Week 34: Vulnerability Assessment and Penetration Testing

This week’s article is about two types of security testing that should be part of your cybersecurity strategy – Vulnerability Assessment and Penetration Testing. While people often confuse the two, together they give you a more robust analysis.

Before we delve into the key differences, it’s important that you understand what a vulnerability is. NIST defines it as, “Weakness in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat”. Examples include misconfigurations or poor input sanitization practices, which can lead to SQL injection or buffer overflow attacks.

So, what is a vulnerability assessment?

It’s a systematic review to map, scan, and identify vulnerabilities within a certain environment. It’s used to determine the likelihood that known vulnerabilities in the environment could be exploited. In short, it aids in determining the security posture.

Vulnerability scanners, which are automated tools, are used to scan for vulnerabilities in networks (i.e., internal and external), servers, applications, hosts, etc. Such tools rely on their vendors regularly updating plugins and datasets so that the latest vulnerabilities can be discovered. In addition, these tools should be deployed to scan the environment periodically (e.g., daily, weekly, or monthly), depending on the risk appetite, by a qualified and independent individual.

(Note: You can review our article An Introduction to Risk Management here to understand how to deal with such situations).


Figure 1: The usual phases of a Vulnerability Assessment exercise (Source:

(Note: To learn about how to score vulnerabilities, please consult this link).

To learn about building a vulnerability management program (including the difference between SME and enterprise programs, how to factor in cloud environments, and common challenges), please watch the video below.

(Note: You can find a template for a vulnerability assessment report here).

Now let’s look at Penetration Testing.

This is a more intrusive approach that combines techniques (both automated and manual) to identify and exploit vulnerabilities (both known and unknown) within a certain environment. It tends to have a narrower scope and is usually performed on an ad hoc or annual basis.

A penetration tester (or pentester), in layman’s terms, is like a quarterback, who is responsible for finding a target and determining what to do next (run or pass the ball). They have to play on the offensive side. They determine when to call the vulnerability management/defense team, which may comprise system administrators, network administrators, and/or cybersecurity analysts and engineers.

Penetration testing is not limited to web applications. It can be applied to cloud, mobile, IoT, and even to physical security and social engineering.


Figure 2: Phases of a Penetration Test (Source:

A penetration test is conducted in 7 phases:

  • Pre-Engagement: Here the scope, the objectives, and the legal and contractual implications (for example, potential liabilities) are defined.
  • Reconnaissance: Here the pentester gathers information about the target. This can be done by engaging directly with the system (a.k.a. active reconnaissance) or by using passive strategies, like eavesdropping on network traffic.
  • Discovery: Here the application or operating system is scanned for known vulnerabilities using automated means, or manually for new or hidden items.
  • Vulnerability Analysis: Here vulnerabilities are analyzed and prioritized (refer to the Note above on scoring) using a qualitative approach or, preferably, a quantitative one.
  • Exploitation: Here the pentester simulates an attack to establish access to a system. The pentester finds an entry point and, subsequently, examines which assets can be accessed. Here questions like, “How long before the breach gets spotted?” or “What harm can be inflicted?” can be asked.
  • Report: Here the penetration tester shares the following information: a description of the vulnerabilities, the prioritization score, the impact, and recommendations for fixing the vulnerabilities.
  • Remediation: This isn’t a phase per se; rather, it is a step-by-step approach to closing the weaknesses found.
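The Vulnerability Analysis phase above (and the vulnerability assessment described earlier) comes down to ranking what the scanner found. The following is an added example, not code from the article or its authors: it compares the qualitative CVSS band most scanner reports use with a simple quantitative likelihood × impact score. The hosts, CVE placeholders, asset criticality ratings and the +0.2 modifiers are all constructed assumptions for illustration.

```python
# Added example (not code from the article): prioritising findings from a
# vulnerability assessment, as in the Vulnerability Analysis phase above.
# All findings, asset ratings and weights are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str              # placeholder identifiers, not real advisories
    cvss: float           # CVSS base score, 0.0 .. 10.0
    exposed: bool         # reachable from the internet?
    exploit_public: bool  # working exploit code publicly available?
    criticality: int      # business value of the asset, 1 (low) .. 5 (crown jewel)

# Constructed scanner output for four hosts.
FINDINGS = [
    Finding("web01", "CVE-XXXX-0001", 9.8, True, True, 2),
    Finding("db01", "CVE-XXXX-0002", 7.5, False, False, 5),
    Finding("kiosk03", "CVE-XXXX-0003", 9.1, False, False, 1),
    Finding("vpn01", "CVE-XXXX-0004", 6.5, True, True, 4),
]

def qualitative_band(f: Finding) -> str:
    """Qualitative rating: bucket the raw CVSS score, as most scanner reports do."""
    if f.cvss >= 9.0:
        return "Critical"
    if f.cvss >= 7.0:
        return "High"
    if f.cvss >= 4.0:
        return "Medium"
    return "Low"

def quantitative_score(f: Finding) -> float:
    """Quantitative rating: likelihood x impact, scaled to 0..100. Likelihood is the
    CVSS score plus an assumed +0.2 for exposure and +0.2 for a public exploit (capped
    at 1.0); impact is the asset criticality normalised to 0..1."""
    likelihood = f.cvss / 10.0
    if f.exposed:
        likelihood += 0.2
    if f.exploit_public:
        likelihood += 0.2
    likelihood = min(1.0, likelihood)
    impact = f.criticality / 5.0
    return round(100 * likelihood * impact, 1)

def prioritised_hosts(findings=FINDINGS) -> list:
    """Hosts in remediation order: highest quantitative score first."""
    return [f.host for f in sorted(findings, key=quantitative_score, reverse=True)]
```

Note that the two methods disagree: by CVSS band alone the kiosk is "Critical" and the VPN gateway only "Medium", while the quantitative score puts the exposed, exploitable VPN gateway first and the isolated kiosk last.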

Some of the penetration testing methodologies include OWASP, OSSTMM, and NIST.

(Note: You can find a template for a pentest report here).

The main benefits of such tests include incident prevention, enhanced resilience, and optimization of detection and response capabilities. Having said that, it's good practice to have an organizational policy for them. This should cover aspects like scope, frequency, and reporting.

(Note: People often confuse a Penetration Tester with an Ethical Hacker. The first is usually limited to the scope defined by the organization. They usually carry out engagements that are one-time or limited in duration. They require extensive knowledge of the domains they will target. They need to be good at writing reports, and they are not responsible for the client’s specific configurations and incident handling. An Ethical Hacker, on the other hand, uses different approaches against an entire system using different attack vectors and is not bound to a scope. The testing is continuous and more in-depth. They need to be proficient at hacking tactics, techniques, and procedures (TTPs) to replicate the modus operandi of a malicious threat actor. And finally, they do work closely with blue teams and incident-handling teams to contain an attack).

Next week we’ll look at encrypted communications.

This article is part of a project called Security Chronicles, written jointly with Walter Buyu.
