NEWORDER and ACFE SA SETTING THE AFRICA STANDARD FOR PEN-TESTING


"PEN-TESTING: CAN YOU AFFORD TO IGNORE IT?"

Why you need Penetration Testing in your armoury to combat 2022 global cyberthreats, and how to identify a skilled pen-tester

We recently wrote about the cyberthreats you need to look out for in 2022. Most key risks can be mitigated by including regular penetration testing (Pen-testing) in your InfoSec strategy. What is Pen-testing? A penetration test is an ethical cybersecurity evaluation that identifies vulnerabilities across your external and internal IT environment. The tester looks for vulnerabilities, misconfigurations and development flaws by attempting to penetrate the system the same way a malicious attacker would. There are multiple types of Pen-testing: network, wireless, web application, mobile application, API, and build and configuration review.

Pen-testing standards: how do you recognise a skilled pen-tester?

With the exponential growth in cybercrime, there is inevitably high demand for Pen-testing and no shortage of self-professed “ethical hackers” ready to meet that demand. The market has been flooded by individuals claiming to be ethical hacking experts, but in many cases, these “self-proclaimed professionals” are really just amateurs performing IT administration tasks. There is a vast difference in quality and effectiveness between a Pen-test performed by an automated tool and one carried out by an experienced, skilled human. Automated tools may protect you (if you’re lucky) from mass attackers, but it takes skill, expertise, and a methodology backed by years of research and hands-on knowledge to properly probe your networks and business systems to identify the vulnerabilities that a sophisticated hacker will exploit.

However, how do you know if the expert you trust with your Pen-testing has the requisite skills and experience? Unfortunately, there is no recognised accreditation authority in South Africa or indeed in the whole of Africa that governs the ethics and professionalism of Pen-testing. This allows anyone to set out their stall as an ethical hacker, and the market welcomes them with open arms due to the critical skills shortage in this area. However, that’s about to change!

NEWORDER, as an affiliate member of the Association of Certified Fraud Examiners South African Chapter (ACFE SA), has drafted a Pen-testing standard that is endorsed by ACFE SA. It is an industry standard governing the services rendered by companies and individuals within the Pen-testing realm, and it provides any organisation seeking Pen-testing services with guidelines that potential providers must comply with.

Who is ACFE SA?

The Association of Certified Fraud Examiners South African Chapter (ACFE SA) is an official national chapter of the ACFE International. It is a recognised professional body for fraud examination practitioners in South Africa. The South African Chapter represents the Association of Certified Fraud Examiners, which is the world’s largest anti-fraud and white-collar crime organisation and premier provider of training and education in these industries. Its members are committed to reducing white-collar crime worldwide and inspiring public confidence and objectivity within the profession.

ACFE SA's objectives are to actively promote and develop the profession, its credibility, and the standards and quality of its members in South Africa. ACFE SA upholds and supports the fundamental tenets of the profession, the Code of Ethics and the International Standards for the Professional Practice of the anti-fraud professional. The ACFE provides bona fide qualifications through the administration of the CFE International Examination, which is recognised as an NQF Level 7 qualification with SAQA. The CFE® mark asserts that the anti-fraud professional has met stringent qualification and competency requirements and adheres to an uncompromising code of ethics and professional standards.

The ACFE SA Forensic Standard Forum

The Pen-testing standard developed by NEWORDER is governed by the ACFE SA Forensic Standard Forum, which aims to standardise the scientific methodologies used in forensic investigations. The Forum was created for the following reasons, amongst others:

  • Create public confidence
  • Create public awareness
  • Provide member guidance
  • Better regulate the specialised profession
  • Create awareness of specialisation fields
  • Provide practice notes once the standards have been finalised

The Forensic Standard Forum develops Standard Practices to improve the consistency and comparability of practice amongst Certified Fraud Examiners performing investigative and other engagements in their area of expertise. The Standards set the minimum requirements, aim to be inclusive and serve the public’s best interests.

NEWORDER worked closely with the ACFE SA Forensic Standard Forum over the past years to establish a Pen-testing standard that is relevant, rigorous, highly professional, and scientifically robust. According to ACFE SA, the purpose of the Pen-testing discipline is to set out the minimum education, technical training in Pen-testing, experience and knowledge required, and to provide companies and individuals offering Pen-testing services with an additional industry endorsement of ethics and professionalism.

What you can expect from a Pen-tester who adheres to the ACFE SA code

Any member of the Association of Certified Fraud Examiners South African Chapter (ACFE SA) offering Pen-testing must comply with the Pen-testing Code of Conduct and undertake to:

  • Behave honestly and with integrity
  • Diligently execute the job description
  • Execute any function or instruction only by way of lawful interactions and/or conduct
  • Promote and uphold the good corporate reputation of all stakeholders
  • Treat both internal and external clients with professionalism and respect
  • Never take improper advantage of inexperience, lack of education, youth, lack of sophistication, language barrier or ill health of any client
  • Disclose and take reasonable steps to avoid any conflict of interest
  • Not provide false or misleading information in response to a request for information from any of the key stakeholders
  • Promote public confidence in the organisation and all its stakeholders through fair and conscientious dealings, refraining from any deceit, misrepresentation, wilful nondisclosure, undue influence or other harmful practice
  • Never seek personal gain or make any secret profit, or acquire any financial interest or benefit in any matter entrusted to them
  • Submit a detailed report after service delivery
  • Professionally discuss findings with clients
  • Comply with the existing prescribed national and international ethics standards for the discipline
  • Liaise with role players in law enforcement and intelligence agencies, where necessary
  • Assist with preparing cases for clients, where necessary
  • Provide evidence at disciplinary hearings and in criminal/civil courts, where necessary

They must also comply with all relevant legislation, including the Cybercrimes Act 2020, signed into (partial) effect in December 2021 by President Cyril Ramaphosa.

John Doe

Trust NEWORDER for your Pen-testing

When we carry out a penetration test, we probe your systems for common, exploitable vulnerabilities in the same way an actual malicious attacker would, and we test your IT team's response. We do so to the highest standards of ethics and professionalism, as enforced by ACFE SA.

Secure your network now. For information on Pen-testing and the NEWORDER full range of Information Security and Cyber Security services, contact us today for a no-obligation discussion.