
Book Description

Penetration testing is the attempt to professionally break into an organisation's systems by exploiting any vulnerabilities, with the goal of determining whether an organisation's IT systems and resources are secure. As hackers and would-be cyber attackers become increasingly brazen, penetration testing has become an essential practice. This BCS guide for business and IT managers, developed in collaboration with CREST, explains the process of penetration testing and the benefits it brings. With contributions from practising penetration testers and information security experts, the book brings together a wide range of expertise, insight and tips for setting up a penetration testing programme, maintaining it, and responding to the results of penetration tests.

- Introduces penetration testing as an exploitative test technique to check whether a target system's security controls can be defeated;
- Written by a wide range of industry experts, from academics to practising penetration testers to information security managers, with support from CREST (accreditation and certification body for the information security industry);
- Covers insights from across the penetration testing process, from initial set-up to reporting results and acting on them.

"This is the first time I’ve encountered a book which manages to combine properly researched good practice for penetration testing with the real requirements of the business community... The authors really know their stuff and I found myself nodding and smiling many times in every chapter. The case studies and examples are pithy and highly relevant. Concepts such as red teaming and intelligence-led penetration testing are clearly explained and contrasted with other forms of testing, helping demystify this complex topic. Each chapter is well laid out and the guidance provided is exactly what managers need to know to get great value from security testing exercises of all types. Over a dozen expert authors have contributed to this book and the results speak for themselves – this is a must-read for those responsible for information security in organisations of all sizes."

- Peter Wood FBCS CITP CISSP M.Inst.ISP, Partner, Naturally Cyber LLP and Founder, First Base Technologies LLP

Table of Contents

  1. Front Cover
  2. Half-Title Page
  3. BCS, THE CHARTERED INSTITUTE FOR IT
  4. Title Page
  5. Copyright Page
  6. Contents
  7. List of figures and tables
  8. About the authors
  9. Foreword
  10. Abbreviations
  11. Glossary
  12. Preface
  13. 1. WHAT IS PENETRATION TESTING?
    1. How does this affect my organisation?
    2. Why carry out a penetration test?
    3. Penetration tests won’t always stop you being hacked
    4. Staying current with emerging risks
    5. Why all managers should be interested in security…
    6. Impact on the organisation of not penetration testing
    7. Summary
    8. References
  14. 2. SUCCESSFUL PENETRATION TESTING: AN OVERVIEW
    1. Understanding what penetration testing will achieve
    2. Delivering maximum value from penetration testing
    3. Penetration testing as part of a holistic information security programme
    4. Risk assessments and relevance to live-system lifecycles
    5. Summary
    6. References
  15. 3. REGULATORY MANAGEMENT FOR PENETRATION TESTING
    1. Governance and regulatory compliance overview
    2. Regulatory and legal preparatory considerations
    3. Sectors and compliance standards
    4. Summary
    5. References
  16. 4. EMBEDDING PENETRATION TESTING WITHIN ORGANISATIONAL SECURITY POLICIES AND PROCEDURES
    1. Adding penetration testing to an existing enterprise information security strategy
    2. Preparation and planning
    3. Alignment of policies and procedures with the changing nature of threats
    4. Awareness raising and notification
    5. Other factors for consideration
    6. Summary
  17. 5. OUTCOME- AND INTELLIGENCE-LED PENETRATION TESTING
    1. How penetration test programmes should be informed by defined outcomes
    2. Threat intelligence-led penetration testing
    3. Next steps?
    4. Summary
    5. Reference
  18. 6. SCOPING A PENETRATION TEST
    1. Defining the scope of penetration tests
    2. Mapping of assets
    3. Summary
    4. References
  19. 7. PENETRATION TEST COVERAGE AND SIMULATING THE THREAT
    1. Penetration test coverage and structure
    2. Simulating the threat
    3. Summary
    4. References
  20. 8. BUILDING ORGANISATIONAL CAPABILITY FOR PENETRATION TESTING
    1. In-house penetration testing compared with third-party penetration testing
    2. Hybrid approaches
    3. Summary
    4. References
  21. 9. COMMISSIONING PENETRATION TESTS
    1. An overview of the penetration testing service provider market
    2. Test provider capabilities
    3. Working relationships with testers
    4. Review and ‘rotation’ of test providers
    5. Test consents
    6. Commercial and technical relationships
    7. Understanding and using test results
    8. Summary
    9. References
  22. 10. SELECTING TOOLS FOR PENETRATION TESTING
    1. Context
    2. Assessing the most appropriate penetration testing tools and techniques for the programme
    3. Summary
    4. References
  23. 11. GOOD PRACTICE FOR PENETRATION TESTING
    1. What is meant by ‘best practice’ and ‘good practice’?
    2. Building on the tester’s experience
    3. Penetration testing methodologies
    4. Documentation before, during and after a penetration test
    5. Penetration tester travel and being away from home
    6. Test teams versus individual testers
    7. The client being involved in the test
    8. Health and safety
    9. Summary
    10. Reference
  24. 12. ROLE AND COVERAGE OF REPORTING
    1. Purpose of reporting
    2. Distributing report content to the relevant audience
    3. Coverage of reporting
    4. Summary
  25. 13. INTERPRETATION AND APPLICATION OF REPORT OUTCOMES
    1. On debriefs
    2. Interpreting reports and circulating key findings
    3. Integrating reporting into bug trackers, ticket managers and management tools
    4. Understanding the full implications of vulnerabilities
    5. Summary
  26. 14. ACTING ON PENETRATION TESTING RESULTS
    1. Interpreting results
    2. Establishing a structured remediation plan
    3. Penetration test timings
    4. Summary
  27. Notes
  28. Index
  29. Back Cover