There is some confusion about what a vulnerability assessment accomplishes versus a penetration test. Both are critical in reducing the risk of a successful cyberattack, but a vulnerability assessment is the narrower activity: it scans the IT environment for known weaknesses, such as missing patches, outdated or insecure protocols, and misconfigurations, and reports on them without attempting to exploit them. Several software products can scan the environment, report when changes have occurred, and highlight the events that warrant further investigation. Scans should be performed regularly to confirm the environment remains secured, and again whenever new equipment is deployed or existing equipment changes. It is good practice to establish a baseline of key equipment (open ports, exposed services and their versions) so that each new scan can be compared against it and any unauthorized change identified quickly. Some organizations do not have the staffing to adequately review scan reports and should consider having their outsourced IT provider perform this work or contracting with a cybersecurity company.
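As an added illustration of the baseline comparison described above (example code written for this page, not the output or code of any scanner product): a stored baseline of exposed services is compared against a fresh scan, and the differences are reported as findings. New and removed services and version changes are flagged relative to the baseline, while outdated protocols are flagged whenever they are present, because a baseline records what was there, not what is acceptable. Hosts, ports, service names and versions are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Protocols and services to flag whenever they are exposed, even if they
# were already present in the baseline (constructed list for the example).
OUTDATED = {"sslv3", "tlsv1.0", "tlsv1.1", "smbv1", "telnet", "ftp"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str    # new_service | removed_service | version_changed | outdated_protocol
    detail: str


def diff_scans(baseline: dict, current: dict) -> list:
    """Compare two scan snapshots and return a list of Finding objects.

    Both arguments map host -> {port: (service, version)}; a snapshot in this
    shape is easy to produce from any scanner's export.
    """
    findings = []
    for host in sorted(set(baseline) | set(current)):
        base_ports = baseline.get(host, {})
        cur_ports = current.get(host, {})
        for port in sorted(set(base_ports) | set(cur_ports)):
            if port not in base_ports:
                svc, ver = cur_ports[port]
                findings.append(Finding(host, port, "new_service", f"{svc} {ver}"))
            elif port not in cur_ports:
                svc, ver = base_ports[port]
                findings.append(Finding(host, port, "removed_service", f"{svc} {ver}"))
                continue  # nothing is live on this port, so no protocol check
            elif base_ports[port] != cur_ports[port]:
                # Any version change is reported, even an upgrade: an
                # unplanned change is still a change someone must explain.
                findings.append(Finding(host, port, "version_changed",
                                        f"{base_ports[port][1]} -> {cur_ports[port][1]}"))
            svc, ver = cur_ports[port]
            if {svc.lower(), ver.lower()} & OUTDATED:
                findings.append(Finding(host, port, "outdated_protocol", f"{svc} {ver}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by kind, for the top of a scan-review report."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample snapshots: the approved baseline and a later scan.
BASELINE = {
    "10.0.0.5": {22: ("ssh", "OpenSSH 8.9"), 443: ("https", "TLSv1.2")},
    "10.0.0.7": {445: ("smb", "SMBv1"), 3389: ("rdp", "NLA")},
}
CURRENT = {
    "10.0.0.5": {22: ("ssh", "OpenSSH 8.9"), 443: ("https", "TLSv1.2"),
                 8080: ("http", "unknown")},          # new, unapproved listener
    "10.0.0.7": {445: ("smb", "SMBv1")},               # RDP gone, SMBv1 still exposed
    "10.0.0.9": {23: ("telnet", "-")},                 # host not in baseline at all
}

if __name__ == "__main__":
    results = diff_scans(BASELINE, CURRENT)
    for f in results:
        print(f"{f.host}:{f.port}  {f.kind:18} {f.detail}")
    print(summarize(results))
```

Each finding is something a reviewer must either approve into the next baseline or escalate; the summary counts make it obvious when a scan needs more than a glance.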
Penetration testing, also known as pen testing or security testing, is a form of ethical hacking and requires expertise. It is the intentional launching of simulated cyberattacks by “white hat” penetration testers, using the strategies and tools real attackers use to gain access to or exploit computer systems, networks, websites, and applications. Although the main objective of pen testing is to identify exploitable issues so that effective security controls can be implemented, security professionals can also use penetration testing techniques, along with specialized testing tools, to test the robustness of an organization’s security policies, its regulatory compliance, its employees’ security awareness, and the organization’s ability to identify and respond to security incidents such as unauthorized access as they occur.
As a simulated cyberattack, a pen test lets security professionals evaluate the effectiveness of the information security measures within their organizations. It attempts to pierce the armor of an organization’s cyber defenses, checking for exploitable vulnerabilities in networks, web applications, and user security. The objective is to find weaknesses in systems before attackers do. The results of the pen test identify where more or better controls for monitoring, detecting, and responding are needed.
There are different types of pen test strategies that can be implemented depending on what aspect of the technology environment is being assessed and the reason why the pen testing is being done.
Web Application Pen Testing:
Web application testing is essential to ensure your internet-facing systems are protected. The test should follow the Penetration Testing Execution Standard (PTES) and use the OWASP Web Security Testing Guide as its testing checklist. Web application testing checks for weaknesses in the application’s technology stack, technical flaws in the application itself, and other vulnerabilities, and should also test for account takeover via Host header attacks, for example password-reset poisoning, where an application builds password-reset links from an attacker-controlled Host or X-Forwarded-Host header so that the victim’s reset token is delivered to the attacker’s server.
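An added example of the Host header attack mentioned above (written for this page; not code from the original article or from any particular web framework): a password-reset handler that builds the reset link from the request’s Host or X-Forwarded-Host header, beside a hardened version that rejects any Host value not on an allowlist and builds the link only from a configured canonical hostname. The hostnames, token and ALLOWED_HOSTS set are assumptions for the example.

```python
from typing import Optional
from urllib.parse import urlunsplit

# Constructed configuration for the example; a real deployment reads these
# from configuration, never from the incoming request.
CANONICAL_HOST = "www.example.com"
ALLOWED_HOSTS = {"www.example.com", "example.com"}
RESET_PATH = "/reset"


def _header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable: the link's hostname comes from attacker-controllable headers.

    An attacker requests a password reset for the victim's account while
    sending Host: attacker.example (or X-Forwarded-Host, which many proxies
    and frameworks prefer over Host). The victim receives a genuine-looking
    email whose link points at the attacker's server, which logs the reset
    token as soon as the link is clicked.
    """
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return urlunsplit(("https", host, RESET_PATH, f"token={token}", ""))


class BadHostHeader(ValueError):
    """Raised when the request's Host header is not one this site serves."""


def host_accepted(headers: dict) -> bool:
    """True only if Host exactly matches an allowlisted value (no wildcards)."""
    host = (_header(headers, "Host") or "").strip().lower()
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened: reject foreign Host values and build the link from configuration.

    X-Forwarded-Host is ignored entirely, and the absolute URL never depends
    on anything the client sent.
    """
    if not host_accepted(headers):
        raise BadHostHeader(f"unexpected Host header: {_header(headers, 'Host')!r}")
    return urlunsplit(("https", CANONICAL_HOST, RESET_PATH, f"token={token}", ""))


if __name__ == "__main__":
    token = "d3adb33f"  # constructed; real tokens must be random and single-use
    poisoned = {"Host": "www.example.com", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", reset_link_vulnerable(poisoned, token))
    print("hardened:  ", reset_link_hardened(poisoned, token))
```

A tester checks for this by requesting a password reset for a test account with a modified Host or X-Forwarded-Host header and inspecting the link in the resulting email; any link pointing at the supplied value is a confirmed account-takeover path.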
Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed. Variations of pen tests can include:
- blind testing, in which the tester simulates an attack with little prior knowledge of the organization, using only publicly available information (domain names, the company website, etc.) to target it.
- double-blind testing, in which only a few people in the organization know that a test is taking place, so the exercise also measures how well the organization’s security monitoring, escalation procedures, and incident response protocols actually work.
- targeted testing, in which the IT and testing teams work together to assess security vulnerabilities as well as incident response protocols. This is also known as a “lights-turned-on” test.
External Pen Testing:
An external pen test is a dynamic analysis of the organization’s network perimeter for potential vulnerabilities, which may result from inadequate or improper configuration, known and unknown software/hardware flaws, or operational weaknesses in processes and technical countermeasures. The analysis is carried out from the position of an outside adversary and involves active exploitation of vulnerabilities: the testing team attempts to compromise externally reachable assets and, from any foothold gained, the internal assets behind them. Every technology vulnerability identified should be checked against known CVEs so that its severity and available fixes are known. Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed.
Internal Pen Testing:
Over seventy percent of attacks originate from inside the network, and this number continues to grow as espionage, rogue employees, and social engineering remain at a high. The goal of an internal pen test is to determine the potential impact a security breach can have on your organization and to validate how easily an attacker who already has a foothold (a compromised workstation, a phishing victim’s credentials, or a rogue employee) can move laterally and escalate privileges to defeat your security infrastructure. It is performed from within the organization’s network. Upon completion, a comprehensive report should be provided on the results and include recommended remediation actions where needed.
Joseph Horowitz, Director of Compliance and Audit
Stetson Cybergroup
(631) 417-3726
jhorowitz@stetsoncg.com