Vulnerability Assessments and Penetration Testing

Most businesses have a desire to keep their operations, employees, and customer information out of harm’s way. No one wants to pay a ransom, have their company name splashed across the news for divulging confidential information, or be liable for a large fine from a regulator. The problem is most business owners don’t know how or where to get started – from what they really need, to who to turn to for help, all the way to dealing with the findings that come up.

One size does not fit all when it comes to vulnerability assessments and penetration testing, so once the decision is made to start looking for a vendor, leadership needs to clearly define the needs, expectations and desires anticipated from the engagement.

Though before any discussion can be had, there must be a clear understanding among the stakeholders about the mission. The National Institute of Standards and Technology provides us reasonable definitions to work from:

• Vulnerability assessment – A systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
• Penetration test – Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers.

Essentially – vulnerability assessments help spot weaknesses while penetration tests attempt to exploit them.

What do we really need?

We find the best way to determine what the business needs is to start with an internal outreach process (coworkers and leadership) to ensure requirements are ironed out and agreed upon. This will increase buy-in and the likelihood of a successful project.

Below are some great door-openers to starting the discussion:

What are the primary areas of risk faced by the organization?

• Remote workforce
• Reliance on third party vendors for functions not traditionally seen as IT risks
  • Marketing firms
  • Printer or hardware maintenance
  • Third party administrators
  • Managed service providers or local IT personnel
• Data privacy management

What drove the decision to budget and approve the project?

• General health check
• Compliance requirements
  • SOC 1 or SOC 2
  • ISO 27001
  • HITRUST
  • PCI-DSS
  • GDPR/CCPA and other Data Privacy standards
• Customer expectations
  • RFPs/Vendor Assessments
• Digital transformation or security roadmap initiative
• Intrusion, hack, ransomware event

What do we need to look at?

• Corporate network or Microsoft 365 tenant?
• A specific environment where covered information might reside?
• A custom web application developed for one customer?
• A SaaS application living in the cloud?

The purpose of this exercise is to begin the process of socializing these thoughts with leadership in order to ensure that you as the client, your internal stakeholders, and the firm you engage to perform the work are aligned on the risks, requirements, and deliverable goals… which is near impossible to do without a plan and proper communication.

The outcome could include examples such as:

• We are a 5-10 person business on Microsoft 365 with one website and just want to stay on top of things. We also would like to know if any employee credentials were exposed in recent data breaches.
• We are attempting to achieve SOC 2 for our product, which is a multitenant SaaS web application with 2 user roles, and need an authenticated vulnerability assessment and penetration test of the platform. Our audit period ends in 3 months, which means we would want to begin testing immediately.
• We are a small / medium business with a mix of computers, servers, software, and cloud hosting (AWS, Azure, GCP), and need to know where our risks are, how to reduce IT complexity (managing and security), and the policies and procedures to support them.
• We have in-house developed or owned systems / networks where personal information is transmitted and / or stored (not necessarily health or credit card), do not have any immediate client or compliance requirements, but could be liable for any losses should there be an issue.
• We are a local business that has traditionally outsourced IT to a local provider or the employee who knows computers.
• We are a startup looking for funding and adoption by larger customers, want to be security-focused and mindful, but have limited funding or budget in the near term.

The interesting thing is that in all of these situations, there are a 100 different directions someone could go – from a quick vulnerability assessment to see “what’s there” all the way through a multi-pronged, extensive assessment called a red team exercise. Ultimately, knowing what you want and need goes a long way to containing cost and effort. The most common trap when going through this process for the first time is thinking you’ve contracted a penetration test and instead receive a best practices or vulnerability assessment.

We find clients typically fall into one of three buckets:

1. Security best practices assessment

• Checking the windows and doors of the IT infrastructure / endpoint devices and the practices for managing them. Making sure common oversights are highlighted. Well suited for a small business concerned with not becoming an easy target.
• High level best practices report.
• Little to no operational impact to systems.

2. Vulnerability assessment

• Find the vulnerabilities and services running inside and outside the organization to identify critical patching needs, out-of-date / end-of-life systems, and other best practice security configuration changes to fine tune the environment.
• Listing of vulnerabilities with technical remediation guidance, along with an overview of improvement recommendations.
• Low to moderate impact to systems.

3. Penetration test

• Taking it a step further from the first two above and attacking a specific target (or set of targets) in an effort to confirm vulnerabilities and paths to compromise. This is what most clients as well as auditors want to see when it comes to meeting compliance requirements. It also brings the highest risk of potentially impacting systems in a negative way (service, functionality, data, etc.), requiring significantly more planning and coordination to execute successfully.
• Report that can be provided to external and internal stakeholders, containing an executive summary of findings. Detailed vulnerability data and remediation guidance is also provided.
• Moderate to high impact to systems.

At the completion of any security assessment, the goal is to walk away comfortable that the areas of risk expected to be assessed were covered and expected deliverables provided, with a clear plan on next steps for securing and maturing the environment.

The team here at Marcum Technology is well versed in sorting through these issues with our clients, providing targeted solutions to meet their needs. We are happy to schedule a consultation or scoping discussion anytime.