Data breaches are on the rise and experts forecast that that trend will continue (Experian – Data Breach Industry Forecast). With increased news coverage, Information security is no longer confined to the IT department. Business partners and C-Level executives are now asking questions and want to know if their company is prepared. Often times they’ll come armed with buzz-words like ‘vulnerability scans’, ‘penetration tests’, and ‘security assessment’. As IT professionals, we often think we understand what our business partner is asking for, but do we really? I’ve realized that even among IT professionals, there’s a lot of confusion as to what each of these terms actually means. While it may seem that these terms are interchangeable and vague, they definitely aren’t to most security professionals. I’ll do my best to describe some of the differences here.
Individually, a vulnerability scan consumes the least effort of the three methods discussed in this piece. These scans typically utilize a tool, like Nessus, to identify weaknesses in applications that are visible on a network, both internally and externally. Up front, the most important aspect of vulnerability scanning is that multiple scans (as a part of a scanning program) should be used to provide a view of how security risks are managed over time; a single vulnerability scan report provides very little value outside the context of a broad scanning history. Leadership and guidance in these programs is critical, as a misalignment in the goals or scope of a scanning program can lead to a false sense of confidence about the security of the environment. An individual scan report will typically identify vulnerabilities by severity, with details about the target device or application (e.g. IP, plugin, configuration). Most remediation efforts are focused on patch levels and configuration changes that require some follow-on change coordination and testing. Clients that are interested in vulnerability scanning should focus on the program-level aspects, and not on individual scans.
A penetration test (or ‘pentest’) is confused with a vulnerability scan more often than it should be. You may even find “security” firms that blur the lines between the two. A penetration test is different than a vulnerability scan in that testers exploit vulnerabilities in order to prove the ability to gain access to systems and data. These days, the easiest way to gain access to systems is not always technical, so most commercial pentest services offer a variety of creative and unique test augmentations, like social engineering or physical testing. Automated tools are often used as a part of the process, but the real ‘value’ in a pentest is the experience and background the testing team brings to the engagement. (Nessus can’t tell you that Bob from Accounting gave his account info to a malicious phone caller.) Pen test teams must be able to think creatively and use a variety of tools to find new attack vectors by which to access data. Pentest reports usually provide straightforward mitigation recommendations, and require detailed explanations of the testing methods and impact of identified exploits. Pentests should be completed at least annually, and ensure that the scope of testing covers their most critical assets. Clients interested in pentests should have a firm understanding of the risks they’re trying to define, as under-scoped pen tests will provide very little value and might cause more harm than good.
A security assessment is altogether different in nature from the above two items. Both of the above items primarily focus on the practical implementation and configuration of technologies that are deployed, and they leverage tools to get results. In comparison, a security assessment has the breadth to focus not just on the technology, but also on the components of the business – including processes and people. Security assessments provide valuable context for the results of a penetration test, or overall commentary on the effectiveness of a vulnerability management program. An assessment doesn’t just present you with simple software or configuration updates to remediate issues. Rather, it requires interpretation and a definitive solution that fits your specific business and risk profile. An assessment can help identify mitigating factors that can have a dramatic effect on the impact of an identified vulnerability or exploit. Clients that are generally interested in improving their security should most likely consider an overall security assessment.
Bottom Line – Everyone comes to the table with a different set of expectations and assumptions. With increased attention and familiarity with security-related language – it’s in everyone’s best interest to dig into what they mean when they use a term. If you have any questions or comments on the above, please reach out to me at firstname.lastname@example.org. To learn more about our security work (including case studies), visit westmonroepartners.com and search “security”.