Page 37 - CYBERSECURITY ESSENTIALS FOR BUSINESS OWNERS
18 - PENETRATION TESTING

Test the effectiveness and resiliency of enterprise assets by identifying and exploiting weaknesses in controls (people, processes, and technology) and by simulating the objectives and actions of an attacker.

Safeguards: 5 in total. Applicable per Implementation Group: IG1 0/5, IG2 3/5, IG3 5/5.

THE SAFEGUARDS

Safeguard                                                   Asset Type   Security Function   IG1   IG2   IG3
18.1 Establish and Maintain a Penetration Testing Program   N/A          Identify            -     x     x
18.2 Perform Periodic External Penetration Tests            Network      Identify            -     x     x
18.3 Remediate Penetration Test Findings                    Network      Protect             -     x     x
18.4 Validate Security Measures                             Network      Protect             -     -     x
18.5 Perform Periodic Internal Penetration Tests            N/A          Identify            -     -     x

Column legend: Asset Type is the class of asset the safeguard applies to (N/A where it applies to the programme as a whole rather than to a specific asset class); Security Function is the NIST Cybersecurity Framework function the safeguard serves; IG1, IG2 and IG3 mark the Implementation Groups for which the safeguard is required (a safeguard required at a lower group is also required at every higher one). The per-safeguard IG marks follow the published CIS Controls v8 assignments and add up to the totals shown above.
Why Is This CIS Control Critical?
A successful defensive posture requires a comprehensive programme of effective policies and governance and strong technical defences, combined with appropriate action from people. It is rarely perfect, however. In a complex environment where technology is constantly evolving and new attacker tradecraft appears regularly, enterprises should periodically test their controls to identify gaps and to assess their resiliency. A test may be run from an external network, internal network, application, system, or device perspective, and may include social engineering of users or bypasses of physical access controls. Because a penetration test is a point-in-time snapshot, the findings have to be remediated (Safeguard 18.3) and the fixes re-tested (Safeguard 18.4) for the exercise to improve the posture rather than merely document it.
Penetration tests are often performed for one of a few specific purposes:
- As a "dramatic" demonstration of an attack, usually to convince decision-makers of their enterprise's weaknesses
- As a means to test the correct operation of the enterprise's defences ("verification")
- To test that the enterprise has built the right defences in the first place ("validation")
Did You Know?
However sophisticated today's security devices are, industry studies commonly attribute close to 90% of successful cyber attacks to human error or behaviour, which is why a test limited to technology alone leaves the largest exposure unmeasured. Penetration testing that covers people and processes as well as systems can help improve an organisation's overall security posture. We can simulate common attacks to help you find potential weak points before an attacker does.