Simple Cybersecurity Hygiene
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Penetration testing and vulnerability assessments differ in purpose, objectives, and process. Both are essential ingredients of an overall cybersecurity strategy, yet many of our first-time customers don’t understand the differences or how the two can be used effectively together.
Simply put, vulnerability scans and vulnerability assessments search the entire IT infrastructure for vulnerabilities, while penetration tests attempt to actively exploit those vulnerabilities along with general weaknesses in the IT infrastructure. The vulnerability assessment process can be automated and should run continuously, while a comprehensive penetration test must be performed manually by a skilled hacker, at least quarterly. Each year since 2000, the number of reported vulnerabilities has been steadily rising. 2017 broke another record and logged more than 20,000 disclosed vulnerabilities.
These 20,000 vulnerabilities are not discovered twice a year, so running a pentest twice a year or less frequently is like playing Russian roulette with more than one bullet.
There are various software vendors who will cry foul here and complain that their technology can automate the penetration testing process, to which my response is … nonsense. Penetration tests can only be conducted by humans, and the more nefarious the human is, the better it is for you. Until someone builds a non-rules-based software product that can leverage artificial intelligence and machine learning to mimic the twisted mind of a clever hacker, the best you will get is an expensive rules- or query-driven testing tool that may flag known vulnerabilities in software present on your systems, which for my money is simply an extension of a vulnerability scan.
For vulnerability scans, there are a variety of open source tools available that IT teams can use to validate that new hardware and software are at current patch levels and have the appropriate certificates, protocols and services in place before deployment. When run on a regular frequency, they can also be used to alert when unauthorized changes, like newly opened ports or the addition of new services, are made to the environment. Reconciling those changes against change-control records determines whether each change was authorized or whether it was caused by a malware infection or a policy violation.
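The reconciliation step described above, as an added example that is not from the original article: two port/service inventories (a baseline and a current scan) are diffed, and every change is checked against a change-control record so that only unapproved drift is raised. The scan results, host addresses and tickets are constructed inline; a real run would parse nmap or ss output and query the ticketing system.

```python
from dataclasses import dataclass

# Constructed baseline from the last authorized scan: host -> {port: service}
BASELINE = {
    "10.0.0.5": {22: "ssh", 443: "https"},
    "10.0.0.9": {22: "ssh", 3306: "mysql"},
}
# Constructed current scan of the same hosts (a real run would parse nmap/ss output)
CURRENT = {
    "10.0.0.5": {22: "ssh", 443: "https", 8080: "http-proxy"},
    "10.0.0.9": {22: "ssh", 4444: "unknown"},
}
# Constructed change-control record: (host, port, action) tuples that were approved
CHANGE_CONTROL = {("10.0.0.5", 8080, "open")}

@dataclass(frozen=True)
class Drift:
    host: str
    port: int
    service: str
    action: str       # "open" (new listener) or "closed" (listener vanished)
    authorized: bool  # True if a matching change-control ticket exists

def find_drift(baseline, current, approved):
    """Every port that appeared or disappeared since the baseline, tagged
    with whether change control approved it."""
    drift = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        for port in sorted(set(before) | set(after)):
            if port in after and port not in before:
                action, service = "open", after[port]
            elif port in before and port not in after:
                action, service = "closed", before[port]
            else:
                continue  # present in both scans: no drift
            drift.append(Drift(host, port, service, action,
                               (host, port, action) in approved))
    return drift

def unauthorized(drift):
    """Changes with no ticket: investigate as possible malware, policy
    violation, or an admin who skipped change control."""
    return [d for d in drift if not d.authorized]

for d in unauthorized(find_drift(BASELINE, CURRENT, CHANGE_CONTROL)):
    print(f"UNAUTHORIZED {d.action}: {d.host}:{d.port} ({d.service})")
```

A service that disappears (here the database listener on 10.0.0.9) is reported just like a new one, since a stopped service is as much unexplained drift as an unexpected listener.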
But for organizations that have better things to do with their IT resources, there are several really good vulnerability assessment and management products and services available. They run continuously in your environment, alert on any discovery that requires attention, and generate the volume of reporting needed both to defend your environment through proper cybersecurity hygiene and to comply with every regulatory requirement in place today and those on their way in the near term.
The more advanced commercial solutions go beyond conventional version checking and provide capabilities like file integrity monitoring (FIM), which can fill an important role in critical security and compliance requirements. An effective FIM capability can detect a variety of changes resulting from compliance and change-control violations, malware attacks and configuration tampering. It can also act as your last line of detection for complex and evasive rootkits or mobile code tampering.
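The core of file integrity monitoring, as an added example that is not code from the original article or from any product it mentions: a SHA-256 snapshot of a file tree is taken after hardening, and a later snapshot is compared against it to classify every file as added, removed or modified. The file tree, its contents and the simulated tampering are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root)] = digest
    return digests

def compare(baseline, current):
    """Classify drift between two snapshots as added, removed or modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: snapshot a small config tree, tamper with it,
    re-scan, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = hash_tree(root)  # taken right after hardening
        # Simulated tampering: a setting weakened, a file dropped, a file deleted
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "unexpected.conf"), "w") as fh:
            fh.write("# not in the baseline\n")
        os.remove(os.path.join(etc, "hosts"))
        return compare(baseline, hash_tree(root))
```

A production baseline must live somewhere the monitored host cannot write to (and ideally be signed), because a change that also rewrites the baseline is invisible to this comparison.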
Some solutions use behavior-based testing instead of simple version rules to monitor the interaction of configuration settings, service availability, backported patches and other factors that can affect a secured host.
Whichever approach you consider, the key word is ‘continuous’. Using open-source tools is a great way to save money and maybe even satisfy some compliance requirements, but saving a few thousand a month and checking some boxes on the HIPAA forms will do you little good after you realize that your breach was caused by a vulnerability exploit in some code that was being reported to everyone who was running vulnerability management software … but not to you. Because you weren’t running a vulnerability management solution.
You instead ran your open source scanner 3 months ago, didn’t find anything remarkable, sent a report over to the compliance people and called it a quarter. In the meantime, that pesky Jakarta Multipart parser in Apache Struts was reported with a CVSS score of 10, a fact about which you were blissfully unaware. Now, you need a new job. Not good. Bite the bullet.
Penetration testing is quite different from vulnerability assessment, as it is a process that attempts to identify insecure business processes, lax security settings, or other vulnerabilities and weaknesses by acting exactly as a threat actor would in a breach scenario. Penetration tests are best conducted by an objective third party rather than a member of your internal staff, so that you can guarantee an unbiased view, avoid conflicts of interest and know that it is being performed by a professional hacker who is just as skilled as any real-life adversary.
And since 90% of data breaches have some sort of phishing or social engineering component involved (Verizon breach report), your pentest should include a social engineering campaign. Even with the best authentication processes, firewalls, VPNs, and network monitoring software installed, you are still wide open to a cyber-attack if an employee unwittingly gives away key information. Social engineering is the human side of penetration testing for network vulnerabilities. By means of phishing, vishing, and impersonation, a pen tester can mimic attacks that a malicious social engineer would use to attempt a system breach.
We probably all know what phishing is, but many of our prospects don’t get vishing. Vishing, which is sometimes known as voice phishing or phone elicitation, is a social engineering attack vector rapidly growing in popularity. Vishing attempts are difficult to monitor and trace, and employees in customer service, sales and HR departments are highly vulnerable because their jobs require them to adopt an information sharing posture.
Depending on the scope of work, penetration testers can also include fake employment attempts at your company to establish a pretext and elicit more useful information to assist in their attack.
Regardless of the extent to which you are able to invest in a social engineering campaign, without testing those weaknesses, you will never understand your vulnerabilities on the employee gullibility front and won’t know how to address them with awareness training and education.
Your friendly hacker should have a current depth of knowledge about attacker techniques and an expert understanding of network engineering along with a willingness and even a sense of glee in discovering and demonstrating exactly how vulnerable your IT environment happens to be.
The purpose of vulnerability assessment reporting is to identify and rank the vulnerabilities detected so that you may prioritize and begin to take remedial action. Because your assessment may produce a large set of vulnerabilities, and since the results and scores are based on objective measures, it’s important to determine your organization’s business and infrastructure context. After evaluating your staff’s capabilities and workload, you will be better able to determine which infrastructure vulnerabilities should be targeted first and most aggressively. Not every vulnerability will lead to a breach.
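Applying business context to objective scanner output, as an added example that is not from the original article: each finding's CVSS score is weighted by the asset's business criticality, internet exposure and whether a public exploit exists, and the ranked list is cut to what the team can actually remediate this cycle. The asset inventory, finding identifiers and weighting factors are constructed assumptions, not values from any scanner.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    finding_id: str      # placeholder ids, not real CVE numbers
    host: str
    cvss: float          # objective severity from the scanner, 0.0 to 10.0
    exploit_public: bool # a working exploit is publicly available

# Constructed asset inventory: business criticality (1 to 5) and exposure
ASSETS = {
    "payments-db":   {"criticality": 5, "internet_facing": False},
    "marketing-web": {"criticality": 2, "internet_facing": True},
    "dev-jumpbox":   {"criticality": 1, "internet_facing": False},
}

# Constructed scanner output
FINDINGS = [
    Finding("VULN-A", "dev-jumpbox", 9.8, True),
    Finding("VULN-B", "payments-db", 7.5, False),
    Finding("VULN-C", "marketing-web", 7.5, True),
    Finding("VULN-D", "marketing-web", 4.3, False),
]

def risk_score(finding, assets):
    """CVSS is the objective input; criticality, exposure and exploit
    availability are the business context that reorders it.
    The multipliers are illustrative assumptions, not a standard."""
    asset = assets[finding.host]
    score = finding.cvss * asset["criticality"]
    if asset["internet_facing"]:
        score *= 1.5
    if finding.exploit_public:
        score *= 1.5
    return round(score, 1)

def remediation_queue(findings, assets, capacity):
    """Rank every finding by contextual risk and return only the slice the
    team can work this cycle (capacity = findings per cycle)."""
    ranked = sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)
    return [f.finding_id for f in ranked[:capacity]]
```

Note that the highest raw CVSS (VULN-A, on a low-value jump box) does not make the cut when capacity is two; the medium-severity finding on the payments database does.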
The purpose of the penetration test report is to broadcast the really bad news, all of which will lead to a breach and require immediate attention. The report should describe the actual method of attack and each specific exploit discovered, focus on the information assets that could most easily be compromised and the specific actions that are required to remedy the vulnerability exploit opportunities.
In the cybersecurity world, everything is weird but only one thing is guaranteed: attackers will never stop trying to take advantage of vulnerabilities. As long as exploits exist, you will need a multi-tiered process in place to continuously find and remediate those vulnerabilities.
Continuous vulnerability assessments and regularly scheduled penetration tests are both important components of an effective cybersecurity defense strategy.
By analyzing assessment and testing results in the larger context of overall business threat and applying that knowledge to the development of a sound cybersecurity strategy, IT executives can help their organizations make the most of their security budget while continuously strengthening their overall security and compliance posture.
Director at Logical Line Marking, 6 years ago:
I’ve been following your posting for a while, Steve, and I always get valuable information on information and technology services.