Penetration testing helps you evaluate the effectiveness of the preventative technologies and controls you have put into place to defend against a cyberattack. It’s a critical component of an adaptive security control framework. (Gartner)

Globally, hackers have automated and weaponized various scripts and reconnaissance tools, while looking for vulnerabilities both inside and outside of clients’ networks and cloud deployments. These automated attack tools run 24 hours a day across the world, and look for any day zero exploits and new websites launched without security controls. They also look for new container-based applications deployed with Kubernetes without the necessary security controls.

Penetration testing becomes a much-required process before, during, and after a new systems container or application is deployed. The “air gap” (the small window of opportunity through which a hacker seeks to exploit the system) between the known patch applied from various vendors and the current state of the platform becomes the ideal attack vector.

Penetration beyond the “one-off”

PCI, along with other compliance frameworks, requires penetration testing on a scheduled and repeated basis. Depending on the level of a PCI transaction, the client may need to perform monthly testing against all related PCI hosts.

That “one-off” mindset plays extremely well in the hacker’s playbook. Many vendors release several patches throughout the month. In some cases, even with automatic updating or “over the wire” firmware updates, corporate systems, mobile phones, and containers will fall behind the recommended security patch levels and create several air gap opportunities for attack vectors to exploit.

Penetration processing needs to become a 24-hour-a-day workstream, not a simple “check-the-box-one-off” routine task.

Do you need help assessing your defenses?

Engaging with EVEE Consulting will not only ensure the completion of your penetration-testing requirements, but we also will develop a proven strategy for ongoing testing.