Between 2021 and 2022, nearly 39% of UK businesses identified a cyberattack, the most common threats being phishing, denial of service, malware, and ransomware.
If your organization belongs to the public or government sector, then one necessary way of keeping it safe from such attacks is by carrying out CHECK penetration testing.
What Is CHECK?
CHECK (IT Health Check Service) is the umbrella term for penetration testing companies that have been approved by the United Kingdom’s National Cyber Security Centre (NCSC) to conduct authorized pentests for the public and government sector organizations that form the UK’s critical national infrastructure (CNI).
CHECK also helps in the identification of pentest companies that follow NCSC-approved methodologies for testing.
Introduction
NCSC defines CHECK penetration testing as the process of conducting authorized exploitation of computer and network systems to identify publicly known vulnerabilities using the same techniques and tools as an attacker would.
CHECK certified penetration testing with authorization from NCSC can help organizations in the public and government domains assess their Critical National Infrastructure (CNI) systems for security weaknesses.
CHECK penetration testing is needed for multiple reasons, including:
- Maintaining data security
- Deploying NCSC-recommended methodologies for a standardized testing experience
- Making use of a CHECK certified penetration testing provider that is approved by the NCSC.
Who Needs CHECK Accreditation?
CHECK is an accreditation provided to pentesting companies by the National Cyber Security Centre of the UK. This accreditation enables CHECK-approved penetration testing providers to carry out authorized exploitation of public and government organization assets to find flaws and to provide extensive reports and remediation assistance.
The staff of such companies hold NCSC-approved qualifications and experience, and conduct the pentests using NCSC-approved methodologies.
Who Needs CHECK Penetration Testing?
CHECK penetration testing is required to be conducted without fail by the following sectors:
- Government departments, public sectors, and bodies – It is recommended by the NCSC that all systems be analyzed thoroughly by a CHECK vendor unless explicitly mentioned not to by the system’s risk owner.
- Central departments and their associated agencies – All systems that process data marked OFFICIAL have to be assessed through CHECK-approved penetration testing providers.
If networks or computer systems process data that is marked SECRET or TOP SECRET, they have to be tested with the aid of two CHECK team leaders who hold the appropriate clearances and access.
- If your organization doesn’t belong to either sector and is privately owned, then penetration testing can also be conducted by companies that are not under CHECK.
4 Reasons Why CHECK Penetration Testing Is Needed
- NCSC Recommended
CHECK penetration testing is recommended by the National Cyber Security Centre for non-private sector organizations in order to run standardized penetration tests with the aid of verified, trustworthy CHECK pentest providers.
- Sensitive Data Security
CHECK penetration tests ensure that sensitive data stored and transmitted within the public and governmental sectors are secured with the highest possible security devoid of any vulnerabilities.
- Verified Service Provider
Organizations in the public sector can choose among the verified CHECK service providers available to conduct CHECK penetration tests. Verified CHECK providers are accredited by the NCSC to provide services that secure the system by identifying its vulnerabilities before they can be exploited.
- NCSC Approved Pentest Methodology
NCSC-verified CHECK penetration testing services make use of the CHECK penetration testing methodology that is standardized and approved by the NCSC. This ensures that the test finds all vulnerabilities and that each finding comes with ample remediation measures.
Differences Between CHECK and CREST Penetration Testing
Given below are the differences between CHECK and CREST penetration testing.
| CHECK Penetration Testing | CREST Penetration Testing |
| --- | --- |
| Accreditation by the National Cyber Security Centre | Accreditation by the Council of Registered Ethical Security Testers (CREST) |
| For public and government organizations | For private organizations, but also collaborates with NCSC |
| Endorsed by the UK | Internationally recognized |
| Uses NCSC-recognized pentesting methodologies | Uses CREST pentesting methodologies |
| Mainly aimed at cybersecurity experts | Mainly aimed at cybersecurity companies |
Steps in CHECK Penetration Testing
1. Scoping
This is the initial phase, where the pentesters and the customer agree on a scope that details the assets to be audited, the rules of engagement, and the needs of the client.
Proper scoping is required for a thorough CHECK penetration test, and to avoid scope creep and legal trouble later on.
2. Scanning
This is the second phase of CHECK penetration testing, where the CHECK pentest provider scans and audits the assets for any vulnerabilities or areas of non-compliance that endanger data safety.
3. Exploitation
The vulnerabilities discovered during the pentest are exploited, evaluated, and categorized by severity. This is done according to CVSS (Common Vulnerability Scoring System) scores, in which 8-10 represents critical vulnerabilities, 5-7 medium-level vulnerabilities, and 1-4 low-level vulnerabilities.
4. Reporting
Once the CHECK penetration testing is complete, a detailed report is generated for the customer to help them understand the measures taken, the vulnerabilities found, and the remediation measures that can be adopted, and to provide good documentation of the security posture.
5. Remediation
The report contains remediation measures for the vulnerabilities found on the assets. These vulnerabilities are to be remediated and patched based on criticality; the ones with high criticality should be patched immediately.
6. Rescanning
Once the patches are applied, the assets are scanned again to verify that the fixes hold and to make sure no further vulnerabilities remain.
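Steps 3 to 6 above amount to a small triage loop: rate each finding by its CVSS score, order remediation by severity, then diff the rescan against the original results to confirm fixes and catch anything new. The script below is an added illustration, not code from the page, from Astra, or from NCSC. It assumes findings are plain dictionaries with an asset, an id and a CVSS v3.1 base score, and the sample scan results are constructed. For the severity bands it uses the FIRST CVSS v3.1 qualitative rating scale (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0), which is slightly finer than the rounded bands quoted in the text.

```python
"""Triage and rescan verification for pentest findings (added example).

Assumptions (not from the page): a finding is a dict with "asset", "id"
and a CVSS v3.1 base "score"; two lists of findings represent the initial
test and the rescan after remediation. Severity bands follow the FIRST
CVSS v3.1 qualitative severity rating scale.
"""

# CVSS v3.1 qualitative severity scale (FIRST specification), highest first:
# Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, None 0.0.
SEVERITY_BANDS = (
    ("Critical", 9.0),
    ("High", 7.0),
    ("Medium", 4.0),
    ("Low", 0.1),
)

# Remediation priority: higher rank is patched first.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "None"


def prioritize(findings: list[dict]) -> list[dict]:
    """Order findings for remediation: highest severity first, ties broken
    by raw score and then by id so the report order is stable."""
    def key(f):
        return (-SEVERITY_RANK[severity(f["score"])], -f["score"], f["id"])
    return sorted(findings, key=key)


def verify_rescan(initial: list[dict], rescan: list[dict]) -> dict:
    """Compare the initial test with the rescan after patching.

    A finding is identified by (asset, id). Returns the findings that were
    fixed (absent from the rescan), those still open, and those that are
    new (first seen after remediation and therefore need their own triage).
    """
    before = {(f["asset"], f["id"]) for f in initial}
    after = {(f["asset"], f["id"]) for f in rescan}
    return {
        "fixed": sorted(before - after),
        "still_open": sorted(before & after),
        "new": sorted(after - before),
    }


# Constructed sample data for demonstration; not real scan output.
INITIAL_SCAN = [
    {"asset": "web-01", "id": "outdated-tls-config", "score": 5.3},
    {"asset": "web-01", "id": "sqli-login-form", "score": 9.8},
    {"asset": "vpn-gw", "id": "weak-admin-password", "score": 8.1},
    {"asset": "mail-01", "id": "banner-disclosure", "score": 2.0},
]

RESCAN = [
    {"asset": "web-01", "id": "outdated-tls-config", "score": 5.3},  # not yet fixed
    {"asset": "mail-01", "id": "missing-spf-record", "score": 3.7},  # new finding
]


if __name__ == "__main__":
    for f in prioritize(INITIAL_SCAN):
        print(f"{severity(f['score']):8} {f['score']:4} {f['asset']}/{f['id']}")
    print(verify_rescan(INITIAL_SCAN, RESCAN))
```

The rescan comparison deliberately reports new findings separately from open ones: a fix that introduces a fresh issue should not be counted as closed, and anything first seen after remediation goes back through the same severity triage.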
Conclusion
Confidential, sensitive data is constantly in transit or stored digitally by most public and government agencies. This makes CHECK penetration testing a much-needed safety measure to ensure their systems are free of vulnerabilities that could threaten data safety.
It is prudent to regularly conduct CHECK penetration tests with the aid of NCSC-approved tools that make the job of security easier for you.
What are the three types of penetration testing?
The three most common types of penetration testing are white-box, black-box, and grey-box penetration testing.
1. White box: Testers are given full details of the system they are going to test.
2. Black box: The pentester knows nothing about the target in advance.
3. Grey box: Pentesters have partial, relevant information about the targets.
What are the steps in a penetration test?
A penetration test usually starts off by defining the scope, which is followed by scanning the determined assets for vulnerabilities, exploiting them, and reporting the learnings found.
What is CHECK?
CHECK or IT Health Check Service is an accreditation provided by NCSC to pentesting companies. Accredited pentesting companies can provide pentesting services to government and public sector organizations.