NIS2 focuses on processes that do not work without technology
From a formal point of view, the NIS2 Directive primarily addresses processes that are closely linked to the network and information systems used (referred to as ‘cybersecurity practice’). These systems, their users and other persons affected by cyber threats must be protected by adequate measures (referred to as ‘cybersecurity hygiene’). In turn, such protection must be based on the current state of the art and, in particular, on relevant standards (such as ISO/IEC 27001) and on an all-hazards approach that covers every relevant risk.
NIS2 aims to fulfil four security objectives:
Availability, authenticity, integrity and confidentiality of data or services of the network and information systems used. Therefore, measures are required that are capable of identifying relevant attack vectors, preventing data leakage as far as possible and reliably detecting security gaps in established procedures. Penetration tests are the appropriate instrument for this.
Vulnerability management based on penetration tests
ISO/IEC 27001:2022 now requires that the information security objectives to be met are monitored (clause 6.2 (d) in conjunction with clause 9.1) and that ISMS-relevant processes are carried out in accordance with defined criteria (clause 8.1).
This includes
– to survey and analyze the existing threat situation (A.5.7),
– to carry out regular independent audits (A.5.35),
– to operate procedures for technical vulnerability management (A.8.8),
– to prevent data leaks on systems, networks and other relevant devices (A.8.12),
– to detect unusual behavior in networks, systems and applications and respond appropriately (A.8.16).
The majority of the controls listed here are new or have been included in the new version of the international standard in a significantly modified form and are essentially aimed at carrying out penetration tests.
In line with NIS2 Directive recital 49, penetration tests are used to identify missing updates and inadequately assigned passwords. According to recital 58 of the NIS2 Directive, the quick detection and elimination of exploitable vulnerabilities in network and information systems is a key factor in risk management.
The periodic execution of penetration tests is therefore of key importance for NIS2-compliant and effective risk management.
In this context, penetration tests are only classified as regular if a penetration test is carried out by an independent organization at least once a year for systems that are in particular need of protection. Independent means that it is not carried out by the organization that manages and administers the system, but by another competent and experienced testing organization, often an external service provider.
According to the NIS2 Directive, this is a provider of managed security services, which in turn is itself obliged to comply with NIS2 and has appropriate cybersecurity expertise.
What exactly are penetration tests?
In a penetration test, commissioned testers take on the role of attackers in order to show the client existing vulnerabilities that could be exploited by third parties. The testers proceed in the same way as real attackers would, but without actually exploiting an identified vulnerability in an uncoordinated manner.
This requires a step-by-step approach: after gathering the information needed to refine the planned attack, the testers work methodically towards a worthwhile goal and the desired effects, e.g. by accessing inadequately protected data, bypassing authentication mechanisms, changing relevant data records or disrupting IT services.
This directly touches on the four security objectives of the NIS2 Directive. The testers, however, rate the identified vulnerabilities according to a globally standardized scheme and provide specific recommendations on how each can be closed effectively, so that it is no longer available to real attackers.
When commissioning a penetration test, the client can choose how much the simulated attacker may know in advance about the target (e.g. in order to model insiders), how ‘aggressive’ and goal-oriented the tester should be (e.g. in order to simulate attackers who operate stealthily or who aim to carry out sabotage quickly) and which techniques or technical methods should be available to the simulated attacker.
A distinction is also made as to whether infrastructure components or specific programs (applications, web services, mobile apps, etc.) are to be analyzed and whether specific attack techniques are to be simulated (e.g. threat-led penetration tests as required under DORA, so-called red teaming).
Further information on pen testing can be found on our website.