Overview of pen tests and vulnerability scans
Organisations that implement ISO27001 or similar management standards are often required to perform various technical tests and reviews of their IT systems.
There is often confusion about the difference between vulnerability assessment and penetration testing. To understand it thoroughly, we should look at the broader context.
Why do we need to test vulnerabilities?
The objective of cybersecurity is to prevent a data breach and to keep attackers away. Attackers can have many different motives, but financial gain from the attack is one of the significant ones. So the attacker has to select the right target which they will be able to compromise and benefit from it quickly. They do the research, collect open-source intelligence and read the same blogs, cybersecurity forums and other online IT security sources as system administrators should be reading. Once a vulnerability is discovered and disclosed – the race starts – vendors to produce a patch, system admins to apply it, hackers to exploit unpatched systems. Therefore vulnerability management should be a process implemented in the organisation – it should be an ongoing process. Vulnerability assessment is a part of this process. So what is the difference between vulnerability assessment and penetration testing?
- Vulnerability (weakness) assessment is trying to discover and catalogue all known vulnerabilities (weaknesses), which may exist in the system. The source of weakness could be a software bug (which the vendor may patch), procedure weakness, internal control implementation weakness, etc. Essentially, any gap which can be exploited by an attacker is a vulnerability. It is not just what we can detect with a scanner. Read more about vulnerability assessment in this article.
- Penetration testing, on the other hand, assess can how realistic it is that an attacker could exploit this vulnerability; the assessor would use real-world methods and techniques to establish it. Read more about penetration testing in this article.
Look at the example – security tests at the software company
Imagine you are a software development company, and your software uses an internet-facing website which collects, process, and allows access to data.
You are facing some questions:
- Customers are asking if data is secure. How can we ensure data security?
- The board of directors want to minimise damage in case of an eventual data breach.
- Are implemented defences sufficient?
- Are we spending money on the right defences?
GDPR has introduced the concept of privacy by design and by default. By analogy, we could adopt the idea of cybersecurity by default and by design.
In our example, as a software development company, you do software testing.
- Is vulnerability testing part of it?
- What do you do when you detect a vulnerability, how is it handled?
- How do you establish the severity of the vulnerability – it should lead to appropriate prioritisation?
- What risks does your system face because of those vulnerabilities?
It will help to answer all the above questions in your Vulnerability Management Policy and procedures.
Also, it would be beneficial to address the following:
- How do you discover vulnerabilities, what techniques and tools should you use?
- Can you include vulnerability assessment as part of software testing, prelaunch tests, and ongoing maintenance of the production systems?
- What systems, applications, endpoints, API, web forms, servers require testing? You should decide about the scope of the test.
- How do you compare the results? Understanding the CVSS numbering and the attack vector is helpful. Read more on this here https://nvd.nist.gov/vuln-metrics/cvss#
- What is the frequency of the tests? We would strongly recommend including testing as part of the standard testing process.
- Who should be performing, reviewing, and designing the tests – is it is performed internally or is some of it done by an external consultant?
Vulnerability Management Policy
The above questions, along with others, should be answered in your Vulnerability Management Policy and procedures, which should be designed specifically for your organisation; there is no one size fit all.
- The first step is to establish a Vulnerability Management Policy and procedure, possibly as part of compliance standards like ISO27001, PCI DSS or Cyber Essentials.
- The second step is to involve a passive review, resulting in the plan for the active assessment.
- The third step is to an active vulnerability assessment, aiming at producing a list of potential weaknesses.
- The fourth step is to include a penetration test aiming at the validation of specific attacker objectives.
- The fifth step is to assess the risks of each of the vulnerabilities and assign relevant priorities. When working with RedBlue Global, you will receive a specific list of potential mitigation techniques relating to each of the vulnerabilities discovered.
- Discovery made during the vulnerability assessment and penetration testing should feed the organisation’s continual improvement cycle.
RedBlue Global can help you prepare your own vulnerability management approach and assist you with performing the tests. We would be happy to help you build up the necessary skills in-house to perform at least some of these activities, e.g. as part of system testing.