When safeguarding an organization against the threat of cybercrime, it’s important to regularly test how well your current security measures are performing. I recommend that organizations apply a regular schedule of the right tests to help them identify, prioritize and repair vulnerabilities that may threaten their security.
Vulnerability Scans do not Equal Penetration Tests
There are a range of offensive security services that test an organization’s defenses. Among these are automated vulnerability assessments and penetration testing. These services are often not clearly defined by those who offer or procure them – which creates confusion. I often speak with clients who have purchased an automated test from a vendor that called it a ‘penetration test.’ These two services, however, are very different in the complexity and depth of vulnerabilities that they test, in the talent required to execute them and in the report that will ultimately be delivered.
Vulnerability Scans / Assessments
The goal of a vulnerability scan or assessment is to take an immediate and broad, yet shallow, look at the potential vulnerabilities across the organization. This is accomplished using an automated scanning tool, operating from a list of publicly known vulnerabilities and a list of network addresses that are to be targeted.
The scan is launched by an individual trained in using that tool, resulting in an automatically generated report. While the report contains a list of potential vulnerabilities that have been identified, it does not provide further exploration into how those vulnerabilities impact business operations. Vulnerability assessments also do not show how multiple vulnerabilities could be combined and exploited in depth to harm an organization. That simply isn’t in this service’s scope or capability.
True Penetration Tests
The purpose of a penetration test is to identify and intensively test a set of vulnerabilities in an organization that can lead to a compromise by a real attacker, in a real-world scenario. This might sound like the same goal as a vulnerability assessment, but the difference lies in its complexity, level of verification, and depth of compromise.
By attacking the network just as a real advanced threat group would, with human talent driving the decision making and execution, a penetration test exercises more of the attack surface, and more exhaustively, than an automated tool working from a list of known vulnerabilities. It emulates real-world situations with the goal of uncovering issues before a real malicious attack hits the organization, and of giving IT staff actionable knowledge of what real threat groups would see in the organization.
A true penetration test is only useful if executed by a team of specialists who have undergone extensive training in the techniques and tactics used by real attackers. The deliverable is a narrative report that describes the progression of attacks against the organization. It should be condensed to represent verified and actionable items for the organization’s IT security staff. It is important to have a third party conduct this test: it is economically infeasible to maintain full-time staff with this level of advanced training and expertise, and it is difficult for IT staff to creatively explore vulnerabilities within their own deployments.
Know What You Are Buying
When penetration testing is performed by humans emulating the persistent, aggressive actions of true attackers, the results far exceed what most of today’s vulnerability scans and assessments provide. There is a place for both – as long as you know what you are getting.
Part 2 Coming Next Week
There is much more to this topic that I would like to address. Next week, I will discuss how vulnerability scans produce false positives and false negatives. Part 3 of this series will cover how organizations’ ‘Internet of Things’ can create surprising open doors to malicious attackers.