CONTENTS

List of figures and tables

About the authors

Foreword

Abbreviations

Glossary

Preface

1. WHAT IS PENETRATION TESTING?

Nick Furneaux

How does this affect my organisation?

Why carry out a penetration test?

Penetration tests won’t always stop you being hacked

Staying current with emerging risks

Why all managers should be interested in security…

Impact on the organisation of not penetration testing

Summary

References

2. SUCCESSFUL PENETRATION TESTING: AN OVERVIEW

Sharif Gardner

Understanding what penetration testing will achieve

Delivering maximum value from penetration testing

Penetration testing as part of a holistic information security programme

Risk assessments and relevance to live-system lifecycles

Summary

References

3. REGULATORY MANAGEMENT FOR PENETRATION TESTING

Rob Ellis

Governance and regulatory compliance overview

Regulatory and legal preparatory considerations

Sectors and compliance standards

Summary

References

4. EMBEDDING PENETRATION TESTING WITHIN ORGANISATIONAL SECURITY POLICIES AND PROCEDURES

Ceri Charlton

Adding penetration testing to an existing enterprise information security strategy

Preparation and planning

Alignment of policies and procedures with the changing nature of threats

Awareness raising and notification

Other factors for consideration

Summary

5. OUTCOME- AND INTELLIGENCE-LED PENETRATION TESTING

Jason Charalambous and Moinuddin Zaki

How penetration test programmes should be informed by defined outcomes

Threat intelligence-led penetration testing

Next steps?

Summary

Reference

6. SCOPING A PENETRATION TEST

Jims Marchang and Roderick Douglas

Defining the scope of penetration tests

Mapping of assets

Summary

References

7. PENETRATION TEST COVERAGE AND SIMULATING THE THREAT

Felix Ryan

Penetration test coverage and structure

Simulating the threat

Summary

References

8. BUILDING ORGANISATIONAL CAPABILITY FOR PENETRATION TESTING

Ceri Charlton

In-house penetration testing compared with third-party penetration testing

Hybrid approaches

Summary

References

9. COMMISSIONING PENETRATION TESTS

Peter Taylor

An overview of the penetration testing service provider market

Test provider capabilities

Working relationships with testers

Review and ‘rotation’ of test providers

Test consents

Commercial and technical relationships

Understanding and using test results

Summary

References

10. SELECTING TOOLS FOR PENETRATION TESTING

Jims Marchang and Roderick Douglas

Context

Assessing the most appropriate penetration testing tools and techniques for the programme

Summary

References

11. GOOD PRACTICE FOR PENETRATION TESTING

Felix Ryan

What is meant by ‘best practice’ and ‘good practice’?

Building on the tester’s experience

Penetration testing methodologies

Documentation before, during and after a penetration test

Penetration tester travel and being away from home

Test teams versus individual testers

The client being involved in the test

Health and safety

Summary

Reference

12. ROLE AND COVERAGE OF REPORTING

Gemma Moore

Purpose of reporting

Distributing report content to the relevant audience

Coverage of reporting

Summary

13. INTERPRETATION AND APPLICATION OF REPORT OUTCOMES

Gemma Moore

On debriefs

Interpreting reports and circulating key findings

Integrating reporting into bug trackers, ticket managers and management tools

Understanding the full implications of vulnerabilities

Summary

14. ACTING ON PENETRATION TESTING RESULTS

Jason Charalambous, Moinuddin Zaki and Tylor Robinson

Interpreting results

Establishing a structured remediation plan

Penetration test timings

Summary

Notes

Index
