Credit unions in Ireland are required to conduct a penetration test once a year, and send the results to the Central Bank of Ireland for review.
According to a report published by the Bank last year, credit unions are getting better at meeting this requirement. But for those that are still unsure how to complete the process, or that simply want to get more value from it, this post explains what the requirement involves and what a useful test looks like.
How does penetration testing work?
Penetration testing is essentially a controlled, authorised form of hacking in which a professional tester, working on behalf of an organisation and within an agreed scope, looks for application and network vulnerabilities in the same way a criminal would, and attempts to exploit them to show what an attacker could actually reach.
The process gives organisations a different perspective on their approach to information security. The results of the test show them whether their information security controls work as intended, and give them the opportunity to identify and address weaknesses before cyber criminals discover them.
Penetration testing often goes hand-in-hand with vulnerability scans. These are automated tests conducted using off-the-shelf tools that compare the software versions, open services and configuration settings they find against a database of known weaknesses, and report a list of potential issues without attempting to exploit any of them.
Although vulnerability scans are an essential part of information security, they don't provide the same level of insight as penetration tests: a scan cannot tell you whether a reported issue is actually exploitable in your environment, whether it is a false positive, or what an attacker could do after exploiting it. Scans therefore complement the testing process but can't replace it.
Idrees Rafiq Jr, Vice President of IT Consulting at Credit Union Resources, explains the difference between the two processes in a credit union environment:
I like to use the analogy of testing the security of a physical branch. A [vulnerability scan] would be similar to me walking around the branch, pulling on doors, windows, and roof hatches, making sure they are locked and secured.
Should the employee entrance/exit door be unlocked, I would report that back to you and let you know that I would be able to break into your credit union via that door.
A penetration test would be similar to me doing the same walk-around; however, I would actually go into the unlocked door and try to steal confidential information and other assets before setting off any alarms.
In other words, a vulnerability scan lists weaknesses that could give cyber criminals a potential point of access to sensitive information, whereas a penetration test is a simulated walkthrough of exactly how an attack would take place, including what the attacker could reach once inside.
Meeting your penetration testing requirements
The skills needed to conduct a penetration test, and the need for an independent view, mean that your organisation should hire an external expert.
Even if you have a qualified tester in-house, that person brings knowledge of the organisation's internal practices, so the result won't be a true reflection of how an outside cyber criminal would target you. Organisations often give testers certain details in advance (scope, credentials, network diagrams), and with an insider you lose the ability to tell which of those details were actually needed to exploit a given vulnerability and which an attacker could have discovered on their own.
Likewise, an in-house tester might be subject to bias. If they know the person responsible for certain processes and systems, they might be reluctant to expose weaknesses.
You must follow up on your penetration tests
As important as penetration tests are, it's important to remember that they are informative as opposed to preventive. That is to say, conducting a penetration test won't by itself make you any less susceptible to cyber attacks; its value is that you will understand which information security risks you must address, and in what order.
This is a problem that many of Ireland’s credit unions have. Although they are getting better at meeting their penetration testing requirements, they haven’t done enough to address the vulnerabilities identified in those tests.
And what good is it to know where your vulnerabilities are if you don’t do anything to secure them?
To ensure that you get the most out of penetration testing, you must embed it in a wider cyber security programme.
Credit unions that are subject to the PCI DSS (Payment Card Industry Data Security Standard) should already be doing this, as penetration testing is a core requirement of the Standard (Requirement 11 calls for internal and external penetration tests at least annually and after any significant change), alongside measures that are designed to secure organisations' systems and networks.
Further reading: The PCI DSS: Challenge or opportunity?
The PCI DSS contains 12 requirements, grouped under six goals that are designed to help organisations:
- Build and maintain a secure network;
- Protect cardholder data;
- Maintain a vulnerability management programme;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Maintain an information security policy.
When these requirements are met, organisations have a repeatable cycle of scanning, testing and remediation, which lets them continually review and improve their information security controls, mitigate existing threats and anticipate future issues.
Penetration testing with IT Governance
If you’re considering penetration testing, IT Governance offers a number of services in fixed-price packages.
Our team of CREST-accredited consultants will conduct a test tailored to your needs and provide you with an easy-to-understand report that breaks down their findings.
Those who want to learn more about how the process works might be interested in reading Assured Security: Getting cyber secure with penetration testing.
This free green paper explains in more detail how penetration testing works, the types of vulnerabilities it can help mitigate and why it’s an essential part of information security.