So you’re worried about your organization’s current security posture. You see the news stories about the latest data breach, or the newest ransomware attack, and you wonder if you’re doing enough to keep your data safe. With cyber attacks on the rise, every organization, no matter how large or small, needs to understand the fundamentals of information security, and take the steps necessary to improve their defenses. Part of this is testing your security controls. But what type of tests do you need and when?
Today, I’d like to talk about three different types of security assessments: “security audits”, “vulnerability assessments”, and “penetration tests”. Although these terms are often used interchangeably, they are, in fact, very different types of tests. One is not a replacement for the others, and you should consider implementing a testing strategy that includes all three.
A security audit is an evaluation of an organization’s security controls against an established set of standards. There is generally a focus on policies and procedures, and ensuring that these are implemented properly. This can include things like ensuring that user access is based on the principle of least privilege, network firewalls are in place and correctly configured, and that operating systems and software applications are updated to the latest patch versions.
The purpose of a security audit can vary from organization to organization. Businesses in certain industries may be required to conduct regular audits in order to maintain compliance with regulations such as HIPAA or PCI. Some businesses may conduct audits to gain widely recognized industry certifications, like the ISO/IEC 27001. These types of certifications help to reassure customers and partners that industry best practices are being followed. Still other businesses may simply be performing an audit to evaluate their current security posture and identify areas where improvements can be made.
If your organization is just getting started with your information security program, an audit is a great place to start. Identifying your assets and the risks that you face, and ensuring that you have appropriate policies and procedures in place, are important first steps in improving your security posture. In this case an internal audit would be appropriate. Internal audits are conducted by your own security team, and are much less expensive than hiring an outside consultant to conduct the audit for you. This means they can be conducted more frequently. If you’re seeking certification, or if it’s required for your industry, you’ll need to bring in a third-party to conduct your audit. While more expensive than an internal audit, an experienced security professional with a fresh set of eyes may find items that were overlooked by your internal team. Regardless of which type of audit you use, they should be conducted on a regular basis. Ideally, you’ll set up a schedule that includes a combination of both internal and third-party audits.
While security audits are valuable for ensuring that a base set of standards are being met, they shouldn’t be considered a “complete” evaluation of an organization’s security. An audit doesn’t generally evaluate the effectiveness of the security controls on the system’s components. Even when components are configured correctly, there is still the possibility that an attacker can find a vulnerability and gain access. This is where the other types of assessments can help to fill in the gaps.
A vulnerability assessment is an assessment of your system’s devices, operating systems and software applications to identify vulnerabilities. This could include out-of-date software, devices with firmware that contains known vulnerabilities, etc. Vulnerability assessments are often conducted using automated scanning tools. Once completed, the vulnerability assessment report will include recommendations for updating devices or patching software.
New vulnerabilities in software are being found continuously, and it’s important to ensure that your systems are kept up-to-date. The low cost and ease of automation allow vulnerability assessments to be conducted on a regular basis. They can even be included as part of your deployment pipelines. If your organization has the resources, it may be beneficial to task members of your security team as security researchers. Security researchers seek out new vulnerabilities that may be missed by automated tools.
While this type of assessment is great for identifying necessary updates, it stops short of actually attempting to exploit the vulnerabilities that are found. For this you’ll need to conduct penetration testing.
A penetration test simulates a real-world attack. Testers will attempt to identify and exploit any vulnerabilities within your system. This type of test may use combinations of known vulnerabilities, misconfigurations, and weak detection or prevention mechanisms to identify risks that were missed by both security audits and vulnerability assessments. This type of test also allows you to evaluate your monitoring and intrusion detection capabilities.
The scope of a penetration test can vary widely, depending on what parts of your system you intend to evaluate. During the planning phase, you’ll need to identify which assets are in-scope, the duration of the test, how any data obtained during the test will be handled, and how much information the testers will be given prior to the engagement. When determining these items, you’ll have to consider both the cost (the broader the scope, the longer the test, and the higher the cost) and the impact on your business (testing production resources may have a negative impact).
There are several different types of penetration tests, based on the information the testers are given prior to the test. In a black-box test, the testers are not provided with any information about the system. They will need to conduct recon to identify potential targets. This type of test is the closest thing to a real-world attack, and it’s a good way to test your intrusion detection systems. A gray-box test starts with the testers being given limited information. This may include IP addresses of target machines, operating systems and installed applications, and possibly even user credentials. The main benefit of a gray-box test is that it speeds up the testing process. Testers are able to start attacking the target immediately, without the need to conduct recon first. Providing user credentials allows the testers to evaluate the system from the inside, which could help them to find privilege escalation vulnerabilities, or additional connected targets. Finally, in a white-box test, the testers are given full access to the target. For application tests, this may mean the testers can view the source code to help them identify potential vulnerabilities. For network tests, the testers may be given a network diagram to help them understand how the various components are connected. The main benefit here is that the testers have a more complete view of the system going into the engagement, and can conduct a more thorough test.
Whichever type of penetration test you use, the findings can help identify areas where additional resources should be focused. One important thing to note is that a penetration test shouldn’t be conducted until both the security audit and vulnerability assessments have been completed, and any improvements implemented. If you don’t believe that you’ve already done everything you can to secure your system, then a penetration test will just be a waste of money.
Hopefully this has given you a better understanding of these three types of security assessments, and the purposes of each. Remember, these tests are not interchangeable. Each has its purpose, and they should all be used in conjunction with one another. Ideally, you will conduct all three on a regular basis. Doing so will help to set your organization up for success and prevent you from becoming the next data breach headline.