Businesses need to scan their externally reachable infrastructure and applications to protect against external threats. They also need to scan internally to protect against insider threats and compromised individuals.
Pen testing should be conducted regularly, from monthly to, at most, quarterly.
Because the threat landscape is constantly evolving, once a month is recommended, especially for high value businesses where there may be many ways for a malicious actor to reach sensitive data, e.g. web sites, web applications, mobile applications, SQL injection, etc.
Only about 13 percent of security breaches are discovered internally (Source: Verizon).
The minimum frequency depends on the type of testing being conducted and the target of the test. In very low value businesses, testing should be done at least annually. Standards such as the PCI DSS also recommend intervals for various scan types.
Pen testing should also be undertaken after deployment of new infrastructure and applications, as well as after major changes to applications, devices (e.g. introducing IoT), firewall rules, firmware updates, patches and software upgrades.