Vulnerability Assessments vs. Pen Testing: Walk before you run

Back to Blog
10Aug2017

Vulnerability Assessments vs. Pen Testing: Walk before you run

Sales people are some of my favorite people in the world. They make me laugh out loud almost every day.  The company I work for offers a few different flavors of network & security assessments for small to mid-sized businesses, but we do not offer penetration testing.  Still, I occasionally run across a customer who thinks they are getting “pen tested.”  I don’t know for sure, but I assume this phrase is being thrown around because it sounds cooler than “assessment,” but there is a difference.

Vulnerability Assessments

The most basic level of security assessment I do is the “vulnerability” assessment. The whole point of this assessment is to find as many vulnerabilities as possible, so that they can be patched or fixed.  A vast majority of small businesses need this kind of general “clean-up” effort, before they are ready for anything more advanced, like risk assessments or pen testing.  The assessment is performed by scanning for known vulnerabilities, both from the inside (on the local LAN) and outside the network (scans against the perimeter).

Additionally, we may look for the presence of basic network topology/design features, and certain other best practices & procedures. This is a “pass/fail” sort of thing. Either you have a patch management solution in place, or you don’t. Not surprisingly, without one, you are more likely to have many more vulnerabilities.

Compliance-based “Risk Assessments”

Compliance is another animal, because here we are trying to determine risk as it relates to a specific type of information, within a specific framework of “rules” governing the storage, transmission & use of that information. For example, financial data, health protected information (HIPAA), and so on. Sometimes there are methods of calculating risk in terms of actual dollar amounts in these assessments.

Generally speaking, in Risk Assessments we see a set of rules or “guidelines” that you are trying to meet, so there will be more questions to do with process & procedure, how information is handled, both digitally and physically. How the physical work spaces are laid out, and so on.  How is access to physical & digital assets granted, terminated and managed in between?  And of course, we are interested in things like active employee & vendor lists, truing these lists up against the Active Directory listing, etc., as well as encryption, and other items.

Another important thing to note here is that aligning yourself with the compliance blue-print doesn’t necessarily equal security, but it may nevertheless be an important component in your overall security strategy.

Pen Testing

Here is the thing about pen testing: a penetration test determines whether an already established security strategy or defense is effective in preventing a specific type of breach or attack.  So, unless you’ve already gone through vulnerability patching, risk assessments and establishing new procedures and monitoring/detection tools, this service probably isn’t for you.

In fact, if you have not developed a detection & response strategy first, then I can already predict the result of your pen test: it will be successful, and you will be pwned. There, I just saved you bookoo bucks in that once sentence. You’re welcome.

As I said, my employer doesn’t even offer this kind of thing (even though “pen test” does admittedly sound pretty cool), and with good reason: most every small business I’ve ever worked with had plenty of other lower-hanging fruit to tend to, without going for a full-on penetration test.

The other reason is, pen testing can be more effective/revealing/educational when left in a third party’s hands. In other words: have one party help prepare you for a pen test, have another party actually execute it.

Without specifically naming who, I can tell you that we have recently had a client, who had already gone through our assessment process and purchased our advance threat management services, undergo a third-party pen test. And, while the attacker was successfully able to gain access to and elevate privileges on the network, we were alerted in the process. Meaning that we knew when, where and how the breach took place. So in this case the pen test verified that we have an effective system set up (at least in regard to the types/methods of attacks carried out by the pen testers).

Walk before you run

I think the conclusions here are:

  1. Pen testing is not the same as a vulnerability assessment (which is different still from a myriad of other assessments, some of which I haven’t even mentioned here)
  2. If you are a small or mid-sized business then you very likely do not need a pen test, until you take your first baby steps with some other efforts, mentioned above
  3. And oh yes, you absolutely need to start taking security more seriously; 2017 has been a hugely alarming year, and I think it’s only going to continue heating up from here.

Remember that your goal should be to become more expensive to pursue. If you’re not even at the stage of managing for known vulnerabilities, then I have news for you: your company is low-hanging fruit for the cyber criminals. So get started from wherever you are, and if you have any questions about these topics, feel free to hit me up via the contact page. I’m here to help you and your clients/constituents.

Business, Opinion , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

15Apr

We need “MDATP Lite,” not full MDATP, in order to complete Defender’s value proposition in the SMB–and this is what it looks like

TL;DR: Just give me the device risk level with a description of "why" so I can follow up with potentially at-risk users. You can keep Advanced Hunting, etc. So many people I talk to in the SMB community think that they want MDATP. Well, it is... read more
26May

Migration path from SBS to Office 365 & Windows Server 2016

So many small businesses adopted Microsoft's Windows Small Business Server (SBS) product--now that the product has been discontinued, these organizations tend to need a little more guidance regarding the migration path forward from SBS 2003, 2008 or 2011. Do I still need an On-premises Windows Server? With the option to... read more
04Mar

Migration paths to Microsoft 365: Devices before data??

I have literally written the book on this topic, but one question I did not directly address is the order in which you might migrate the various workloads from traditional infrastructure to Microsoft 365. First, just know that you can tackle your migration in whatever order... read more
Why Not Set Up a Retention Policy Today?
03Mar

Why Don’t You Have a Retention Policy In Place Yet?

Most SMBs I consult with have never configured a retention policy, or indeed, they are not even aware of the retention capabilities in Microsoft 365. In general, Information Governance is one of those areas that simply does not get the attention that it deserves, especially... read more
25Apr

Knowledge is Power: What does it mean?

Knowledge is Power. Everyone knows that. But not all forms of knowledge were created equally. The same is true of the corresponding power. There are many different shades of knowledge in life, and we do not always distinguish among them in common everyday discourse. However, in most... read more
22Dec

Reader question: Do you recommend Defender in place of third-party antivirus or security tools?

It feels like it has been a while since I addressed a reader question on the blog. This is one I get frequently, all the more so in recent months since Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) became available as a standalone subscription... read more
10Apr

What is the biggest opportunity for IT Service Providers and Consultants today, in light of COVID-19?

I got this question from a reader named Rob the other day. The full question is actually a bit more detailed and revealed a lot more about the author of the question--so I've only included an abridged version that pulls out the heart of the... read more
17Jul

The new and confusing Microsoft 365 SKU’s

I have written one post on Microsoft 365 (Business edition) so far. And I haven't had as much time to continue playing with it as I like. But, here is what I can tell you: the literature out there on these SKU's can be confusing,... read more
18Jan

Certification vs. Qualification

I hold several certifications in my field of expertise: a number of Microsoft certifications, as well as Cisco, WatchGuard, IBM and other technologies.  Before all of that happened, I also earned my bachelor’s in mathematics and philosophy from University, as well as a shiny Master’s... read more
02Mar

It’s all about your downtime tolerance

Before you go picking the cheapest possible IT solution that meets your business requirements, or on the other side of the equation, adding unnecessary complexity to your network, you first need to consider: What is your downtime tolerance? If you don't answer this critical question,... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me