation and non-intrusive enumeration, whereas an active test sends probes and attempts exploitation that could disrupt live services, so agree the level of aggression, the systems in scope and the testing window with the tester before the test starts.
Last edited: 27 September 2022 2:43 pm