Vulnerability Assessment and Penetration Testing Improve Security  

Posted on: 2/7/19 by John J. Unser, CISO

Marvin and Company’s Information Technology Director, John J. Unser, CISO, explains how a company can improve its risk management program through vulnerability assessments and penetration testing.


Internal control and risk management have become a top priority for most businesses. An essential component of any risk management program is the testing of security measures, including the performance of a vulnerability assessment and/or penetration test.

It is critical that company owners and IT managers understand the specifics and benefits of these tests; understanding the testing process and what to expect from it is key to managing organizational risk and internal control. To help explain these factors, we’ve provided answers to the most commonly asked questions we receive from clients.

What is a Vulnerability Assessment?

A vulnerability assessment is an evaluation of a network and/or web application’s security posture, intended to uncover issues that may be present and worthy of further investigation. This is a good method of identifying issues, but it does not go as far as validating that an issue actually exists or attempting to exploit it.

What is a Penetration Test?

A penetration test, or “pentest,” is a method of evaluating a network and/or web application by simulating an actual attack using the same methods a malicious hacker would use to gain unauthorized access. Typically, the information gained during the vulnerability assessment process is leveraged to identify the best attack vectors. The test confirms the potential vulnerabilities and actively exploits them, demonstrating the damage that could be done if a real-world attack against an organization’s systems took place.

The process involves an active analysis of the environment for vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, programming issues or operational weaknesses.

Why Perform a Penetration Test?

IT is an integral part of every business today. Performing a vulnerability assessment and/or penetration test helps ensure that networks and applications are sufficiently protected from potential threats. The ability to enumerate potential issues before a malicious actor does provides some assurance that company data, and especially client data, is reasonably protected from unauthorized access, while allowing organizations to meet client requirements for IT security testing. Basically, you can adhere to various compliance requirements, gain an additional level of comfort that your environment is reasonably protected, and give customers an additional level of comfort when using your company to process their data.

How is testing conducted?

Vulnerability assessments and/or penetration tests are typically performed using a combination of manual and automated techniques and technologies to systematically compromise servers, endpoints, web applications, wireless networks, network devices and mobile devices (depending on scope and goal of the engagement).

Testing can be performed using various levels of information provided by the client.

  • Black-box – Also known as functional testing, it’s a method of software testing that examines the functionality of an application without knowledge of its internal structure.
    • This typically replicates what a complete outsider would be able to access.
  • Grey-box – The client provides additional detail of the environment, but no credentials.
    • This assists the tester in limiting the scope while not providing any access to the systems themselves.
  • White-box – Also known as structural testing, it’s when the client provides full environment details and credentials to the systems being tested to allow for a comprehensive review.
    • This is used when the client wants to understand the full scope of risks present in their environment. There are many times in which the exterior of the environment is sufficiently protected but has additional issues once logged in that could be uncovered and used to gain unauthorized access.
    • A good example is a web application in which an unauthenticated user may not have access to any data, a standard company user may have access only to the data appropriate to them, but a manager role has a flaw in which the user is able to gain access to other client or company data that was intended to be restricted.
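As an added illustration of the manager-role flaw in the web application example above (example code, not from the original post): a flawed record handler that checks only the caller's role, beside a hardened one that also checks that the record falls within the manager's assigned team. The records, users and team assignments are constructed for the example.

```python
# Constructed sample data: client records tagged with the engagement team that owns them.
CLIENT_RECORDS = {
    101: {"owner": "alice", "team": "tax", "data": "Alice's tax return"},
    102: {"owner": "bob", "team": "tax", "data": "Bob's tax return"},
    201: {"owner": "carol", "team": "audit", "data": "Carol's audit workpapers"},
}

# Constructed users: two standard users and one manager, each assigned to one team.
USERS = {
    "alice": {"role": "user", "team": "tax"},
    "bob": {"role": "user", "team": "tax"},
    "mia": {"role": "manager", "team": "tax"},
}


def _authenticate(user):
    """Unauthenticated callers get no data at all (the first tier in the example)."""
    if user is None or user not in USERS:
        raise PermissionError("authentication required")
    return USERS[user]


def get_record_vulnerable(user, record_id):
    """Flawed handler: the manager role is checked, but not which clients that
    manager is actually responsible for, so any manager can read any client's data."""
    acct = _authenticate(user)
    record = CLIENT_RECORDS[record_id]
    if acct["role"] == "manager":          # role check only (vertical access control)
        return record["data"]              # FLAW: no check that the record is in scope
    if record["owner"] == user:            # standard users see only their own data
        return record["data"]
    raise PermissionError("not your record")


def get_record_hardened(user, record_id):
    """Fixed handler: authorization is decided per object, so a manager sees only
    records belonging to the team they are assigned to."""
    acct = _authenticate(user)
    record = CLIENT_RECORDS[record_id]
    if record["owner"] == user:
        return record["data"]
    if acct["role"] == "manager" and record["team"] == acct["team"]:
        return record["data"]
    raise PermissionError("record outside your scope")


def allowed(handler, user, record_id):
    """True if the handler would release the record; used to compare the two handlers."""
    try:
        handler(user, record_id)
        return True
    except PermissionError:
        return False
```

A white-box test with a manager credential is what surfaces the difference: both handlers look correct from the outside and to a standard user, and only the cross-team request from the manager account separates them.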

Enumerated vulnerabilities are exploited and used to launch additional attacks within the environment in an effort to access restricted data or system functionality through higher levels of privilege.

Can any harm be done to our systems during the penetration test?

In short, yes. However, these risks can be mitigated with proper planning and scheduling. Working with your provider to conduct testing during off-hours, using a test or backup environment and ensuring that monitoring devices or software are working properly are all methods to help reduce risk and recover from a potential issue. Additionally, coordinating with client contacts and detailing testing hours can decrease the response time to any issues.

It is never possible to completely rule out a production system crash, but with proper planning, the risk is greatly reduced. Think about it: is a malicious hacker going to tell you when they are going to hack you? Probably not. So, don’t get too hung up on this, because if the tester is able to crash your system, someone else is too—they just haven’t tried yet.

What should I look for in a provider?

You should hire a team of people with the right experience, skills and tools to do the tests right. Look for an independent, third-party IT auditing expert that will work in partnership with your team. You will also want to find a provider with penetration testing experience or certifications, and ask which tools and methodologies they use.

Who should be involved in the tests?

Be meticulous when selecting members of the organization to be involved with the test. Sufficient support should be provided to ensure safety and to make sure the testing and the environment are properly scoped to meet the required objectives. Excessive involvement from multiple people and departments may cause confusion, create delays or jeopardize the results of testing detection capabilities.

How often should you conduct a Vulnerability Assessment or Penetration Test?

Vulnerability assessments are typically performed upon a significant change to the environment or at least quarterly to help ensure issues haven’t gone unnoticed throughout various upgrades, patches, and other changes that occur regularly within a company.

Penetration tests are typically required to be performed annually based upon requirements set by various regulatory bodies and compliance frameworks. They can reveal how emerging threats and vulnerabilities could be exploited by attackers. In addition to regularly scheduled analysis and assessments, tests should also be run whenever:

  • New network infrastructure or applications are added
  • Significant upgrades or modifications are applied to infrastructure or applications
  • New office locations are established
  • Security patches are applied
  • User policies are modified

Should testing take place against test or production systems?

Testing on production systems can limit the techniques employed during the test, which may produce inaccurate results regarding system security. If possible, penetration testing should be conducted against test or development systems so that potentially intrusive techniques can be used without jeopardizing the safety of the production environment. The one thing to be cautious of is ensuring that your test environment is an exact replica of production; otherwise, you could end up with invalid results and a false sense of security.

What is the final product?

A detailed report should be provided outlining the scope of the environment, the methodology used and a detailed explanation of the vulnerabilities detected along with any evidence collected or gained. A baseline profile of targets is included, as well as recommendations for improvement.

If you would like more information on risk management testing, please contact John Unser, CISO, IT Director at 518-785-0134 or  
