COI Report – Part VII
Page 289 of 425

application in July 2018. The H-Cloud network penetration tests conducted by the GIA in FY revealed vulnerabilities and misconfigurations, several of which were present during the Cyber Attack, and which overlapped with CSA’s investigation findings as to the vulnerabilities and contributing factors exploited by the attacker in the Cyber Attack. These are just two tangible demonstrations of the value in conducting penetration tests on critical applications, systems and networks.
838. Indeed, the CIS recommends that “[i]n a complex environment where technology is constantly evolving, and new attacker tradecraft appears regularly, organizations should periodically test their defenses to identify gaps and to assess their readiness by conducting penetration testing”.⁷¹

839. We will elaborate on the following recommendations for the conduct of penetration tests.
39.3.1 Penetration tests must be conducted regularly and following specified events on all CII, mission-critical and/or internet-facing systems

840. We recommend that penetration tests must be conducted on all CII, mission-critical and/or internet-facing systems:

a) prior to the commissioning of the system, or of any new systems connected to the system;

b) after any major changes have been implemented to the system, such as adding on application modules, system upgrades and technology refresh, as well as after any system migration; and

c) in any event, at least annually.

⁷¹ CIS Controls Version 7 at control 20: Penetration Tests and Red Team Exercises.