Libby Bevin

Have you ever been asked difficult questions from your leadership teams that you couldn’t answer? How do you intelligently and succinctly respond to the following questions and have the supporting data to back up your metrics and business outcomes?

• Are we secure?
• When was our last security incident, how did we respond and will it happen again?
• Are our critical assets and data protected? If not, what will it take to add protective measures?
• We’re still compliant with all of our regulatory requirements, right?

Regardless of your role in compliance, risk management or information security, these questions can potentially trigger a mild case of anxiety or even a full on panic attack, depending on your organization’s level of control maturity. The way I see it, we have three choices:

1. We can avoid questions like these all together by cowering under our desks or running the other way down the hall (virtual or physical hallway, that is)
   1. For all remote workforce members, please note that the mute button and webcam cover only hide you for about 5-10 seconds, tops, not that I’m speaking from personal experience, of course
2. Piece together a response from a multitude of spreadsheets, meetings, emails, disparate SIEM tool reporting and vulnerability scanning data
3. Face the questions with confidence and ease, armed with accurate supporting data and using minimal effort.

Obviously, option #3 is ideal and option #1 is not really an option, so we don’t recommend you try it! All joking aside, wouldn’t it be much more effective not only to have the answers to the tough questions, but also to automate the process of getting to those answers?

What if we took a more proactive approach instead of simply reacting and responding to emerging threats and incidents?

ISO 27001, published by the International Organization for Standardization (ISO), is a set of standards to govern cybersecurity and information security management systems (ISMS) within your business and among your third parties. Being certified as ISO 27001-compliant requires a thorough analysis and testing of your IT systems’ functionality and capabilities.

One requirement of ISO 27001 – specifically, control A.12.6.1 of Annex A of ISO/IEC 27001:2013 – requires that an organization prevent potential vulnerabilities from being exploited; that means (among other things) running penetration tests on your network to see how well your defenses do or don’t work. Below, we address some frequently asked questions regarding ISO 27001 related to penetration testing.

What Is ISO 27001 and Why Is it Important?

ISO 27001 is formally known as ISO/IEC 27001: Information Technology, Security Techniques, Information Security Management Systems Requirements.

Published by the International Organization for Standardization (ISO), in collaboration with the International Electrotechnical Commission, ISO 27001 is a top international standard for information security (IEC). It offers a path to help enterprises of any size or sector protect their information, both methodically and affordably.

Not only does the standard give businesses the knowledge they need to protect their most precious data. A business that certifies its compliance with ISO 27001 is demonstrating to potential clients and business partners that it is committed to securing its data. (Individuals can show their qualifications to future employers by becoming ISO 27001-certified by completing a course, exam, and certification audit.)

The benefits of ISO 27001 are far-reaching. It is an international standard and widely accepted, which expands the commercial potential for businesses and individuals. You need to renew your ISO 27001 certification every three years, showing stakeholders and interested parties that you have robust management systems standards.

Does ISO 27001 Require Penetration Testing?

The short answer is both yes and no. For systems with standard functionality and common architectures, you may be able to fulfill this requirement with only a vulnerability assessment or analysis. For more complex systems such as custom web applications, however, penetration testing will be required to assure your security posture is sufficient for data protection and guarding against cyberattacks.

Standard scanning tools (even those specifically designed for web applications) may be ineffective at identifying vulnerabilities such as broken access controls, business logic abuse, impersonation attacks, or other non-standard, functionality-specific vulnerabilities. So under numerous circumstances, penetration testing is necessary to verify all information security aspects.

What Is Penetration Testing?

Penetration testing is a critical risk management tactic alongside vulnerability scanning and security testing. “Pen testing” simulates malicious attacks and data breaches through ethical hacking to determine whether your incident response and information security controls are adequate, functioning correctly, and able to withstand a cyberattack.

During the pen test, information security policy experts exploit security vulnerabilities in a simulated environment so that you can remediate them through improved security measures (typically through a combination of tools and a business continuity management).

What Are the Types of Penetration Testing?

Given that engagements vary in emphasis, depth, and duration, it’s critical to be aware of the different types of penetration testing before choosing to implement them into your risk management process. The following are typical ethical hacking projects:

Internal and External Infrastructure Testing for Vulnerabilities

A thorough review must be conducted of the network infrastructure, including routers, switches, and system hosts, both on-premises and in the cloud.

You may implement internal penetration tests concentrating on resources inside the business network and external penetration tests focusing on infrastructure accessible over the internet. You must know the number of sites, network subnet size, and internal and external IP addresses to scope a test accurately.

Testing for Wireless Penetration

Wireless penetration tests target WLAN (Wireless Local Area Networks) in businesses and Bluetooth, ZigBee, and Z-Wave wireless protocols. These aid in locating malicious access points, encryption flaws, and Wi-Fi Protected Access (WPA) vulnerabilities.

The number of wireless and guest networks, locations, and distinct service set identifiers (SSID) must be evaluated to scope an engagement.

Testing Web Applications

Web application testing examines websites and bespoke web applications to find code, design, and development errors that could be maliciously exploited. Determine the number of applications that require testing and the number of static pages, dynamic pages, and input fields that need to be evaluated before implementing test procedures.

Testing Mobile Applications

Testing mobile apps on different operating systems, such as iOS and Android, help find problems with session handling, data leaking, authentication, and authorization. Testers need to know the operating system types and versions and the number of application programming interface (API) calls. In addition, the jailbreaking and root detection specifications are necessary to scope a test.

Review of Build and Configuration

A review of network builds and settings is necessary to find misconfiguration errors in web and app servers, routers, and firewalls. To properly scope this engagement, it is essential to know how many builds, operating systems, and application servers are going to be examined.

Social Engineering

Evaluate your employees’ capacity to recognize and respond to email phishing attempts. Using targeted phishing, spear phishing, and business email compromise (BEC) attacks, gain detailed information about the potential threats.

White Box Testing

White-box penetration testing (sometimes also known as crystal or oblique box pen testing) gives the tester advanced knowledge of how the network operates, so he or she can test systems more directly. The tester typically has all network and system details, including network maps and passwords, to save time and lower the total engagement cost. In addition, a white box penetration test helps simulate a targeted assault by using as many attack paths as feasible on a particular system.

Black Box Testing

In a black-box penetration test, the tester receives no information; instead, the tester mimics an unprivileged attacker’s strategy from initial access and execution until exploitation. This is the most realistic scenario, since it shows how an opponent without inside information would target and compromise an organization. It is also the most time-consuming and costly method.

Gray Box Testing

Only a small amount of information (typically login information) is disclosed to the tester for a gray-box test, also called a transparent box test. Gray box testing determines the degree of access and potential harm a privileged person may have to mimic an insider threat or an assault that has infiltrated the network perimeter. Gray-box tests find a balance between depth and efficiency.

What Are the ISO 27001 Penetration Testing Requirements?

ISO controls set of Annex A (specifically, A.12.6.1, of ISO 27001:2013) states: “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.”

Penetration testing satisfies these requirements by providing a gap analysis via a simulated malicious attack. It should be conducted by certified professionals who offer penetration testing services. Nonconformity findings provide the basis for corrective actions to improve your existing information security standards.

How Does Penetration Testing Work?

You will develop a scope with your pen tester that covers your security objectives, testing plans, and any regulatory or contractual requirements for your business.

Testing may include external tests to detect IP address issues, web application vulnerabilities, and more. It may also include internal testing measures that analyze your network devices and operating systems and detect internal vulnerabilities, such as weak passwords, outdated software, poorly coded websites, and insecure applications.

Once testing is complete, the tester and client company conduct a post-mortem analysis by reviewing documented vulnerabilities and details, and assessing the severity of potential threats. You can then consider your pen tester’s recommendations and chart a path for corrective actions to drive continual improvement.

Penetration testing can be broken down into five stages:

Preparation and Research

The first stage is establishing the scope and objectives of a test, along with the systems to be tested and the testing techniques to be applied.

It collects information (such as network and domain names, mail servers, and so forth) to learn more about a target’s operations and potential weaknesses.

Scanning

The next step is to know how the target application will react to different intrusion attempts. Usually, this is accomplished using:

• Static analysis. Analyze the source code of a program to predict how it will function when executed. These tools can scan the entire code in a single pass.
• Dynamic analysis. Examine the code of a running application. This scanning is more helpful since it gives a real-time picture of an application’s functionality.

Obtain Entry

This step involves identifying a target’s weaknesses via web application assaults such as cross-site scripting, SQL injection, and backdoors. To understand the harm these vulnerabilities may do, testers attempt to exploit them, often by elevating their privileges, stealing data, and intercepting communications.

Maintaining Access

This stage’s aim is to determine whether the flaw can be used to establish a persistent presence in the exploited system – long enough for a malicious actor to obtain in-depth access. To steal the most sensitive data from a company, sophisticated continuous attacks are imitated; some may stay in your system for months.

Review

The penetration test findings are then put into a report with the following information:

• Certain flaws that were exploited
• Ability to access to private information
• Technical risk briefing
• Advice for corrective actions
• Strategic recommendations

What Are the Benefits of Penetration Testing?

Penetration testing is essential for various reasons, well beyond simply following compliance obligations. Look at these four advantages that penetration testing may provide for you.

Manage Vulnerabilities Wisely

To make sense of data security, penetration tests often happen in conjunction with a vulnerability scan. This allows your business to prioritize the top security issues and better coordinate your security policies. In addition, the data you obtain from the pen test will allow you to deploy security resources more wisely, prioritize remediation, and install required security fixes.

With this information, you can more skillfully address any vulnerabilities that may be present and address those that may cause more severe issues. Knowing this and using it to your advantage can help close the security gap between your company and malicious actors, giving you greater control over your security posture.

Save Money by Avoiding Network Outages

System breaches can cause all manner of unexpected and unwanted costs: remediation costs, legal costs from regulatory investigations, possible monetary penalties from regulators; plus lost revenue from systems being off-line or would-be customers deciding not to do business with an organization that has poor cybersecurity.

Penetration testing helps companies avoid those headaches by helping you answer questions such as:

• How much harm was caused?
• How long will it take to correct the situation and ensure that enemies haven’t advanced via your network?
• What impact will this have on the business’s operations? It could be challenging to swiftly fix the problem and protect your business so everything can start working again.

Observe Regulations and Stay Out of Trouble

Penetration testing is one of many tools to help maintain compliance with various regulations and frameworks. You may avoid paying potentially steep fines by conducting penetration tests on your systems. And while you are saving yourself from fines, it is still advisable to go beyond “check the box compliance” to protect your firm and promote growth.

Maintain the Goodwill of Your Customers and the Reputation of Your Business

No business wants unflattering media headlines about a data breach. Protecting your data and avoiding data breaches are imperative to protect the reputation of your business and maintain customer goodwill.

Active security policies and testing demonstrate that you care about the security of the individuals you work with and speak loudly to stakeholders. It also creates a culture of cyber-hygiene and accountability among employees.

How Frequently Should You Do ISO 27001 Penetration Testing?

Penetration testing is a critical element for any ISO 27001-compliant IT system, so testing should be done throughout your system’s lifecycle – from initial planning to execution, and continually as part of your standard maintenance program.

Information asset management has inherent technical vulnerabilities that need continuous monitoring and improvement because, just as innovation increases, criminal innovation does too. As a result, cybercriminals regularly find new ways to penetrate rock-solid security measures.

Penetration testing should occur as soon as you have pinpointed the assets that are to be included in your risk assessment and testing agreement. During post-mortem analysis, you and your information security experts should also determine an appropriate frequency for re-testing in the future.

Automate ISO 27001 Vulnerability Management with Reciprocity ZenRisk

Reciprocity ZenRisk is a suite of integrated cybersecurity risk management software. It is a turnkey solution for quick implementation. The content library is preloaded with various frameworks and templates, making ISO certification a breeze. Evidence cross-mapping enables you to fulfill requirements for various frameworks simultaneously, including NIST and GDPR.

Reciprocity ZenRisk features automated workflows and task tracking to eliminate manual follow-ups. User-friendly dashboards provide visibility to vulnerabilities and internal audits can be performed in just a few clicks. This way you know where to focus your resources.

Worry-free cybersecurity risk management is the Zen way. Contact us today to schedule a demo!

Risk, security and compliance executives have many choices and decisions on their respective plates, and whether or not to automate is not among them.

I’ve been seeing a trend in the marketplace: more and more organizations are investing in risk management and compliance technology tools¹. But why? The answer may be as simple as supply and demand dynamics.

Boards, executives and other stakeholders are more urgently demanding sound risk management and intelligence to drive better investments in security and other business decisions. On the supply side, CIOs are challenged with limited resources and budgets, new or changing regulations and tracking and maintaining compliance². Already high expectations for today’s CIO, CISO and CROs are growing, and this is driving risk, security and compliance teams to become more efficient.

Automation becomes a necessity rather than a choice to keep up with growing stakeholder demand and scrutiny. Plus, an ever-changing risk landscape and growing and increasingly complex security environment require an efficient approach to keep up. Automation strategies create force multipliers on existing resources, allowing teams to focus on high-value activities and leaving the mundane and routine tasks to machines.

This frees up your team’s time, optimizing the skills and talent of your workers and reduces errors in your risk, security and compliance programs. It is clear that risk and security executives must adopt automation by default. Stakeholder demand has increased, and executives’ ability to supply risk intelligence is becoming less and less effective.

Hardly a week goes by without hearing about yet another data breach or cyberattack that harmed some company somewhere – which means, naturally, that organizations everywhere need more comprehensive cybersecurity controls and risk management programs.

One part of that challenge is how to demonstrate the effectiveness of your cybersecurity capabilities to stakeholders. You should be able to prove that you have the processes and controls in place to detect cyber incidents, respond quickly, and recover data and operations in the fastest possible time.

This is where cybersecurity attestation comes in.

A cybersecurity attestation (also more simply known as a cyber attestation) is a review and confirmation of your organization’s security status by an independent reviewer.

Should your organization get a cybersecurity attestation? How does the process work? Let’s explore.

What Is Cybersecurity Attestation?

Merriam-Webster defines attestation as “proving the existence of something through evidence” and “an official verification of something as true or authentic.” A cybersecurity attestation is formal, documented proof of your organization’s security status.

Attestation does not necessarily mean that your cybersecurity posture is perfect or that you are completely protected from cyber threats. It simply shows stakeholders that you are managing your cyberthreat landscape to the degree that you claim. It provides evidence that you are doing your best to detect breaches and respond to threats in an appropriate manner.

The attesting party will evaluate your cybersecurity environment and provide assurance that you are doing everything possible to protect your data and systems. This typically includes a review of your cybersecurity infrastructure and risk management program to confirm whether those efforts meet the cybersecurity requirements set by a governing body.

Do You Need Cybersecurity Attestation?

Not necessarily. The main purpose of cybersecurity attestation is to build trust with stakeholders.

When you have completed cyber attestation, you can provide a higher level of assurance about your security posture and cybersecurity program and controls. You could then offer that attestation to customers, business partners, and other interested parties to demonstrate that your organization is trustworthy. It demonstrates your commitment to transparency and shows that you are making an effort to strengthen your cybersecurity posture. The report will help them gauge whether you will protect data in their care – such as their own personal data.

So, does your organization need cyber attestation?

The answer: it depends.

Your customers, vendors, business partners, or other stakeholders may require a security attestation from you. Some industries and regulatory agencies also ask organizations to get a security attestation and provide an authenticated attestation report.

In general, if your company is required to prove that controls are in place to secure sensitive systems and information, then yes, you should get a security attestation.

Cybersecurity Attestation and System and Organization Controls (SOC) for Cybersecurity

The American Institute of CPAs (AICPA) has developed a cybersecurity attestation and risk management reporting framework. This framework is part of the System and Organization Controls (SOC) for Cybersecurity assessment.

Like other SOC assessments, the goal of this assessment is to provide an assurance report that you can share with others. It is not a replacement for SOC 2 or SOC 3 reports. Rather, it provides a way to assure stakeholders about your cybersecurity program, so you should consider it an additional assessment on top of SOC 2 or SOC 3.

The SOC for Cybersecurity assessment helps independent auditors – typically service providers such as a public accounting firm specializing in cybersecurity – to assess enterprise cybersecurity risk management programs.

These auditors have the knowledge and expertise to understand cybersecurity risks and perform a quality assessment of your cybersecurity controls. After an objective review of your program, they will provide a report about the enterprise security posture. This information enables the board of directors, senior management, investors, and other stakeholders to understand the organization’s security efforts and judge the effectiveness of its internal controls.

Calculating a Security Score for Cybersecurity Attestation

Cybersecurity attestation is like a health report of your cybersecurity status. As part of the attestation, the auditor may give you a security score, which measures your security posture based on many security-related aspects.

A common starting point for calculating the security score is to use Microsoft Secure Score. Microsoft Secure Score acts as a security benchmark, indicating a company’s security posture. A higher score shows that the company has taken more actions to improve its security posture.

You will see your Microsoft Secure Score (1 to of 100) on the Microsoft 365 Defender portal. This number, expressed as a percentage, will help you to:

• Understand the current state of your security posture;
• Boost your security posture by improving your environment’s discoverability, visibility, and control;
• Establish key performance indicators (KPIs) to measure improvements in the security posture.

By following the Secure Score recommendations, you can strengthen your cybersecurity controls and protect your organization from threats. Your score will change when you implement these recommendations to configure certain security features, complete security-related tasks, and address a specific improvement action.

The attesting agency may walk you through your score to show where security vulnerabilities exist. The agency may also provide recommendations to address these security gaps and blind spots. Once the attestation is complete, the agency will provide a report you can show to your stakeholders to demonstrate your security status.

Important Elements of a Cybersecurity Attestation Report

The attestation report is based on your security management or control framework. You may have chosen the NIST Cybersecurity Framework (CSF) or a framework like COBIT (Control Objectives for Information and Related Technologies), PCI DSS (Payment Card Industry Data Security Standard), or ISO (International Standards Organization).

The evaluator will assess your cyber risk management program based on these frameworks to decide whether your controls are effective in achieving your risk assessment and management objectives.

The report may be customized depending on your organization’s size, type, industry, and cybersecurity requirements. But in general, cyber attestation reports include the following points about the organization:

• The organization has assessed its cybersecurity risks.
• It has implemented a robust information security management system (ISMS) and a cybersecurity framework.
• It has an incident response plan in place.
• That plan is integrated with its business continuity plan.
• It is taking steps to improve its cybersecurity posture and resilience.

Ideally, the report will describe your data breach prevention and detection processes. It could also include details about breach remediation and data recovery processes, the operational recovery plan, and the stakeholder communication plan.

The Cyber Attestation Process

The CPA firm’s independent attestation report lets organizations offer an objective review of their cybersecurity risk management program and security controls to stakeholders. The auditors generally use the following process to review enterprise cybersecurity risk management programs and create the attestation report.

Identify the Organization’s Goals

The auditor providing the attestation will first identify the organization’s attestation goals. Before testing starts, the auditor will create a testing plan to clarify the goals and methodologies. The auditor may have a kickoff call with the organization to finalize outstanding items and get a sign-off on the testing plan.

Testing and Evidence Gathering

The auditors will start testing and perform validation of the company’s cybersecurity program and security controls. They will gather evidence and keep the organization updated on progress.

Finalize the Attestation Report

After the testing, the reviewer will prepare the attestation report, which may include all the elements discussed earlier. The reviewer may provide a draft report and a final report which the organization can share with stakeholders to demonstrate the completion of the attestation process.

ROAR Can Help Improve Your Security Defenses

Security risks and threats are not going anywhere. You can, however, protect your operating system and enterprise assets by improving information security if you have visibility into the cyber threat landscape.

Reciprocity ROAR is an integrated cybersecurity risk management platform for Risk Observation, Assessment, and Remediation. Modern, cyber-aware organizations use ROAR to see risk across the business and build a unified foundation for a comprehensive cybersecurity program.

Reciprocity ROAR offers advanced automation and a pre-loaded content library for more than 20 frameworks. Workflows and templates streamline tedious activities throughout the lifecycle of the risk management process. The document repository and audit trails ensure you are always audit-ready.

Schedule a demo to see how ROAR can help you strengthen your security controls and prepare cybersecurity attestation.