Vulnerability Assessments and Penetration Testing


CYBERSECURITY
Vulnerability Assessments and Penetration Testing
A guide to understanding vulnerability assessments and penetration tests.

OVERVIEW
When organizations begin developing a strategy to analyze their security posture, a vulnerability assessment or penetration test frequently tops the to-do list. The two terms are often used interchangeably, and confusion about the difference between them is prevalent. Understanding the right activity to undertake and what to expect is a hurdle for many organizations. It requires knowing what you need, the right questions to ask, and which test coincides with your answers. In this guide, we will discuss how to select the right security testing method to meet your goals by understanding the differences between a vulnerability assessment and a penetration test.

TABLE OF CONTENTS
- Security Testing 101 (page 2)
- Why Undergo a Security Test (page 2)
- A Scenario: Penetration Test Versus Vulnerability Assessment (page 3)
- Expected Value and Timing of Security Tests (page 3)
- Expected Outcomes (page 4)
- Summary: Comparing Vulnerability Assessment to Penetration Tests (page 4)
- Conclusion (page 5)

SECURITY TESTING 101 - DEFINITIONS

What is a Vulnerability Assessment?
A vulnerability assessment is the process of discovering, documenting, and quantifying the current security vulnerabilities found within an environment. A vulnerability assessment is intended to be a comprehensive evaluation of the security of your vital infrastructure, endpoints, and IT assets. It gives insight into system weaknesses and recommends the appropriate remediation procedures to either eliminate the issue or reduce the weakness to an acceptable level of risk. Vulnerability assessments typically follow a structured methodology, which should include the:
- Identification and cataloging of assets (systems, infrastructure, resources, etc.) in an environment;
- Discovery and prioritization of the security vulnerabilities or potential threats to each asset; and
- Reporting on the recommended remediation or mitigation of vulnerabilities to reach an acceptable risk level.

What is a Penetration Test?
A penetration test attempts to simulate the actions of an external or internal attacker who is trying to breach the information security of an organization. The individual performing the test uses a combination of tools and techniques and attempts to bypass the existing security controls of the target organization. The goal is to gain access to sensitive systems and information. The methodology followed by penetration testers is inherently less structured to allow for rapid adjustment while testing the environment. However, most penetration methodologies typically follow these key steps:
- Determination of the scope and testing objectives;
- Targeted information gathering and reconnaissance;
- Identification and exploitation of weaknesses to gain and escalate access;
- Demonstration that the testing objective has been completed; and
- Clean up and reporting.

WHY UNDERGO A SECURITY TEST?

Vulnerability Assessment
The primary goal of a vulnerability assessment is to identify, catalog, and prioritize the population of vulnerabilities present within an environment. The intent is to remediate the identified issues to an acceptable risk level. The objective of a vulnerability assessment focuses on creating a list of identified vulnerabilities and establishing a plan to remediate findings. Overall, the focus of the assessment is about breadth, rather than depth: identifying issues across the environment and prioritizing them for remediation based on multiple risk factors.

Penetration Testing
The primary goal of a penetration test can be customized based on the organization and environment undergoing the test. A penetration test typically requires achieving some level of insider access in order to demonstrate control of a key system or asset on the internal network. Penetration tests are robust as they simulate the activities of a real attacker and test an organization's current maturity levels within its security monitoring, network detection, access controls, and security response procedures. Overall, the focus of a penetration test is to demonstrate success against the testing objective. The testing objective could be breaching an organization's border security controls, gaining administrative rights to a key system, or even remaining active on the network for a period of time without detection by the organization's security team.

A SCENARIO: PENETRATION TEST VERSUS VULNERABILITY ASSESSMENT
Consider this non-technical scenario that demonstrates the primary difference between the two security tests: "Take the compound and save the hostage."

Imagine a military General giving orders to one of his officers: "Take the compound and save the hostage." The officer assembles his team, conducts reconnaissance of the compound and surrounding area, establishes a plan of action, and successfully executes the mission by breaching a weakness in a wall on the southern end of the compound. Now imagine that during the debrief, the General asks about the security weaknesses and enemy activities on the northern end of the compound. To the officer, this is an irrelevant question; the aim was not to assess the security weaknesses of the compound, the objective was to take the compound and save the hostage.

This scenario is an example of the difference between a penetration test (the officer's mission) and a vulnerability assessment (the General's follow-up question). A penetration test will not attempt to identify all the vulnerabilities within the environment; the attacker will typically take the path of least resistance to avoid detection and complete the objective of the test.

VALUE AND TIMING OF SECURITY TESTS

Vulnerability Assessments
Vulnerability assessments often provide the most value when used by organizations that do not have an in-house security team. An organization may recognize issues within its environment but is in need of outside technical expertise to identify and address the weaknesses. A vulnerability assessment can help organizations understand the problem and establish a plan to remediate the identified vulnerabilities.

Penetration Testing
Penetration testing can provide an organization with significant value as it relates to understanding the current state of its security operations. However, penetration tests require a higher level of security maturity to realize their full value. As a result, penetration testing should be conducted by an organization with at least a moderate level of maturity in its security operations. A moderate level of security encompasses an investment in security tools and processes and a team to manage its security operations. This level of maturity allows the organization to test not only the technical security of its environment, but its people, and the incident response procedures that support security operations.

As part of an organization's overall Threat and Vulnerability Management Program, both vulnerability assessments and penetration testing should be performed periodically to ensure the state of operations within an organization is continuously improving.

EXPECTED OUTCOMES

Common Deliverables
- Vulnerability Assessment: Technical Report, Risk Ranking, Remediation Activities, Vulnerability Matrix
- Penetration Test: Targeted Technical Report, Remediation Activities

Vulnerability Assessment
A vulnerability assessment's core deliverables should include a technical report highlighting discovered vulnerabilities, their risk ranking, and recommended remediation activities. The report should also be accompanied by an executive summary to translate the results of the test into business-focused objectives for a non-technical audience. A second primary deliverable should be a comprehensive list of the identified vulnerabilities in a matrix format. The organization can use this document to facilitate tracking and remediation of vulnerabilities discovered in the assessment.

Penetration Test
A penetration test's core deliverables should include a targeted, technical report that focuses on narrating the path of the attacker, documenting vulnerabilities discovered as part of the assessment, and providing the organization with recommended remediation activities to prevent similar future attacks. The depth of the report depends on the methods of the attacker, how long it took to achieve the objective, and the systems compromised to complete the objective of the assessment.
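The guide says a vulnerability assessment prioritizes findings "based on multiple risk factors" and delivers them as a risk-ranked vulnerability matrix, but does not show how such a ranking is produced. The following is an added example, not code from the guide or from KSM Consulting: it combines a scanner's base severity with asset criticality, internet exposure and public-exploit availability into a single score and emits the ranked matrix. The findings, host names, weights and band thresholds are all constructed assumptions for illustration, to be tuned to an organization's own risk appetite.

```python
"""Build a risk-ranked vulnerability matrix from raw scan findings.

Added example (not part of the original guide). All findings, hosts,
weights and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    title: str
    cvss: float               # base severity 0.0-10.0 as reported by the scanner
    asset_criticality: int    # 1 = low, 2 = medium, 3 = high, from the asset inventory
    internet_facing: bool     # reachable from outside the perimeter
    exploit_public: bool      # a public exploit is known to exist


# Assumed weights: exposure and exploit availability inflate the base score
EXPOSURE_MULT = 1.5
EXPLOIT_MULT = 1.25


def risk_score(f: Finding) -> float:
    """Combine severity with asset and exposure context (max 56.25)."""
    score = f.cvss * f.asset_criticality
    if f.internet_facing:
        score *= EXPOSURE_MULT
    if f.exploit_public:
        score *= EXPLOIT_MULT
    return round(score, 2)


def risk_band(score: float) -> str:
    """Map a numeric score onto the bands used in the report (assumed cut-offs)."""
    if score >= 30:
        return "Critical"
    if score >= 15:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def build_matrix(findings: list[Finding]) -> list[dict]:
    """Return matrix rows sorted by descending risk, then host, with a rank column."""
    rows = []
    for f in findings:
        score = risk_score(f)
        rows.append({
            "host": f.host,
            "title": f.title,
            "cvss": f.cvss,
            "criticality": f.asset_criticality,
            "exposed": f.internet_facing,
            "exploit": f.exploit_public,
            "score": score,
            "band": risk_band(score),
        })
    rows.sort(key=lambda r: (-r["score"], r["host"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


def render_matrix(rows: list[dict]) -> str:
    """Plain-text table suitable for pasting into the technical report."""
    header = f"{'#':>2} {'Host':<10} {'Finding':<30} {'CVSS':>5} {'Score':>6} Band"
    lines = [header, "-" * len(header)]
    for r in rows:
        lines.append(f"{r['rank']:>2} {r['host']:<10} {r['title']:<30} "
                     f"{r['cvss']:>5} {r['score']:>6} {r['band']}")
    return "\n".join(lines)


# Constructed sample findings standing in for scanner output
CONSTRUCTED_FINDINGS = [
    Finding("web-01", "Outdated TLS library", 7.5, 3, True, True),
    Finding("db-01", "Default admin credentials", 9.8, 3, False, True),
    Finding("print-02", "SNMP public community string", 5.3, 1, False, False),
    Finding("hr-app", "Reflected XSS", 6.1, 2, True, False),
]

if __name__ == "__main__":
    print(render_matrix(build_matrix(CONSTRUCTED_FINDINGS)))
```

Note that the scanner's own severity is not the final order: the internet-facing web server with a public exploit outranks the higher-CVSS database finding that sits on the internal network, which is the kind of context a raw scan export cannot provide and a manual analysis step in the assessment should.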

SUMMARY: COMPARING VULNERABILITY ASSESSMENTS TO PENETRATION TESTS
If you are reading this and wondering who is responsible for security within your company, what tools you utilize to protect and monitor your environment, and what you would do in the event of a security incident, a vulnerability assessment is likely the right option for you. Most organizations will achieve the highest return on investment by first conducting a vulnerability assessment to identify the current population of security issues within their environment. Once these matters have been remediated by the organization and the maturity level of security operations has increased, a penetration test can ensure the new environment is operating as expected.

Overview
- Vulnerability assessment: Automated vulnerability scanning coupled with manual analysis to validate and prioritize weaknesses.
- Penetration test: Advanced, automated, and manual-testing techniques to identify and utilize weaknesses in the environment.

Goal and Focus
- Vulnerability assessment: Creates a listing of validated, risk-ranked, and prioritized vulnerabilities within the environment to support remediation efforts. Discovers and documents as many vulnerabilities as possible. Focuses on breadth over depth.
- Penetration test: Determines whether an organization's current level of security maturity can withstand an intrusion attempt from an advanced attacker with specific goals. Achievement of a specific testing goal (take control of an internal asset, demonstrate control of the network, gain physical access to a restricted area) by any means. Focuses on depth over breadth.

Client Maturity Level
- Vulnerability assessment: Low to Medium. The organization recognizes there are known issues in the environment and is looking for assistance in identification and remediation activities. The result is awareness of the technical vulnerabilities present in the environment, with actionable remediation advice to address each weakness.
- Penetration test: High. The organization has established security teams, monitoring, and response procedures which would be assessed. Ultimately, the organization believes its defenses are strong and is looking to test that understanding. The result is an assessment of the organization's current security maturity to prevent, identify, block, and respond to a real-life attack simulation.

Deliverables
- Vulnerability assessment: A comprehensive technical report that includes all identified vulnerabilities, risk rankings, and recommended remediation activities.
- Penetration test: A targeted summary narrative that includes the successful attack vector and recommended remediation activities to close that attack vector.

ABOUT KSM CONSULTING
KSM Consulting helps clients develop innovative solutions. Our client-focused approach starts with developing a deep understanding of their business. We then use our expertise in technology, data, management consulting, cybersecurity, and project management to help clients fully leverage technology, support their people, and optimize their processes.

Cybersecurity Practice
The Cybersecurity practice works with clients to assess their current situations, develop solutions that achieve compliance, protect their organizations, and manage ongoing threats. The practice specializes in security architecture and strategy; governance, risk, and compliance; threat intelligence and vulnerability management; information protection and privacy; and cybersecurity training and end-user testing. To learn more about KSMC cybersecurity services, visit: www.ksmconsulting.com/cybersecurity.

PROFILE
Dan Resnick leads the cybersecurity practice in developing innovative solutions to today's complex security, risk, and compliance challenges. With a strong background in information security, vulnerability management, and governance, Dan brings a history of successful project delivery and client service. He has solved complex business, information technology, and security challenges across multiple industries, with significant experience in healthcare, through the application of innovative technical solutions.
P: 317.452.1646
E: dresnick@ksmconsulting.com

Copyright 2017 KSM Consulting, Part of Katz, Sapper & Miller Network

References to Katz, Sapper & Miller, Katz, Sapper & Miller Network, KSM and KSM Network (collectively herein referred to as the "KSM Brand") are brand names associated with the various legal entities rendering a wide range of professional services to national and international organizations. State, national and international laws, along with professional regulations, require the provision of various accounting and consulting services to be performed under distinct legal entities. The KSM Brand does not provide services directly to organizations. Rather, the KSM Brand is used as a branding and organizing mechanism to align the strategies, goals, risk and quality of all legal entities which fall under the KSM Brand. While different accounting and consulting services are performed under various legal entities, these entities, in many instances, work collaboratively in the provision of professional services to organizations. When a legal entity within the KSM Brand engages an organization, nothing therein induces or prescribes liability for any other legal entity unless that legal entity is specifically engaged by that organization.