Saturday, November 8, 2014

Vulnerability Assessments and Penetration Tests: The differences and why you need both

It’s 2014. There is so much data out there. How much of it are you responsible for? If you own data, or it rests under your control, you are at risk; it’s as simple as that. What are you actively doing to mitigate those risks or report on them? Two important additions to any security plan are Vulnerability Assessments and Penetration Tests. Both teach you a lot about the weak spots in your infrastructure, but they answer different questions, and both matter.
A Vulnerability Assessment (VA) shows you the places on your network that are susceptible to attack because of improper configuration, missing patches, or unsupported software. You should expect to end up with a list of findings ordered from most to least critical, and you should expect to validate it: scanners report false positives, and the same missing patch shows up once per host, so the raw list needs checking and de-duplicating before it becomes a remediation plan. That list helps you prioritize what needs to be fixed in your network and applications. Common findings include missing Windows or Adobe/Java patches, weak passwords, and insecure IIS, Apache, or SQL database configurations. The report may also include recommendations on network changes such as restructuring and segmentation.
Many organizations are required to have VA scans performed by an Approved Scanning Vendor (ASV) to be considered compliant. The ASV requirement itself comes from PCI DSS, which mandates quarterly external scans; HIPAA and SOX have their own security-assessment requirements, and depending on your business model you may fall under one or more of them. With a little work, running your own VA scans is something you should be doing as well. Scans you run yourself don't count toward compliance, but they are a good way to find and fix problems between the ASV's quarterly scans. Some of the most popular scanning packages are Nexpose, Nessus, and Qualys for network and host scanning, and Burp Suite for web applications. With a little research and approval from your organization (get written authorization before you scan anything), you can go a long way with preventative steps between formal VAs.
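As an added example (not code from the original post), here is one way to turn the raw output of one of the scanners named above, Nessus, into the prioritized list a VA is supposed to give you. It assumes the Nessus v2 `.nessus` XML export layout (`ReportHost` and `ReportItem` elements, with a 0-4 `severity` attribute and optional `cvss_base_score` and `solution` children); the sample export embedded below, including its plugin IDs and plugin names, is constructed for illustration and is not real scan data. The script drops informational items and collapses per-host findings into one remediation item per plugin, so a patch missing on fifty hosts becomes one line to fix rather than fifty.

```python
"""Turn a Nessus v2 (.nessus) export into a prioritized remediation list.

Added example, not code from the original post. SAMPLE_NESSUS is a
constructed export shaped like the Nessus v2 format; its plugin IDs
(9000xx) and plugin names are made up for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nessus 'severity' attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample: three hosts, one finding repeated on two of them,
# plus one informational item that should not appear in the work list.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="internal-sample">
<ReportHost name="10.0.0.10">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
  pluginID="900001" pluginName="Windows: missing critical security update (sample)">
  <cvss_base_score>9.3</cvss_base_score>
  <solution>Apply the vendor security update.</solution>
 </ReportItem>
 <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
  pluginID="900003" pluginName="SSL: self-signed certificate (sample)">
  <cvss_base_score>6.4</cvss_base_score>
  <solution>Install a certificate issued by a trusted CA.</solution>
 </ReportItem>
 <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
  pluginID="900009" pluginName="OS identification (sample)">
 </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.11">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
  pluginID="900001" pluginName="Windows: missing critical security update (sample)">
  <cvss_base_score>9.3</cvss_base_score>
  <solution>Apply the vendor security update.</solution>
 </ReportItem>
 <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
  pluginID="900002" pluginName="Apache HTTP Server: unsupported version (sample)">
  <cvss_base_score>7.5</cvss_base_score>
  <solution>Upgrade to a supported Apache release.</solution>
 </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.12">
 <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="3"
  pluginID="900004" pluginName="SQL Server: weak sa password (sample)">
  <cvss_base_score>7.2</cvss_base_score>
  <solution>Set a strong sa password and disable sa if unused.</solution>
 </ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml, min_severity=1):
    """Return one dict per ReportItem at or above min_severity.
    Informational items (severity 0) are dropped by default."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity < min_severity:
                continue
            findings.append({
                "host": host.get("name"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": severity,
                # Missing or empty score (common on low/info items) -> 0.0
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def prioritize(findings):
    """Collapse per-host findings into one remediation item per plugin and
    order them most-to-least critical: severity, then CVSS, then number of
    affected hosts, then name (a deterministic tie-break)."""
    by_plugin = {}
    for f in findings:
        item = by_plugin.setdefault(f["plugin_id"], {
            "plugin_id": f["plugin_id"], "name": f["name"],
            "severity": f["severity"], "cvss": f["cvss"],
            "solution": f["solution"], "hosts": set()})
        item["hosts"].add(f"{f['host']}:{f['port']}")
    items = list(by_plugin.values())
    items.sort(key=lambda i: (-i["severity"], -i["cvss"], -len(i["hosts"]), i["name"]))
    return items


def summarize_by_host(findings):
    """Count findings per host and severity label: the 'which box first' view."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return {host: dict(c) for host, c in counts.items()}


def format_report(items):
    """Render the prioritized list as plain text for a remediation ticket."""
    lines = []
    for rank, i in enumerate(items, 1):
        lines.append(f"{rank}. [{SEVERITY_NAMES[i['severity']]} / CVSS {i['cvss']}] {i['name']}")
        lines.append(f"   affects {len(i['hosts'])} host(s): {', '.join(sorted(i['hosts']))}")
        if i["solution"]:
            lines.append(f"   fix: {i['solution']}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_NESSUS)
    print(format_report(prioritize(found)))
    print(summarize_by_host(found))
```

Pointing `parse_findings` at a real export (`ET.parse(path).getroot()` in place of `fromstring`) gives the same two views: what to fix first, and which hosts carry the most risk. Treat the output as a starting point, not a verdict; confirm the high-severity items by hand before scheduling the fix.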
A Penetration Test (pentest) is a simulated attack on your network from the outside, the inside, or both. There is usually a goal in mind, such as reaching a company database, modifying or capturing files, or taking control of key infrastructure. The deliverable is a report of how your systems were breached, what the tester was able to access, and what can be done to remediate. Where a VA lists what might be exploitable, a pentest shows what actually is: a finding on a Vulnerability Assessment is a candidate foothold, and the tester tries to use it, and chain it with others, to reach the goal. A pentest can also leverage what is probably the weakest element in your organization, the human one. Phishing (fake emails), pretexting (fake calls), tailgating (following people into secure areas), and the like can be used to gain access to areas or systems that have no technical vulnerability at all.
Think of a Penetration Test as a fire drill and a Vulnerability Assessment as a building inspection: the inspection lists what could go wrong, the drill shows what happens when it does. Both give you a better look into the security of your network, and you need both. If you haven't yet, I highly suggest contacting an information security company and scheduling one.