Vulnerability Assessments vs. Pen Testing: Walk before you run
Alex Fields
Salespeople are some of my favorite people in the world. They make me laugh out loud almost every day. The company I work for offers a few different flavors of network & security assessments for small to mid-sized businesses, but we do not offer penetration testing. Still, I occasionally run across a customer who thinks they are getting “pen tested.” I don’t know for sure, but I assume this phrase gets thrown around because it sounds cooler than “assessment.” There is a difference, though.
The most basic level of security assessment I do is the “vulnerability” assessment. The whole point of this assessment is to find as many vulnerabilities as possible, so that they can be patched or fixed. The vast majority of small businesses need this kind of general “clean-up” effort before they are ready for anything more advanced, like risk assessments or pen testing. The assessment is performed by scanning for known vulnerabilities, both from the inside (on the local LAN) and from outside the network (scans against the perimeter).
Additionally, we may look for the presence of basic network topology/design features, and certain other best practices & procedures. This is a “pass/fail” sort of thing. Either you have a patch management solution in place, or you don’t. Not surprisingly, without one, you are more likely to have many more vulnerabilities.
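To make the scan-and-clean-up step concrete, here is an added example (not code from the original post or from the author's company) of the triage that follows an internal plus external scan: the two result sets are merged, duplicates are collapsed, externally reachable findings are ranked first, and a patch-hygiene indicator is derived from how long each fix has been available. Hostnames, the `VULN-000x` identifiers, CVSS scores and dates are all constructed for illustration.

```python
"""Triage of vulnerability-scan findings (constructed example).

Merges findings from an internal (LAN) scan and an external (perimeter) scan,
de-duplicates them, ranks them for remediation, and derives a simple
patch-hygiene indicator from how long fixes have been available.
All hosts, vulnerability ids, scores and dates below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # scanner plugin / advisory id (constructed placeholder)
    cvss: float           # CVSS base score as reported by the scanner
    fix_available: date   # date a vendor patch became available
    source: str           # "internal" (LAN scan) or "external" (perimeter scan)


SEVERITY = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]


def severity(cvss: float) -> str:
    """Map a CVSS score onto the usual four buckets."""
    for threshold, label in SEVERITY:
        if cvss >= threshold:
            return label
    return "low"


def merge(internal, external):
    """Union of both scans keyed on (host, vuln_id). If the external scan also
    saw a finding, keep that copy so the exposure is not lost in the merge."""
    merged = {}
    for f in list(internal) + list(external):
        key = (f.host, f.vuln_id)
        if key not in merged or f.source == "external":
            merged[key] = f
    return list(merged.values())


def prioritize(findings):
    """Externally reachable first, then highest CVSS, then oldest available fix."""
    return sorted(findings,
                  key=lambda f: (f.source != "external", -f.cvss, f.fix_available))


def stale_patch_ratio(findings, today, max_age_days=90):
    """Share of findings whose fix has been public longer than max_age_days.
    A high ratio is the tell-tale sign that no patch management is in place."""
    if not findings:
        return 0.0
    stale = sum(1 for f in findings if (today - f.fix_available).days > max_age_days)
    return stale / len(findings)


def report(internal, external, today):
    """Remediation summary a vulnerability assessment would hand back."""
    findings = prioritize(merge(internal, external))
    ratio = stale_patch_ratio(findings, today)
    return {
        "total": len(findings),
        "exposed_critical": [(f.host, f.vuln_id) for f in findings
                             if f.source == "external" and severity(f.cvss) == "critical"],
        "per_host": dict(Counter(f.host for f in findings)),
        "stale_patch_ratio": round(ratio, 2),
        # pass/fail indicator in the spirit of "do you have patch management or not"
        "patch_management": "FAIL" if ratio > 0.5 else "PASS",
        "order": [(f.host, f.vuln_id, severity(f.cvss)) for f in findings],
    }


# Constructed sample scan output.
INTERNAL = [
    Finding("fileserver01", "VULN-0001", 9.8, date(2017, 3, 14), "internal"),
    Finding("fileserver01", "VULN-0002", 5.3, date(2017, 8, 1), "internal"),
    Finding("wkstn-17", "VULN-0001", 9.8, date(2017, 3, 14), "internal"),
    Finding("wkstn-17", "VULN-0003", 7.5, date(2016, 11, 8), "internal"),
]
EXTERNAL = [
    Finding("webmail", "VULN-0004", 9.1, date(2017, 5, 9), "external"),
    Finding("webmail", "VULN-0002", 5.3, date(2017, 8, 1), "external"),
    # same file server finding, but reachable from the internet via a port forward
    Finding("fileserver01", "VULN-0001", 9.8, date(2017, 3, 14), "external"),
]
TODAY = date(2017, 9, 15)

if __name__ == "__main__":
    for key, value in report(INTERNAL, EXTERNAL, TODAY).items():
        print(f"{key}: {value}")
```

The ordering rule is the part worth arguing about with a client: an internet-facing critical finding on a file server outranks the same finding on a workstation that only the LAN can reach, and a fix that has been available for six months says more about process than any single CVSS number does.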
Compliance-based “Risk Assessments”
Compliance is another animal, because here we are trying to determine risk as it relates to a specific type of information, within a specific framework of “rules” governing the storage, transmission & use of that information: financial data, protected health information (HIPAA), and so on. Sometimes these assessments include methods of calculating risk in terms of actual dollar amounts.
Generally speaking, in Risk Assessments we see a set of rules or “guidelines” that you are trying to meet, so there will be more questions to do with process & procedure: how information is handled, both digitally and physically, how the physical workspaces are laid out, and so on. How is access to physical & digital assets granted, terminated and managed in between? And of course, we are interested in things like active employee & vendor lists, truing those lists up against the Active Directory listing, as well as encryption and other items.
Another important thing to note here is that aligning yourself with the compliance blue-print doesn’t necessarily equal security, but it may nevertheless be an important component in your overall security strategy.
Here is the thing about pen testing: a penetration test determines whether an already established security strategy or defense is effective in preventing a specific type of breach or attack. So, unless you’ve already gone through vulnerability patching, risk assessments and establishing new procedures and monitoring/detection tools, this service probably isn’t for you.
In fact, if you have not developed a detection & response strategy first, then I can already predict the result of your pen test: it will be successful, and you will be pwned. There, I just saved you bookoo bucks in that one sentence. You’re welcome.
As I said, my employer doesn’t even offer this kind of thing (even though “pen test” does admittedly sound pretty cool), and with good reason: most every small business I’ve ever worked with had plenty of other lower-hanging fruit to tend to, without going for a full-on penetration test.
The other reason is that pen testing can be more effective, revealing and educational when left in a third party’s hands. In other words: have one party help prepare you for a pen test, and have another party actually execute it.
Without specifically naming who, I can tell you that we recently had a client, who had already gone through our assessment process and purchased our advanced threat management services, undergo a third-party pen test. And, while the attacker was successfully able to gain access to and elevate privileges on the network, we were alerted in the process, meaning that we knew when, where and how the breach took place. So in this case the pen test verified that we have an effective system set up (at least in regard to the types/methods of attacks carried out by the pen testers).
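The "when, where and how" in that anecdote is what a detection rule has to produce. As an added example (not the author's monitoring product, whose rules are not described on the page), here is a small correlation over constructed Windows Security log events: a membership change to a privileged group (event ID 4732) is alerted on by itself, and if the newly added account then logs on with special privileges (event ID 4672) on the same host within a short window, a second, higher-confidence alert names the account, the host, the source address taken from the preceding logon (event ID 4624) and the delay. The event IDs are real Windows ones; every host, account, address and timestamp is constructed.

```python
"""Correlating privileged-group changes with the first privileged logon that
follows them, over constructed Windows Security log events (added example).

Event IDs used are the real Windows ones:
  4624  an account was logged on (carries the source address)
  4732  a member was added to a security-enabled local group
  4672  special privileges assigned to a new logon (an admin-level logon)
Hosts, accounts, IP addresses and timestamps are constructed.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
WINDOW = timedelta(minutes=30)   # how long after the group change we keep watching


def when(ev):
    return datetime.fromisoformat(ev["time"])


def last_logon(events, upto_index, host, account):
    """Most recent 4624 for the account on that host before upto_index, or None."""
    for e in reversed(events[:upto_index]):
        if e["id"] == 4624 and e["host"] == host and e["account"] == account:
            return e
    return None


def detect(events):
    """Return alerts that each state when, where and how privileges were gained."""
    events = sorted(events, key=when)
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 4732 or ev.get("group") not in PRIVILEGED_GROUPS:
            continue
        t0 = when(ev)
        alerts.append({
            "rule": "privileged-group-membership-added",
            "when": ev["time"],
            "where": ev["host"],
            "how": f'{ev["account"]} added {ev["member"]} to {ev["group"]}',
        })
        # Look ahead for the new member actually using the privileges.
        for j in range(i + 1, len(events)):
            later = events[j]
            if when(later) - t0 > WINDOW:
                break
            if (later["id"] == 4672 and later["host"] == ev["host"]
                    and later["account"] == ev["member"]):
                logon = last_logon(events, j, ev["host"], ev["member"])
                src = logon["src_ip"] if logon else "unknown"
                delay = int((when(later) - t0).total_seconds())
                alerts.append({
                    "rule": "privilege-escalation-confirmed",
                    "when": later["time"],
                    "where": later["host"],
                    "how": (f'{ev["member"]} used special privileges from {src} '
                            f'{delay}s after being added to {ev["group"]}'),
                })
                break
    return alerts


# Constructed sample log. The last two events are a routine admin logon with
# no preceding group change, so they must not produce an alert.
EVENTS = [
    {"time": "2017-09-12T02:14:07", "host": "fileserver01", "id": 4624,
     "account": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2017-09-12T02:15:40", "host": "fileserver01", "id": 4732,
     "account": "svc_backup", "member": "jdoe2", "group": "Administrators"},
    {"time": "2017-09-12T02:15:58", "host": "fileserver01", "id": 4624,
     "account": "jdoe2", "src_ip": "10.0.5.23"},
    {"time": "2017-09-12T02:16:02", "host": "fileserver01", "id": 4672,
     "account": "jdoe2"},
    {"time": "2017-09-12T08:00:11", "host": "wkstn-17", "id": 4624,
     "account": "alice", "src_ip": "-"},
    {"time": "2017-09-12T08:00:12", "host": "wkstn-17", "id": 4672,
     "account": "alice"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f'[{alert["rule"]}] {alert["when"]} on {alert["where"]}: {alert["how"]}')
```

Alerting on 4672 alone would page someone for every normal administrator logon; tying it to a preceding group change on the same host is what turns the stream into the kind of "we knew when, where and how" signal the post describes.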
Walk before you run
I think the conclusions here are:
- Pen testing is not the same as a vulnerability assessment (which is different still from a myriad of other assessments, some of which I haven’t even mentioned here)
- If you are a small or mid-sized business then you very likely do not need a pen test until you have taken your first baby steps with the other efforts mentioned above
- And oh yes, you absolutely need to start taking security more seriously; 2017 has been a hugely alarming year, and I think it’s only going to continue heating up from here.
Remember that your goal should be to become more expensive to pursue. If you’re not even at the stage of managing for known vulnerabilities, then I have news for you: your company is low-hanging fruit for the cyber criminals. So get started from wherever you are, and if you have any questions about these topics, feel free to hit me up via the contact page. I’m here to help you and your clients/constituents.