As more business is conducted online, the digital world of e-commerce has become a hacker’s paradise.
Protecting a business’s assets has become a difficult challenge: keeping up with cybercriminals, checking off a growing list of compliance boxes, and keeping close tabs on the security practices of every user and device on their network.
With increasing threats and a constantly changing IT landscape, Chief Information Security Officers (CISOs) and security professionals can barely keep up with the pace of identifying vulnerabilities and threats and, more importantly, fixing them.
Addressing the sheer volume and evolution of cyber-attacks is daunting for even the most security-conscious IT teams.
It requires an in-depth understanding of organizational risks and vulnerabilities, as well as current threats and the most effective policies and technologies for addressing them.
Only by understanding their risks can organizations target their security dollars to the technologies and strategies that matter most.
And an often overlooked, but very important process in the security of any business is testing it for vulnerabilities.
This year's high-profile cyber-attacks, like Petya and WannaCry, could have been prevented with proper vulnerability management strategies, such as vulnerability assessments and penetration testing.
Vulnerability and penetration testing are not mutually exclusive, but rather complement each other.
The tests are different, and each has its merits. Together, they provide a comprehensive cyber-attack prevention plan for your business.
What is a vulnerability assessment?
A vulnerability is an unintended flaw in a device, software program, or operating system that can be exploited by cybercriminals. These glitches are often the result of improper computer or security configurations and programming errors. If left unaddressed, vulnerabilities become low-hanging fruit for cybercriminals.
Fortunately, a vulnerability assessment, also known as a vulnerability scan, is a powerful tool to get a grip on your business’ strengths, weaknesses, and needs from a cybersecurity perspective.
A vulnerability assessment is an audit of your network and system security, the results of which indicate the confidentiality, integrity, and availability of your network. Performed using a software package to scan an IP address (or range of IP addresses), a vulnerability scan digs through your entire network.
The scan is designed to assess devices, computer systems, applications, third-party software, and plug-ins — the entirety of your network — looking for potential holes, like open ports, outdated software, or default passwords. The software then produces a report that lists found vulnerabilities and will give an indication of the severity and basic steps to remedy each one.
Discovered vulnerability lists can range anywhere from a single page to a novel. However, it's very common to find that a single remediation task will resolve multiple vulnerabilities within the list.
It’s important to note that vulnerability assessments search for vulnerabilities that are already known to the security community, hackers, and software vendors. Because technology is constantly evolving by the second, there are vulnerabilities that are unknown and these scanners will not find them.
But don’t let this discourage you: vulnerability scanners, like Nessus, are still very robust platforms and are constantly updated to reduce vulnerability blind spots.
For example, each check in the Nessus vulnerability scanner is coded as a plugin: a simple program which checks for a given flaw. Nessus uses more than 80,000 different plugins, covering local and remote flaws. As new vulnerabilities are discovered and published every day, several dozen plugins are added to make sure Nessus is scanning for the most current list of known vulnerabilities.
To explain how a vulnerability assessment works, we’ll use a simple analogy. Imagine giving a friend you trust the keys to your house (credentials) and asking them to inspect and walk through each room (both inside and out) to determine how someone might gain access to what’s inside (network).
During the walk-through, this person might check windows, test locks, and look for gaps in the fence outside. By thoroughly scanning your house, they’d try to discover every possible way someone could break in and steal your belongings. Spare key under the doormat? Broken or rusted lock on the back gate? These would all be listed vulnerabilities they’d report back to you.
What is a penetration test?
Vulnerability assessments are often confused with penetration tests and the two terms are often used interchangeably.
The two assessments are actually two very different proactive measures that defend against cybersecurity threats.
As you conduct regular vulnerability scans, hackers are also scanning your network, trying to find an opportunity to break it. This is where penetration testing comes in. Penetration testing takes a vulnerability scan to the next level to understand just how a cyber-criminal could accomplish a hack.
In keeping with the house analogy, hiring a penetration tester is similar to hiring a burglar. You want this person to break into your house however they can, using all their creativity, tools, tricks, and know-how. While this may sound counterproductive, by hiring an expert to think like your enemy, you identify areas that need enhanced security. This will help you to protect your infrastructure from a loss in the future — similar to fixing a lock or replacing a loose board in the fence.
Beware of “professional penetration testers” that will actually just run a vulnerability scan, wrap the report up in a nice, pretty bow, and call it a day. This is only the first step in a penetration test. Testing vulnerabilities is a two-step process because a scan just reveals the possibility of problems; a penetration test verifies that the problem is actually exploitable.
For example, many websites are still vulnerable to Heartbleed. A vulnerability assessment will run a scan and report “you are vulnerable to Heartbleed.” A penetration tester will manipulate the bug and discover the depth of the problem to find out exactly what type of information could be revealed if it was exploited. This is the main difference between a vulnerability assessment and penetration test – the output of a network scan or a vulnerability assessment is being probed further in a pen test, just like a hacker would do.
Similar to a vulnerability scan, the results of a penetration test are usually ranked by severity and exploitability with remediation steps provided. However, deriving meaningful and actionable information about business risk from vulnerability data is a complex and difficult task. This is where managed IT service companies come in. When you partner with companies that are well-versed in all aspects of security and threat assessment, their teams analyze your results to determine which infrastructure vulnerabilities should be targeted first and most aggressively.
Businesses may shy away from penetration testing because they simply don’t have the skills, resources, time, or budget to undertake such tasks. And many small-to-medium sized businesses (SMBs) don’t believe they will be targeted by hackers when there are so many other more profitable targets for hackers to go after. But cybercriminals are increasingly going after enterprises with poorly defended networks that lack the means to protect themselves.
With fewer resources to invest in security, SMBs are extremely attractive to attackers. According to Symantec, attacks on small businesses rose 300 percent in 2012. Conducting vulnerability and pen tests on a regular basis could prevent a serious breach and give you a leg up against network threats, whether you have one or 100,000 employees.
How often should you be doing these tests?
Vulnerability testing should be done on an ongoing basis – monthly or quarterly (at the very minimum, every 90 days), whereas penetration testing can be done as a yearly checkup or after a major change to your network environment. Performing only a single vulnerability scan each year puts companies at risk of not uncovering new vulnerabilities for an extended time period. This period of limbo is all an attacker needs to compromise a network.
In the cybersecurity world, we preach “the more often the better”: any one scan is only indicative of security strength for that moment in time. Each time, automated scans identify the risk impact of each vulnerability by giving it a severity score (Critical, High, Medium, and Low) so that critical vulnerabilities can be mitigated first. Instead of letting a cybercriminal find the vulnerabilities first, organizations should regularly run a vulnerability scan to find and remedy these risks before the bad guys have a chance.
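Two points made above, that a single remediation task often resolves several findings and that the severity score decides what gets fixed first, can be combined into a short triage script. This is an added example, not output or code from Nessus or any other scanner; the finding records, field names and addresses are constructed for illustration.

```python
from collections import defaultdict

# Severity levels named in the article, mapped to a sortable rank.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample findings (hypothetical hosts and titles, not real scan data).
FINDINGS = [
    {"host": "192.0.2.10", "title": "Operating system missing security updates",
     "severity": "Critical", "fix": "Apply pending OS updates"},
    {"host": "192.0.2.10", "title": "Outdated file-sharing service",
     "severity": "High", "fix": "Apply pending OS updates"},
    {"host": "192.0.2.11", "title": "Operating system missing security updates",
     "severity": "Critical", "fix": "Apply pending OS updates"},
    {"host": "192.0.2.20", "title": "Default administrator password",
     "severity": "High", "fix": "Change default credentials"},
    {"host": "192.0.2.21", "title": "Default administrator password",
     "severity": "High", "fix": "Change default credentials"},
    {"host": "192.0.2.10", "title": "Outdated third-party plug-in",
     "severity": "High", "fix": "Upgrade third-party software"},
    {"host": "192.0.2.30", "title": "Unused remote-management port open",
     "severity": "Medium", "fix": "Close unused ports at the firewall"},
    {"host": "192.0.2.30", "title": "Service banner discloses version",
     "severity": "Low", "fix": "Close unused ports at the firewall"},
]

def remediation_plan(findings):
    """Collapse findings into remediation tasks, ordered worst-first."""
    groups = defaultdict(list)
    for finding in findings:
        groups[finding["fix"]].append(finding)

    plan = []
    for fix, items in groups.items():
        worst = max(items, key=lambda f: SEVERITY_RANK[f["severity"]])
        plan.append({
            "fix": fix,
            "worst": worst["severity"],   # highest severity this task closes
            "closes": len(items),         # how many findings it resolves
            "hosts": sorted({f["host"] for f in items}),
        })
    # Highest severity first; among equals, the task closing more findings.
    plan.sort(key=lambda t: (-SEVERITY_RANK[t["worst"]], -t["closes"], t["fix"]))
    return plan

if __name__ == "__main__":
    for task in remediation_plan(FINDINGS):
        print(f'{task["worst"]:<8} {task["fix"]} '
              f'(closes {task["closes"]} on {", ".join(task["hosts"])})')
```

Eight findings reduce to four tasks here, and the task at the top of the list closes three findings on two hosts.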
Why You Should Test, Not Guess
It's more important than ever to create and implement a robust vulnerability management program.
Since 2012, there has been a considerable increase in vulnerabilities for all operating systems irrespective of brand. The IT landscape is changing. Vulnerability management needs to change too. As office technology becomes more complex and more organizations rely on being connected to a network to do business, traditional periodic scanning is no longer enough to provide necessary visibility and insight.
According to Forbes, any organization conducting business over — or even just connected to — the internet is in jeopardy of an attack stemming from a vulnerability. While not all organizations are required to implement a vulnerability management program, those that choose not to may be taking an avoidable risk.
At Access, we deploy Nessus, the most trusted vulnerability scanning platform for auditors and security analysts. As the industry’s most widely deployed vulnerability scanner, Nessus includes a deep set of comprehensive assessment capabilities:
- Highly-accurate scanning with low false positives
- Scalable to hundreds-of-thousands of systems
- Easy deployment and maintenance
- Low cost to administer and operate
- Complete coverage over your agents and network, including laptops and mobile assets
- Easy-to-understand reports that automatically filter data to help address vulnerabilities
For many businesses’ security strategies, vulnerability assessments are the first step – they are used to perform wide sweeps of a network and connected devices to find flaws in operating systems and applications such as missing patches, misconfigured settings, security holes in services and ports, and potential paths to exploitable programs or scripts. From there, one can perform a penetration test to see how exploitable the vulnerability is.
Performing these two types of tests helps you to be well-equipped in avoiding vulnerabilities and defensively acting against threats, but that’s not the only reason to implement them into your cybersecurity approach. They also demonstrate to your clients and regulators that you are taking measures to identify vulnerabilities and apply the appropriate defenses to mitigate the potential risk of an attack. Information security does not stand still. Be proactive instead of reactive with a vulnerability assessment.
According to security consultant Kevin Beaver, the best plan is to conduct both tests: “Until you test your systems from every possible angle, you simply cannot say with reasonable certainty just where things stand with security.”