Vulnerability Assessments and Penetration Testing (Pentesting)By: Eric Escobar, Secureworks Adversary Group
Both are valuable tools that benefit any information security program and are integral components of a Threat and Vulnerability Management process.
- Penetration tests simulate a threat actor.
- Vulnerability assessments provide a laundry list of automated findings.
- Vulnerability assessments are a great start for companies who have just started their security journey and penetration tests a great way to test your existing infrastructure and security solutions.
Are These Information Security Services the Same?
The two are often used interchangeably and incorrectly due to marketing hype and other influences which creates confusion and wasted resources for many enterprises. With that in mind, I'd like to clarify the distinctions between vulnerability assessments and penetration tests and hopefully eliminate some of the confusion.
What is a Vulnerability Assessment?
A vulnerability assessment is the process of identifying and quantifying known security vulnerabilities in an environment. It is a surface-level evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
Vulnerability Assessments Follow These General Steps
- Catalog assets and resources in a system
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each resource
- Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
What is a Penetration Test?
A penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Using many tools and techniques, the penetration tester attempts to exploit critical systems and gain access to sensitive data.
Additional Penetration Testing Services and Types
Depending on the scope, a pentest can expand beyond the network to include social engineering attacks or physical security tests. Also, there are two primary types of pentests ”clear box", which uses vulnerability assessment and other pre-disclosed information, and "glass box", which is performed with very little knowledge of the target systems and it is left to the tester to perform their own reconnaissance.
Penetration Testing Follow These General Steps
- Determination of scope
- Targeted information gathering or reconnaissance
- Exploit attempts for access and escalation
- Sensitive data collection testing
- Clean up and final reporting
Which Information Security Service Is Best for My Organization?
Well, the answer to that question should be determined by your current security posture. Unless both leadership and technical personnel are very confident in their security posture and already have a vulnerability assessment process in place, many organizations will be better served by having Secureworks® conduct a vulnerability assessment. A vulnerability assessment answers the question: "What are our surface-level weaknesses and how do we fix them?" Penetration testing answers the questions: "Can someone break-in and what can they attain?"
But as with all things security, it doesn't end there. As processes within a Threat and Vulnerability Management program, both vulnerability assessments and pentests need to be performed periodically to ensure continuous security posture improvement. In addition, while there is some overlap in terms of findings, a penetration test more closely aligns with what a real-world attacker would focus on.
Goal Based Penetration Testing
Goal based penetration testing focuses Secureworks’ adversarial team efforts to achieve a specific objective for your company. Instead of a generalized penetration test, Secureworks conducts customized attacks relevant to you, your industry, and your company. Here are ways we tailor a penetration test to you:
- Has an executive’s laptop been stolen?
- Are you concerned about your client’s information being stolen or leaked?
- Are you safeguarding intellectual property?
- Did you just install a new security product throughout your organization?
- How well could you defend against a threat actor attempting to deploy Ransomware?
- Are your cloud resources secure?
We tailor each of our pentest offerings to achieve your goals and expectations. Secureworks’ Adversarial Group allows you to identify blind spots in your organization, and effectively test your defenses against an advanced adversary.
Secureworks Taegis™ VDR helps identify vulnerabilities and quantifies risk so you can act fast to close gaps and keep threat actors out.
Penetration Types Offered by Secureworks
- Secureworks attempts to exploit your internal network from the perspective of a compromised device or rogue employee.
- Secureworks attempts to exploit your external perimeter from the public internet.
- Web Application pentest
- Secureworks attempts to compromise data, elevate privileges, or gain unauthorized access to your application.
- Wireless pentest
- Secureworks will attempt to compromise your organization by attacking your wireless infrastructure.
- Social engineering test
- Secureworks tests how your employees respond to malicious emails, phone calls, and other digital communications.
- Network isolation & segmentation pentest
- Secureworks attempts to pivot between various network segments.
- Hardware / IoT
- Secureworks attempts to compromise a hardware device by means of directly interacting with accessible ports, pins and chips.
- SCADA & ICS
- Secureworks attempts to compromise network access leading to exposed industrial control systems.
- Red Team
- Secureworks will attempt to covertly breach your organization, evading security controls and by using state of the art tools and techniques.
- Purple Team
- Secureworks will pair your pentest with your security team in order to maximize the potential learning opportunities in a real time, and true to life scenario.
- Don’t see it here? We have a large, diverse team capable of emulating any threat model. We’ve tested cruise ships, autonomous vehicles, surgical robots, and aircrafts.
Find Information Security Weaknesses and Protect Valuable Assets
Still have more questions on where to get started or need assistance on conducting an evaluation of your organization's security posture? Contact an Information Security Consultant at Secureworks to find your organizations information security weaknesses and the valuable assets an advanced threat can obtain.