Vulnerability Assessments and Penetration Tests

It’s well known that a vulnerability assessment is not a penetration test. This is usually said to point to the superiority of a penetration test (pentest). Pentests are superior in one respect: they recreate what a threat actor could actually do, chaining and exploiting weaknesses rather than just listing them.

Two drawbacks of pentests compared to vulnerability assessments are that pentests a) cost more, and b) take much longer.

A couple of steps down from a pentest is the plain vulnerability scan. Scans are performed by software (paid or free) and are good at pinpointing potential security weaknesses. They are the easiest to perform: pick a scanner and run it, which anyone can do.

What a scan cannot do is tell a real finding from a false positive; it can also misidentify what it sees or miss things entirely (false negatives). Separating the real threats from the noise requires a vulnerability assessment.

Vulnerability assessments are a good step up from scans. They take more time because each finding has to be validated, and then its actual risk to the organization and the appropriate remediation have to be determined. A good assessment categorizes the security risks, assigns risk levels, and offers remediation suggestions.

What does an assessment look like?

Here are two examples of findings that have to be validated and ranked:

A) The scan finds a vulnerability and rates it High, e.g., it detects SharePoint 2010 running. SP 2010 is end-of-life (though one could have paid for extended support). Best practice is to run the latest version: if a compromise resulted from known out-of-date software, the vendor may not offer support during the breach, and cyber insurance probably will not cover it. But this finding may actually be SharePoint 2013 running in 2010 backward-compatibility mode, and that software (as of this writing) is still under support. The scan flagged something that only a proper assessment could determine to be a false positive, avoiding needless panic (though that server still needs to be upgraded soon).

B) If the finding is a true positive, e.g., Windows XP is discovered and the box really is WinXP, the next step is to determine how much the finding matters. If that machine has an important role in the company, it must be updated. But if it is a test computer, kept around, say, to test legacy software for backward compatibility with an Operational Technology (OT) machine, is not internet-facing, and holds no critical data, then it may be acceptable to keep it.

The recommendation will probably still include making sure that the old machine is not reachable from the rest of the network and is tightly controlled. The scan picked up a real risk, but properly assessing its criticality took extra time, perhaps in the form of interviews and fact-finding. In general, a resource is considered critical to operations if it 1) holds important data (e.g., PII, corporate confidential) or 2) faces the internet (not just by serving a web page), and doubly so when both apply. Such devices need not only scanning but proper assessment.
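To make the difference between a scan result and an assessed finding concrete, here is an added example (not code from the original article or from any particular scanner) that applies the triage logic of examples A and B to constructed sample data. The finding and asset fields, the severity labels, and the ranking rules are all assumptions made for the example: a real assessment would draw the "actual version", exposure, and data-sensitivity facts from interviews, inventory, and hands-on inspection, and a real scanner's output format would differ.

```python
from dataclasses import dataclass
from typing import Dict, List

# Severity labels used by this example (an assumption; scanners use their own scales).
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    """One raw scanner result: what the scanner believes it saw."""
    host: str
    title: str
    scanner_severity: str   # severity as reported by the scanner
    detected_version: str   # version suggested by the banner/fingerprint


@dataclass
class Asset:
    """Facts established by the assessor (inventory, interviews, local checks)."""
    host: str
    actual_version: str     # confirmed version, may differ from the banner
    end_of_life: bool       # is the confirmed version actually out of support?
    internet_facing: bool
    holds_sensitive_data: bool   # PII, corporate confidential, etc.
    isolated: bool          # segmented from the rest of the network?
    role: str


@dataclass
class Assessed:
    """The assessor's verdict on a finding."""
    finding: Finding
    status: str             # "false positive" or "true positive"
    severity: str           # re-ranked severity, not the scanner's default
    recommendation: str


def assess(finding: Finding, asset: Asset) -> Assessed:
    # Step 1 (example A): validate the scanner's claim against the confirmed state.
    # A banner that does not match the real version on a still-supported build is a
    # false positive, though the mismatch itself is worth noting for the upgrade plan.
    if finding.detected_version != asset.actual_version and not asset.end_of_life:
        note = (f"confirmed {asset.actual_version}, scanner saw "
                f"{finding.detected_version}; still supported, schedule upgrade")
        return Assessed(finding, "false positive", "Info", note)

    # Step 2 (example B): a true positive is ranked by the asset's role and exposure,
    # not by the scanner's default rating.
    if asset.internet_facing and asset.holds_sensitive_data:
        sev, rec = "Critical", "patch or decommission immediately"
    elif asset.internet_facing or asset.holds_sensitive_data:
        sev, rec = "High", "patch soon; restrict exposure until patched"
    elif asset.isolated:
        sev, rec = "Low", "accept with compensating controls; keep it segmented"
    else:
        sev, rec = "Medium", "segment from the rest of the network; restrict access"
    return Assessed(finding, "true positive", sev, rec)


def triage(findings: List[Finding], inventory: Dict[str, Asset]) -> List[Assessed]:
    """Join findings to inventory by host and return them ranked, most severe first."""
    results = [assess(f, inventory[f.host]) for f in findings]
    return sorted(results, key=lambda r: SEVERITY_ORDER.index(r.severity), reverse=True)


# Constructed sample data mirroring examples A and B above (not real scan output).
SAMPLE_FINDINGS = [
    Finding("sp-01", "Unsupported SharePoint version", "High", "SharePoint 2010"),
    Finding("xp-lab-01", "Unsupported Windows version", "High", "Windows XP"),
    Finding("xp-kiosk-07", "Unsupported Windows version", "High", "Windows XP"),
]

SAMPLE_INVENTORY = {
    "sp-01": Asset("sp-01", "SharePoint 2013 (2010 compatibility mode)", False,
                   True, True, False, "intranet portal"),
    "xp-lab-01": Asset("xp-lab-01", "Windows XP", True,
                       False, False, True, "OT compatibility test bench"),
    "xp-kiosk-07": Asset("xp-kiosk-07", "Windows XP", True,
                         True, True, False, "customer sign-in kiosk"),
}


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, SAMPLE_INVENTORY):
        print(f"{r.severity:8} {r.finding.host:12} {r.status:14} {r.recommendation}")
```

Running it ranks the internet-facing XP kiosk as Critical, downgrades the isolated XP test bench to Low with a segmentation recommendation, and records the SharePoint banner as a false positive that still carries an upgrade note. Every one of those verdicts depends on facts the scanner did not have, which is precisely the time an assessment adds on top of a scan.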

What Are the Benefits?

Vulnerability assessments require expertise and dedicated time to interpret and investigate the results properly, and not every company has the in-house resources for the full cycle of scanning, assessing, testing, patching, and re-scanning.

A company may not need a pentest, given its industry or the absence of a certification or regulatory requirement. Pentests may also be cost-prohibitive; their greater depth comes with a bigger price tag.

An organization may have the staff to apply updates and upgrades, yet lack the personnel, tools, and technology to get an accurate view of its security posture. Vulnerability assessments are a vital, though often undervalued, component of cybersecurity.

Third-party assessments can also strengthen a company’s reputation. Customers and prospects may view internally run scans as a conflict of interest. Third-party assessments, even infrequent ones, boost credibility because they are objective, and recurring assessments demonstrate that previously reported findings were addressed. A professionally produced report also builds confidence and leaves a paper trail that lets the organization track its progress and hold personnel accountable.

Assessment reports can also help secure funding for IT and security initiatives by showing more objectively what threat actors can really see from the outside; it is not just the imagination of internal staff. The more often a vulnerability reappears on successive reports, especially when those reports are shared as part of security questionnaires, the better the chance that upper management will provide resources to address it. Cybersecurity Crusaders is ready to scan and assess your corporate environment.

Contact us today so we can help you discover and prioritize your security and IT resources.