As we wind up this tumultuous year, we all know one thing for certain. It is a dangerous world out there. And while our eyes are on just so many threats these days, it is now more important than ever for businesses to ensure their data safety and systems security. Penetration Testing and Vulnerability Assessments are two key functions in shoring up your cybersecurity.
While similar, Penetration Testing and Vulnerability Assessments serve two different, albeit congruent, roles in your organization’s cyber safety.
A Penetration Test or Pen Test, also referred to as ethical hacking, essentially simulates a cyberattack on your organization’s technology and defense capabilities by actively seeking to exploit weaknesses within your standard business processes. As the name implies, it essentially answers the question of how deep bad actors can make it into the system, pinpoints loose security settings and identifies at-risk business processes. Pen Test reports are then generated, specifically identifying the data that has been exposed to threat. The level of risk is commonly ranked on a scale of Critical, High, Medium, Low and Informational.
As you might assume, those Critical and High issues need to be addressed swiftly, as left unchecked, they are effectively giving those bad actors a lit match to burn down your entire organization – or at least, stop you in your tracks. Pen Testing is an incredibly powerful and invaluable tool that requires substantial industry expertise – and to be honest, I still find it a really cool part of our suite of cybersecurity solutions.
Pen Tests should be conducted once or twice a year or whenever your system makes substantive upgrades.
Vulnerability Assessments scan your systems for potentially exploitable software, service or configuration vulnerabilities. By detecting and identifying these systemic weaknesses, they can be remediated to prevent an adversary (or even a Pen Test) from successfully exploiting them. The resulting reports list exposed vulnerabilities, rated by risk on the same scale used for Pen Testing (again, Critical, High, all the way down to Informational).
The report should also consider trends against a baseline measure, such as whether the number of findings is:
Trending down – which denotes improvement
Trending up – which is likely a concern
Recurring – meaning they are not being resolved in a timely manner
New – suggesting that the team is on top of patching and configurations, and that these new vulnerabilities largely stem from recently discovered bugs in vendor software
At a minimum, vulnerability scanning should be conducted quarterly; however, it’s ideal to do it monthly and in sync with your patching process and maintenance windows. Vulnerability scanning can often be handled by in-house security teams rather than requiring a cybersecurity expert. But it is important to be realistic about in-house bandwidth and expectations, as internal teams are sometimes pulled into other activities, causing scanning lapses. The good news is, vulnerability scanning is one of several services that are very reasonable to outsource, which ensures assessments are run consistently and effectively.
When vulnerability assessments are turned into a process and integrated with the patching process and configuration management, we call it Vulnerability Management. Within the management methodology, the findings, or weaknesses, are not only identified in a report but also tracked and addressed in a structured manner.
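The baseline comparison and structured tracking described above, as an added example that is not part of the original post: it compares a constructed baseline scan with a constructed current scan, labels each finding new, recurring or resolved, reports the per-severity trend, and lists the Critical/High items to escalate. Host names and finding ids are placeholders, not real scanner output.

```python
from collections import Counter

# Severity scale used in the reports described above, most to least severe.
SEVERITIES = ["Critical", "High", "Medium", "Low", "Informational"]

# Constructed sample scan output: (host, finding id, severity). Placeholder ids.
BASELINE_SCAN = [
    ("web-01", "FINDING-0001", "Critical"),
    ("web-01", "FINDING-0002", "Medium"),
    ("db-01", "FINDING-0003", "High"),
    ("mail-01", "FINDING-0004", "Low"),
]
CURRENT_SCAN = [
    ("web-01", "FINDING-0001", "Critical"),      # still open: recurring
    ("db-01", "FINDING-0005", "High"),           # not in baseline: new
    ("mail-01", "FINDING-0004", "Low"),          # still open: recurring
    ("web-01", "FINDING-0006", "Informational"), # not in baseline: new
]

def classify(baseline, current):
    """Split current findings into new vs recurring, and list baseline
    findings that no longer appear (resolved). Keys are (host, finding id)."""
    base = {(h, f): s for h, f, s in baseline}
    cur = {(h, f): s for h, f, s in current}
    new = {k: s for k, s in cur.items() if k not in base}
    recurring = {k: s for k, s in cur.items() if k in base}
    resolved = {k: s for k, s in base.items() if k not in cur}
    return new, recurring, resolved

def trend(baseline, current):
    """Per-severity (baseline count, current count, direction)."""
    b_counts = Counter(s for _, _, s in baseline)
    c_counts = Counter(s for _, _, s in current)
    out = {}
    for sev in SEVERITIES:
        b, c = b_counts[sev], c_counts[sev]
        out[sev] = (b, c, "down" if c < b else "up" if c > b else "flat")
    return out

def needs_attention(new, recurring):
    """Critical/High findings to escalate: every new one, plus recurring
    ones, which signal the patch process is not closing them in time."""
    urgent = {"Critical", "High"}
    return sorted(k for k, s in {**new, **recurring}.items() if s in urgent)

if __name__ == "__main__":
    new, recurring, resolved = classify(BASELINE_SCAN, CURRENT_SCAN)
    print("new", sorted(new), "recurring", sorted(recurring), "resolved", sorted(resolved))
    print(trend(BASELINE_SCAN, CURRENT_SCAN), needs_attention(new, recurring))
```

Feeding each month's export into this comparison, with the previous month as the baseline, is the minimum record keeping that turns scanning into the tracked process the text calls Vulnerability Management.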
More mature organizations may evolve the process further by mapping out the paths, or threat vectors, an adversary could leverage to exploit these weaknesses, then determining whether there are detective or protective controls along each path. For example, a missing patch on a laptop could be exploited through an attachment in an email, unless something can detect and stop that threat, such as antivirus and anti-phishing software.
A further evolved process will include intelligence about existing threats that might become a concern for the company. When the process is aligned in this manner, cradle to grave, it is often referred to as Vulnerability and Threat Management, although the two processes may operate more independently.
The short answer is, probably both.
Both Pen Tests and Vulnerability Assessments are crucial components of almost every smart, comprehensive cybersecurity strategy. Some industry standards, and even laws, require that Pen Testing and/or Vulnerability Assessments be performed on a standard schedule, often meaning annually or quarterly, depending on the regulatory entity’s compliance requirements.
Even if you are not required by regulation to run these tests, any business that gathers and utilizes data must consider not only its own operational interests, but also its moral obligation to maintain the security and privacy of its customers’ data. Simply stated, lax security and vulnerabilities are just all-around bad for business.