Often, when speaking to many organizations, I often hear confusion about Pen Testing, ie: what it is, how it differs from vulnerability assessments and what are the best use cases. I’ve decided to write this blog in the hopes of helping my customers better understand these differences and use cases of each.
The cyber threat environment is dynamic and constantly evolving. There are new vulnerabilities discovered on a daily basis. Attacks are getting more sophisticated – they’re getting more complex and flying under the radar of traditional detection technologies.
An organization’s environment isn’t static either. Companies introduce new network equipment, bring in new people, engage with new third-party vendors, etc., and security needs to be a consideration with every change made. That’s why cybersecurity has to be a managed process, where companies need to be constantly evaluating, remediating, and tracking what’s working and what’s not.
Regularly testing your environment from both an internal and external perspective should be an integral part of your evaluation process including performing vulnerability assessments and penetration tests.
Unfortunately, there is a misconception that these engagements are synonymous. It’s common to hear the terms used interchangeably, when in reality, they are very different engagements.
It’s imperative that you understand the differences between them, so you can select which is most appropriate for your organization at any given time. Here are four distinctions to be aware of.
The objective of a vulnerability assessment is to identify known weaknesses in your environment. It can provide you with important information, including unapplied patches, vulnerable software versions, and gaps in network controls, like firewalls.
A pen test simulates a real-world attack and tests your existing defensive controls. It goes beyond identifying vulnerabilities, by attempting to exploit found vulnerabilities and performing manual testing to gain access to systems/sensitive data. Manual testing routinely finds vulnerabilities that automated tools are incapable of finding.
Vulnerability assessments are primarily performed using automated scanning tools such as Nessus, Qualys, or OpenVas, which are off-the-shelf software packages.
A comprehensive pen test is mostly a manual process (although an automated vulnerability scan is often performed during the reconnaissance phase of a pen test). There are commercial tools for pen testing, including Metasploit and CoreImpact, however skilled pen testers will often write their own exploits as needed.
Following a vulnerability assessment, you are typically provided with a list of known vulnerabilities found during the scan, prioritized by severity and/or business criticality. A standard scanner report could be hundreds of pages and will likely include false positives. Some third-party vendors, like Sage, provide a more consolidated report that’s easier to navigate and is focused more on its practical use and not on the sheer number of vulnerabilities reported.
Results from a pen test will also provide information on vulnerabilities, ranked by severity, with remediation recommendations, however it will also include the steps taken to exploit a vulnerability. At CCSI, our reports provide the steps we took or examples used to exploit the vulnerability, so you have all the details on how an attacker could breach your defenses. We can also provide an action plan for you to use to assign and track the individual findings until the risk has been remediated.
Because testing is mostly automated very little skill is needed to perform a vulnerability assessment.
When it comes to pen tests, the experience, training, and expertise of who is performing it is directly linked to the value the results will provide you. Continuous education is a fundamental element of ensuring quality testing and there are several professional credentials for pen testers including Offensive Security Certified Professional (OSCP), GIAC Web Application Penetration Tester (GWAPT), and GIAC Exploit Researcher and Advanced Penetration Tester (GXPN).
Pen Test vs. Vulnerability Assessment: Which is Right for my Organization?
In short, both are critical components of a threat and vulnerability management process, but in certain cases one may be more appropriate than the other.
A vulnerability assessment delivers breadth over depth. It tells you where some of your weaknesses are and how to fix them. Vulnerability assessments are ideal for periodic testing between penetration testing engagements and as a quick verification & sanity check when changes are made to the environment. A targeted vulnerability assessment can be run when a new critical vulnerability is announced to identify the organizations exposure. Organizations just getting started thinking about cybersecurity or with a developing cybersecurity program that would like to get a basic understanding of their current vulnerabilities could start their program off with vulnerability assessments.
In contrast, a pen test delivers depth over breadth. It tells you if someone can exploit your weaknesses to break in, and if so, what information they can access. It is suited for organizations that are compliance-driven, are high-value targets, or have a mature, integrated cybersecurity program. Pen tests should be performed at least annually and any time significant changes are made to your environment.
A closer look at Penetration Testing
Penetration testing is a type of security testing that is used to test the insecurity of a Company Environment. Whether it is an application or a network environment, it also attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. If a system is not secured, then any attacker can disrupt or take authorized access to that system.
There are various types of Penetration testing:
- PCI Penetration Testing
- Network Penetration Testing
- Application Penetration Testing
- Wireless Penetration Testing
- Infrastructure Penetration Testing
Penetration testing is an essential feature that needs to be performed regularly for securing the functioning of a system. In addition to this, it should be performed whenever:
- Security system discovers new threats by attackers.
- You add a new network infrastructure.
- You update your system or install new software.
- You relocate your office.
- You set up a new end-user program/policy.
Many clients have incorrect assumptions about penetration testing. They often schedule this type of project under false expectations, such as:
- After a penetration test, the company will be safe.
- A penetration test will find all of my vulnerabilities in its environment.
- A single penetration testing is enough for future business.
Companies who do penetration tests for these reasons do not get the real benefits of this service, and practically they will face disappointing outcomes in the future.
Every business works in a different way, and the value of conducting a penetration test varies in each case. Some businesses might manage IT security in a different way than others, and therefore a penetration test might be relevant in different ways. However, it is possible to find some common ground, which will almost certainly apply to every organization.
The question is what are the real benefits of penetration testing for a company? Here are the common benefits of penetration testing.
Manage the Risk Properly
For many organizations, one of the most popular benefits of penetration testing is that it will give you a baseline to work upon to cure the risk in a structured and optimal way. A penetration test will show you the list of vulnerabilities in the target environment and the risks associated with it. A high order evaluation of the risk will be performed so that the vulnerabilities can be reported as High/Medium/Low-risk issues.
The sequence of the risk will help you to tackle the highest risks first, and then others.
Increase Business Continuity
Business continuity is the prime concern for any successful organization. A break in the business continuity can happen for many reasons. Lack of security loopholes is one of them.
Insecure systems suffer more breaches in their availability than the secured ones. Today attackers are hired by other organizations to stop the continuity of business by exploiting the vulnerabilities to gain the access and to produce a denial of service condition which usually crashes the vulnerable service and breaks the server availability.
Protect Clients, Partners, and Third Parties
A security breach can affect not only the target organization but also their associated clients, partners and third parties working with it.
However, if company schedules a penetration test regularly and takes necessary actions towards security, it will help professionals build trust and confidence in the organization.
Helps to Evaluate Security Investment
Penetration testing helps take a picture of the current security posture and an opportunity to identify potential breach points.
The penetration test will give us an independent view of the effectiveness of existing security processes, ensuring that configuration management practices have been followed correctly.
This is an ideal opportunity to review the efficiency of the current security investment. What needs to be improved and what is working and what is not working and how much investment needed to build the more secure environment in the organization.
Help Protect Public Relationships and Guard the reputation of your company
A good public relationship and company reputation are built up after taking many years struggle and hard work and with a huge amount of investment. This can be suddenly changed due to a single security breach. The viewpoint of the public for an organization is very sensitive to security issues and can have destructive consequences which may take years to repair. So if a proper penetrating test is conducted on a regular basis, we can create a strong wall for the unauthorized attackers who always tried to penetrate and gain the access in any organization.
Protection from Financial Damage
A simple breach of the security system may cause millions of dollars of damage. Penetration testing can protect your organization from such damages.
Comply with Regulation or Security Certification
PCI DSS addresses penetration testing to relevant systems performed by qualified penetration testers.
The compliance section in the ISO27001 standard requires managers and system owners to perform regular (After every six months) security reviews and penetration tests, undertaken by competent testers.
Helps to tests cyber-defense capability
During a penetration test, the target company’s security team should be able to detect multiple attacks and respond accordingly on time. Furthermore, if an intrusion is detected, the security and forensic teams should start investigations, and the penetration testers should be blocked and their tools removed.
The effectiveness of your protection devices like IDS, IPS or WAF can also be tested during a penetration test. Many of the attacks should be automatically detected, alerts should be generated, and dedicated people should act according to the company’s internal procedures.
Pen tests are an effective way of ensuring that successful highly targeted client-side attacks against key members of your staff.
Security should be treated with a holistic approach. Companies only assessing the security of their servers run the risk of being targeted with client-side attacks exploiting vulnerabilities in software like web browsers, pdf readers, etc. It is important to ensure that the patch management processes are working properly updating the operating system and third-party applications
Author Bio: Larry Bianculli is managing director of enterprise and commercial sales at CCSI. He has 20 plus years experience in the IT Industry helping clients optimize their IT environment while aligning with business objectives. He is a cyber security consultant and holds a CCIE and CISSP. He has a vast experience in many verticals including Financial, Public Sector, Health Care, Service Provider and Commercial accounts. He has helped customers and lead teams with a balanced approach to strategy & planning, execution, and personal principles.