When is it Time to Start Vulnerability Assessment and Penetration Testing?
Obviously, in the wake of data breaches, businesses must switch from reactive to proactive measures. Vulnerability assessment, complemented with penetration testing, are the two practices you should consider as part of your cybersecurity toolkit.
What is Vulnerability Assessment, Vulnerability Management, and Pentesting?
A vulnerability assessment is a process that helps to identify the security “holes” in business systems and then prioritize those in terms of risk. It is a project and a one-time project at that. Most businesses contract with an outside IT security consultant who, through the use of various vulnerability assessment tools, will perform a full review of a corporate environment and earmark all of the potential risks. In the end, there will be a vulnerability testing report that identifies a business’s threats and the recommendations for remediation. The report constitutes the termination of the assessment.
Vulnerability management is an ongoing process or program aimed at managing a company’s vulnerabilities on a continuing basis. Standard vulnerability management provides for vulnerability monitoring that goes beyond just the initial assessment activity and supports a process designed to strengthen an organization’s defences against breaches on a continuous basis.
A vulnerability scan is usually a part of a vulnerability assessment. It is performed by a program that provides automated vulnerability scanning, finding “holes” in servers, networks, or infrastructure. In fact, it’s highly important to conduct comprehensive scans for your systems as, for instance, 73% of vulnerabilities in web applications originate from the network, not the app itself. Vulnerability scans are sometimes used after preventive measures have been put into place, to assess their effectiveness.
Penetration testing (also known as pentest) is a form of ethical hacking, usually done manually. Friendly hackers try to gain unauthorized access to some target. Pen testing usually occurs once vulnerabilities have been uncovered from scans. One common reason for this process is application penetration testing prior to launch so that vulnerabilities can be fixed up front, before deployment. Another common purpose is to schedule specific penetration testing steps on a regular basis in order to stay on top of any vulnerabilities that may occur because of major network changes or updates. Further, server penetration testing should always occur when there are changes or additions.
The Key Components of Vulnerability Assessments
The standard process of vulnerability testing includes a scan, identification of remediation tasks, and then a results analysis, to determine if those remediation efforts have been successful. Within this context, however, there is a multitude of things to look at.
Step 1: Business System and Operations Assessment.
The first is a deep understanding of the way a business is organized and currently operates at IT level. A risk assessment should tackle all the existing technological “links” between departments, on-premises and remote infrastructure and even external third-parties.
If third parties are provided access to systems and networks, what are their security measures? The massive data breach at Target occurred because of the vulnerability of a third-party vendor. Any large enterprise using third-party vendors would be well-advised to demand that vulnerability testing occurs on their systems too. Use of third-party POS system, for example, caused breaches at a number of fast-food restaurants in 2017, and the result was about 5 million credit/debit cards numbers up for sale on the black cyber market.
Your in-house systems should be subjected to vulnerability testing as well. Are staff able to use their company devices for personal purposes? If you have not put information security systems in place to block personal use of company devices, then vulnerability testing will point this out and make recommendations.
Another aspect of vulnerability is the employee’s usage of their own mobile devices, usually remotely, to access company systems, as they work from a variety of locations or as members of remote teams. In fact, a 2016 Trustwave Security Report stated that 95% of mobile apps they scanned contained at least one vulnerability, with the median total being of 6.5 vulnerabilities per app. Any time an outside device accesses in-house systems and data, there can be a risk. Vulnerability testing will assess current security measures, identify holes and make recommendations for fixes.
Step 2: Prioritize the Targets of Vulnerability.
You have applications and data that contain sensitive information, e.g. your ERP system hosted on-premises or in the cloud. And you have both physical and virtual servers that run those applications and store that information.
Additionally, there can be “hidden” sources of data that you don’t think about – access to that data by remote devices, for example. Here is where strong vulnerability testing consultancy can come into play. Experienced specialists will start with asking the right questions so that testing will prioritize and run those scans that are most critical.
Step 3: Identify those Security Measures Already in Place.
You may have firewalls, encryption, virus detection software, etc., but have you really tested the efficiency of these measures? Vulnerability testing should address your current security measures as well to ensure that they are as bulletproof as you believe them to be.
Step 4: Time to Scan.
Once these pre-testing tasks are completed, it is time for the vulnerability scan. Experienced SysOps service providers should create a custom “toolkit” for your needs that will crawl every “crevice and cranny” of your systems and determine the weak areas.
Step 5: Remediation is Put into Place.
Post-testing you will receive a detailed report of the findings along with the further suggestions for addressing those vulnerabilities. You should proceed with the implementation. Are the fixes working? For this, penetration testing will be required.
Infopulse provided application security testing for ING Bank. In the wake of breaches in the financial sector, the client was particularly concerned with the security of its online services. Hence, we performed a full evaluation of the security risks related to its web applications and network services. Our team also provided vulnerability assessment, Black Box and White Box penetration testing.
What is Penetration Testing?
Once the assessment and remediation measures are put into place, it is time to analyze the success of those measures. This is where pentesting comes into play. This testing is critical, and yet, according to a report by Osterman Research, among 186 corporate IT professionals, 19% stated they do not security testing at all; only 25% consider themselves pro-active in terms of security testing.
Remember, the process involves a “friendly” hacker attempting to penetrate something that is now supposed to be secure. The most common practice is for the hacker to be provided access to the object (e.g., an application) that would normally be provided to a user within the company. Then, the hacker will attempt to penetrate further into the object, in order to insert a virus or to gain greater data/information that would normally be allowed.
There are other types of penetration testing too, dependent upon an organization’s need. In some instances, the hacker is provided absolutely no access to an object and must try to penetrate it, through a variety of means (e.g., loose password policies, personal use of company devices, remote use by non-company devices). Still, in other cases, the hacker may be given deeper access, including source code and can then provide a much deeper level of penetration testing.
The type of penetration testing an organization chooses may vary, even object by object, and it is often best to contract for vulnerability assessment services and pentesting with a professional organization that can provide a comprehensive vulnerability assessment based upon individual need. To receive a more comprehensive take on modern penetration testing, download our three-part guide next.
When Should Organizations Initiate Vulnerability Assessments?
There is no best answer to this question, but there are certain conditions, which would certainly warrant such a move:
- Any time a new application is developed and ready for launch.
- Any time data or infrastructure is moved to the cloud.
- Following a merger or acquisition in which servers, systems, networks and applications are also being acquired.
- Any time systems are updated or new assets acquired.
If you are looking at these circumstances and realizing that at least one applies to you, then the answer to the question “when” is “now.” In short, no organization is immune to vulnerability – in fact, as many who follow breaches state, it’s not a question of if, it’s a question of when. And the best defense is assessment, remediation, and testing of the results.
For instance, Bosch, an electronics manufacturing enterprise in Germany, is now actively expanding its embedded solutions line-up. Before they hit the market, the company wanted to make sure that there’s no security “loopholes” to exploit. Infopulse team was hired to conduct a comprehensive security audit of client-server solutions. Our team developed a strategy that included a full security assessment, a threat and risk analysis, and then conducted penetration testing of its embedded software, data, traffic, encryption, and more. You can read the complete case study with the results here.
In general, vulnerability assessments should be ongoing, and this is where a vulnerability management system should be in place. Assessments should be a continuous process, in order to maintain the highest level of security.
How to Unlock More Value from Vulnerability Assessments and Pentesting
The benefits of vulnerability assessment and pentesting cannot be ignored:
- You will identify security threats in a proactive way, rather than just react after the breach occurs.
- It will force you to create an inventory of all objects that may be at risk – software, apps, network configurations, devices, etc.
- Identify the level of risk so that priorities can be assigned.
To achieve those benefits, your company should consider taking the next five steps:
1. Identify all of the hardware and software assets in your business environment.
This includes all that has been migrated to the cloud or has been marked as “best candidate” for migration as well. A complete assessment must include every object you own.
2. Prioritize these assets according to the sensitivity of what they hold.
Personal and financial information of customers/clients, proprietary information, etc. List them from the most critical on down to the least.
3. Use the assessment tools that are best suited for your circumstances.
This can be a challenge, and it is at this point that executives and IT departments make the decision to use a reputable security services firm. They can evaluate the assets and select the right tools for each of those assets.
4. Quantify the level of risk that each identified vulnerability proses.
Again, this is often a task best left to the professionals. They will provide a risk score for each vulnerability.
5. Develop a plan to address (remediate) the vulnerabilities in an ordered and sequential manner.
Begin with the most sensitive and valuable assets that have the highest risk and move downward. Use remediation tools that will provide patches, new configurations, and debugging. Again, determining the best tools to use for each vulnerability may best be a task for a contracted IT security service.
Once the vulnerability assessment is complete, and the “fixes” have been put into place, it is time for penetration testing and the development of an ongoing vulnerability management program.
Conclusions
For organizations seeking to reduce security risks, vulnerability assessments and testing are where to begin. Risk management, however, is an ongoing challenge, and vulnerability management be an ongoing activity. This is the only way to stay ahead of the attackers who are on the offensive continually.
Infopulse offers a full range of IT security services, including vulnerability assessment, remediation, penetration testing, and vulnerability management being critical parts of our offerings. With our wide range of application and network vulnerability assessment tools, along with our expertise, we are able to provide customized solutions to fit any organization’s needs. Once these tasks are accomplished, we can devise a framework for continuous vulnerability management, so that risks are fully minimized and detected before any damage occurs.