Penetration testing
Before we start our conversation around penetration testing, let's briefly outline some related cybersecurity assessment types to illustrate their differences, similarities, and overlaps. Most of these assessment types have been discussed before but are reiterated here to put things into perspective.
The four main cybersecurity assessment types are as follows:
- A gap analysis compares the current set of mitigation controls to a list of recommended security controls provided by a standards body such as NIST. The method looks for deviations or gaps between the existing prevention mechanisms for a system and the recommended mechanisms. Activities such as a network architecture drawing review and a system configuration review are used to identify the gaps.
- A vulnerability assessment will unearth vulnerabilities or flaws in an ICS asset or in the system as a whole by comparing the current patch level of devices or application revisions against...