
One of the most important parts of a solid security program involves testing to see where your weaknesses lie. Continual improvement cannot be achieved without continual review. However, many people confuse vulnerability scanning with penetration testing. As a means of protecting an enterprise, neither can take precedence over, or replace, the other. Both are equally important, and in many cases they are suggested, if not outright required, by standards and regulations.
Vulnerability Scanning vs. Penetration Testing
Penetration testing seeks to exploit a security gap, while vulnerability scanning checks for known exposures and generates a report that can be used for risk mitigation.
The decision to engage in a penetration test or vulnerability scan depends on various factors, such as scope, criticality of assets, and resources such as cost and time.
Penetration Testing
Penetration testing can reach far into an organization’s environment, both technically, as well as physically. One of the most important pre-engagement steps for a penetration test is to carefully consider and agree on the scope of the test. The various types of tests can extend far beyond the IT, or the information security teams.
Physical security testing is perhaps the most dangerous exercise, and it is vital to have fully documented C-Level support. Whether the physical perimeter is being tested, or the goal is to prove that a person can gain full access to an office space, the stakes become highly hazardous if the engagement is not carefully scoped. Careful scoping is what prevents unintended consequences.
Technical penetration testing is equally fraught with risks to the tester. An innocently misdirected port scan can result in the tester running afoul of both State and Federal laws, such as the Computer Fraud and Abuse Act (CFAA, 18 USC 1030), which makes it a crime to access or attempt to access a computer or computer network without authorization or in excess of authorization. Penetration testing can also involve varying levels of notification to those impacted.
Testing can involve the entire infrastructure, or it can be conducted against a single application or a particular network segment. While time and cost are usually strong determinants of what an organization will choose, it is always best to use a risk-based approach. This ensures that the correct assets are being tested, and for the correct reasons.
Vulnerability Scanning
Vulnerability scanning is the act of identifying potential susceptibilities in network devices such as firewalls, routers, switches, servers and applications. Vulnerability scans can be automated, making the task easier to scope and safer for the tester. Acting as a detective control, a scan seeks to identify vulnerabilities without exploiting any of them. However, just because a scan can be automated does not make it free of peril. In fact, a poorly planned scan can be as disruptive as an outright attack. Scoping a vulnerability scan project is often a time of discovery: many processes and other tasks take place outside of normal business hours, such as bank transfers, backup jobs, and production rollouts, and these mission-critical functions cannot be interrupted. Vulnerability scans can be run more frequently, on any number of assets, to verify that exposure levels remain consistent with the organization’s risk appetite.
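The scheduling problem described above is worth automating: a scan window should be checked against the change calendar before the scanner is ever launched. The following is an added example, not code from the original article; the blackout windows (nightly backup, wire-transfer batch, production rollout) and their times are constructed sample data, and the 15-minute search step is an assumption.

```python
"""Check a proposed vulnerability-scan window against blackout windows for
mission-critical batch jobs, and find the earliest slot that avoids them all.
Constructed example data; in practice the blackouts come from the change
calendar or job scheduler."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Window:
    name: str
    start: datetime
    end: datetime

    def overlaps(self, other: "Window") -> bool:
        # Half-open intervals [start, end): a window that ends exactly when
        # another begins does not overlap it.
        return self.start < other.end and other.start < self.end


# Constructed blackout windows for one night (assumed values).
BLACKOUTS: List[Window] = [
    Window("wire-transfer-batch", datetime(2024, 3, 3, 22, 0), datetime(2024, 3, 3, 23, 30)),
    Window("nightly-backup", datetime(2024, 3, 4, 1, 0), datetime(2024, 3, 4, 3, 0)),
    Window("prod-rollout", datetime(2024, 3, 4, 5, 0), datetime(2024, 3, 4, 6, 30)),
]


def conflicts(scan: Window, blackouts: List[Window] = BLACKOUTS) -> List[str]:
    """Names of every blackout window the proposed scan window overlaps."""
    return [b.name for b in blackouts if scan.overlaps(b)]


def earliest_clear_window(earliest: datetime, duration: timedelta, latest: datetime,
                          blackouts: List[Window] = BLACKOUTS,
                          step: timedelta = timedelta(minutes=15)) -> Optional[Window]:
    """Slide a window of `duration` forward from `earliest` in `step` increments
    until it fits entirely outside every blackout; None if nothing fits before
    `latest`."""
    start = earliest
    while start + duration <= latest:
        candidate = Window("scan", start, start + duration)
        if not conflicts(candidate, blackouts):
            return candidate
        start += step
    return None


if __name__ == "__main__":
    proposed = Window("scan", datetime(2024, 3, 3, 23, 0), datetime(2024, 3, 4, 1, 30))
    print("conflicts:", conflicts(proposed))
    slot = earliest_clear_window(datetime(2024, 3, 3, 22, 0), timedelta(hours=2),
                                 datetime(2024, 3, 4, 8, 0))
    print("earliest clear slot:", slot.start, "to", slot.end)
```

The proposed 23:00 to 01:30 window collides with both the wire-transfer batch and the backup; the search then shows that the first two-hour slot free of all three jobs does not open until 03:00. Running the check as a gate in the scan pipeline turns the "time of discovery" into a documented pre-scan step rather than a surprise during the scan.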
Review, Remediate, and Mitigate – Then Begin Again
Once all the testing and scanning is complete, the most important task is to review the results, both with the teams whose systems were tested and with the senior management of the organization. No matter how plain the language of the report may seem, it is important to restate it in language for a non-technical audience. The report should be converted into a grid that shows the finding, severity, remediation steps, mitigation steps, task owner, and deadline. This is where collaboration with the project management team becomes important to success. In the absence of a formal project manager, a spreadsheet can fulfill this purpose.

One of the most important columns to include in the grid is one that records a retest date after the initial correction of the problem, along with a periodic retesting schedule. This serves two purposes. First, it decreases the likelihood of the problem recurring. Second, it acts as evidence of a repeatable and managed security approach.
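The grid and retest schedule described above can be kept as a small findings register rather than a free-form spreadsheet. The following is an added example, not code from the original article; the three findings, the 7-day confirmation retest, and the severity-based retest cadence are constructed sample data and an assumed policy, to be replaced with the organization's own.

```python
"""Findings register: finding, severity, remediation, mitigation, owner,
deadline, fix date, retest history; plus overdue and retest-due reports and
a CSV export for the spreadsheet. Constructed data and assumed policy."""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed retest cadence by severity (days between periodic retests).
RETEST_INTERVAL_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}
# Assumed: the first retest confirms the fix one week after it lands.
CONFIRMATION_DELAY = timedelta(days=7)


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    remediation: str
    mitigation: str
    owner: str
    deadline: date
    fixed_on: Optional[date] = None
    retests: List[date] = field(default_factory=list)  # dates retests were performed

    def next_retest(self) -> Optional[date]:
        """Nothing to retest until a fix is recorded; then a confirmation retest,
        then periodic retests counted from the most recent one."""
        if self.fixed_on is None:
            return None
        if not self.retests:
            return self.fixed_on + CONFIRMATION_DELAY
        return self.retests[-1] + timedelta(days=RETEST_INTERVAL_DAYS[self.severity])


def overdue(findings: List[Finding], today: date) -> List[str]:
    """Findings whose remediation deadline has passed with no fix recorded."""
    return [f.id for f in findings if f.fixed_on is None and f.deadline < today]


def retests_due(findings: List[Finding], today: date) -> List[str]:
    """Fixed findings whose next scheduled retest is on or before today."""
    due = []
    for f in findings:
        nxt = f.next_retest()
        if nxt is not None and nxt <= today:
            due.append(f.id)
    return due


def to_csv(findings: List[Finding]) -> str:
    """The grid as CSV, one row per finding, with the next retest date as a column."""
    cols = ["id", "title", "severity", "remediation", "mitigation", "owner",
            "deadline", "fixed_on", "next_retest"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=cols)
    w.writeheader()
    for f in findings:
        w.writerow({
            "id": f.id, "title": f.title, "severity": f.severity,
            "remediation": f.remediation, "mitigation": f.mitigation,
            "owner": f.owner, "deadline": f.deadline.isoformat(),
            "fixed_on": f.fixed_on.isoformat() if f.fixed_on else "",
            "next_retest": (f.next_retest().isoformat() if f.next_retest() else ""),
        })
    return buf.getvalue()


def sample_findings() -> List[Finding]:
    """Constructed sample register (placeholder findings, not real results)."""
    return [
        Finding("F-001", "Unsupported TLS version on web front end", "critical",
                "Disable TLS 1.0/1.1 on the load balancer", "WAF rule until change window",
                "netops", date(2024, 2, 15), fixed_on=date(2024, 2, 10)),
        Finding("F-002", "Missing OS patches on file server", "high",
                "Apply vendor patches", "Restrict SMB to internal VLAN",
                "sysadmin", date(2024, 2, 1)),
        Finding("F-003", "Verbose error pages on intranet app", "medium",
                "Disable debug output in production config", "None required",
                "appdev", date(2024, 3, 31), fixed_on=date(2024, 1, 5),
                retests=[date(2024, 1, 12)]),
    ]


if __name__ == "__main__":
    today = date(2024, 3, 1)
    reg = sample_findings()
    print("overdue:", overdue(reg, today))
    print("retests due:", retests_due(reg, today))
    print(to_csv(reg))
```

As of the sample date, F-002 shows up as overdue because its deadline passed with no fix recorded, F-001 shows up as due for its confirmation retest, and F-003 (already confirmed once) is not due again until its medium-severity interval elapses. The "next_retest" column in the export is the evidence-of-process column the text recommends.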
Most industry guidance, and many regulations either suggest or prescribe security scanning and testing. Whether your organization follows the Center for Internet Security (CIS) Controls, NIST guidance, or if it must adhere to any of the enacted cybersecurity and privacy regulations, the need to continually evaluate security is ever-present. Make sure that penetration testing and vulnerability scanning are a regular part of your organization’s security practice.