When organizations look to assess the resiliency of their information systems, there tends to be some confusion around what exactly vulnerability scanning and penetration testing each provide. The truth is that both paint part of the larger picture necessary to spot the key gaps in existing controls. Schneider Downs recommends that organizations perform internal vulnerability scanning at least monthly and external penetration testing annually. When implementing these activities, organizations should understand the basics of each.
Continuous vulnerability management practices form one of the cornerstones of any cybersecurity strategy. Scanning tools provide valuable insight into the current health of network-attached devices, and can identify critical gaps in patch management and change control. Vulnerabilities can be prioritized, patches deployed, and device configurations updated. But there are some key areas that vulnerability scanners often miss.
Common issues with vulnerability scanners include:
Lack of visibility across all devices. Scanning across a subset of devices or using a non-authenticated mode for scanning can result in high-risk vulnerabilities going unnoticed.
No consideration for system criticality. Automated scanners assign a baseline risk rating to vulnerabilities, but overlooking the criticality of the underlying systems can lead to incorrect prioritization or even cause important fixes to be skipped entirely.
Unable to assess architectural controls. While scanning will capture known weaknesses in software and configuration at a device level, automated tools cannot account for the impact or lack of compensating controls, resulting in false positives, or worse…
While vulnerability scanning uses a set of predefined rules to identify gaps in software patching and system configuration, penetration testing relies on human analysis of systems and leverages many of the same tools that actual hackers use. Some examples of targets and attack techniques used in a high-quality penetration test:
Social Engineering – Phishing and “vishing” (voice phishing via phone). These are common real-world techniques that penetration testers will employ to gain unauthorized access.
Web Application – A skilled team will not only look for common misconfigurations, but also will test file upload interfaces, data entry forms, and authentication/session management components of a website to identify potential weaknesses.
Physical Security – Testers may use a combination of special tools to bypass traditional and electronic locks, or leverage social engineering to gain physical access to restricted areas.
Network Services – A detailed penetration test will demonstrate how an attacker can use unnecessary or unsecured network services to traverse an organization’s network.
Wireless Network – Wi-Fi networks must be assessed for proper logical access controls as well as the opportunity that their physical footprint may present to would-be attackers.
Comprehensive penetration testing requires a diverse set of skills, and while organizations with large security teams may be able to dedicate staff to an internal red team (attackers) – a group focused on performing penetration tests – smaller organizations will primarily allocate security staff to their blue team (defenders), which focuses on maintaining technical security controls. For these smaller organizations, red team exercises are commonly outsourced to an expert firm. A growing practice is for organizations of all sizes to combine red and blue team efforts in regular purple team exercises, which allow the defenders to see attack techniques used in real time and actively tune security controls for prevention, detection and response.
How can Schneider Downs help?
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. The team’s mix of skills and experiences in real-world cyberattack scenarios enables us to provide your organization with a comprehensive look at external vulnerabilities ranging from susceptibility to social engineering to critical weaknesses in external web applications. Our whitepaper outlining the advantages of external penetration testing is available at www.schneiderdowns.com/maximize-value-penetration-testing.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.