Vulnerability Assessment, Penetration Testing and Red Teams Explained


Confused about vulnerability testing and penetration tests and Red teams? I’m not surprised one bit.

These days, a growing number of information security experts use these terms interchangeably, as though they refer to the same thing. Whether it is due to apathy or a clear lack of understanding of the differences between these activities, security service providers are only confusing the matter by not informing their customers of what they get with each of these services. More importantly, they should be telling their customers what they do not get.

At the time of writing, two big privacy stories are dominating the technology headlines. Facebook continues to be tossed about like a seal in the jaws of an outraged public as part of a serious privacy debacle, while the brand new E.U. GDPR regulation is preparing to take its first steps into better protecting individual privacy.

These two issues alone are pushing a glut of companies to review their security policies and procedures. Ultimately, understanding the issues, the requirements and the definitions of the terms is key. The “Oops, I had no idea THAT’s what it meant…” argument just won’t fly if a horrible data loss incident befalls your organization.

So, for any of you out there who want to understand the differences and pros and cons to each of these activities, read on. Our hope is that this clarification piece will help you weed out the security practitioners who know their stuff from those whose main aim is just to close the deal.

Vulnerability Assessments:

Vulnerability assessments can be a very useful tool in the information security arsenal. Like traditional anti-virus, a vulnerability assessment is, in effect, an automated scanning service deployed across an environment. Its job is to scan for known vulnerabilities across many services and log them, so that an IT team can effectively and efficiently review the findings in the logs in order to plug any known holes.

Vulnerability assessments can also highlight configuration settings that may be cause for concern. Automated data will be fired at the target system across a number of ports, protocols, and services. The system collates the findings, automatically highlighting potential areas of concern.

Running up-to-date vulnerability scans on a regular basis, be it monthly or quarterly, is recommended. Once the preparation work of selecting the correct test for your environments is complete, the actual running of these programs is not time- or resource-intensive, and the findings, if properly addressed, can reduce your overall digital risk posture.

Penetration Tests:

To perform a Penetration Test correctly, you must have well-above-average cyber skills. Real Penetration Tests are not automated, push-a-button-and-sit-back-for-the-results exercises. Under the strictest of definitions, an organization will hire a penetration testing team to test specific attack vectors in order to understand how a system or procedure may be vulnerable to a modern attack.

Penetration testing is typically performed against a predefined number of targets provided by customers and is designed to test known exploits against known vulnerabilities. For instance, an Application Penetration Test against a predefined application could focus on specific weaknesses within a custom-designed web application. In this example, the target is a single web interface and the vector of attack is a web browser connecting over a network.

A penetration test tries to exploit active weaknesses in a specific digital environment in the same manner any bad actor would. The point: test the vulnerability of the system under real life modern attack conditions and review the findings to establish whether current operating risk levels are acceptable (or not).

A typical exercise might be: What customer and prospect PII could an outside attack agent walk away with if they were targeting our cloud services?

In this instance, the penetration tester would create an attack strategy, decide on methodology, timing and tools. There may be elements of social engineering that are included to test how easily staff unwittingly part with sensitive information. Each proper penetration test is honed to a specific task.

This real-world testing of your systems continuously pokes and prods your network or application using a wide range of attack vectors, all without disrupting availability or business continuity.

Proper penetration testing services, where highly trained infosecurity hackers design cutting-edge attack methodologies specific to an organization’s requirements, are more time- and effort-intensive, but the results can give you excellent insight into your defenses from the attacker’s point of view.

So, anyone offering bargain-basement out-of-the-box penetration tests may actually be offering you an automated scan of your network/application or just the elements of a vulnerability test. You should always ask the service provider what percentage of testing will be conducted manually and what percent is automated.

Red Team Services

With the rise in data breaches, ransomware, phishing attacks and security incidents, many companies today prefer to have more in-depth testing of their organization’s overall security posture. For those organizations, Red Team Services would be the answer.

Red Teaming is an advanced offensive security service that mimics real-world attackers – from opportunists to nation-state actors. Red Team engagements focus not only on the obvious vector/target (web client/web application/network), but will also consider other direct and indirect attack methods such as using social engineering to gain access to valid user credentials, attacking adjacent systems (not just the web server), physical attacks against the office space, deployment of malware or conducting wireless networking attacks against a trusted office network.

A typical Red Team service is designed to test your posture over the period of a year, effectively mimicking attacker behavior. After all, bad actors aren’t limited to a two-week, one-time engagement, so why should you constrain your testing to that timeframe? This continuous testing of your organization’s security posture provides the greatest assurance, giving early warning signs whenever anything suspicious or unusual is found.

Red Team engagements, done properly, are a sure-fire way to reduce your information risk level. When talking to an information security services provider, ask them whether they test all your attack vectors to ensure the organization as a whole is being tested, or whether they’re simply performing a penetration test masquerading as a Red Team.

TBG Security is here to help

Whether you prefer a combination of vulnerability scanning and periodical penetration deep-dives, or a full offensive security service like Red Team, optimizing your solution to best fit specific needs is what we do best.

If you need more information on how you can best protect your network, please get in touch. We’re here to help.
