Information Security is on everyone’s mind but not everyone is ready for a full penetration test. We’ve investigated the merits of vulnerability assessments and how they can be leveraged to rapidly assess and evolve your defences in the face of everchanging threats.
Information Security is a continual journey, not an initiative to be implemented once, ticked off and forgotten about. However, with new vulnerabilities and threat actors surfacing at a constant rate, it can be hard to know where to focus efforts and what risks need resolving first.
The landscape of technologies and working practices that organisations are built on is ever-changing to meet business needs. Users are now more mobile, often using their own devices to access corporate data and across a huge variety of platforms. Systems are provisioned and torn-down on a weekly (and sometimes daily) basis. Data is also stored in many different locations, from personal devices, to on premise systems and often a number of cloud-hosted services and applications.
This disparity in technologies, data and means of accessing them creates a large and fluctuating attack surface to manage and assess, to which a full penetration test can rapidly become an expensive endeavour, especially as different systems and attack types are evaluated and scoped into the engagement. A penetration test can also quickly become out of date, as new services are implemented and new exploits are released. Even the most thorough assessment can’t predict what new risks will manifest in an organisation.
A vulnerability assessment is simply the reconnaissance stage of a penetration test. It will reveal vulnerabilities within in-scope systems but without actually attacking those systems to verify the true impact of exploitation. The findings it will reveal will never compete with the thorough and technically verified results of an active penetration test (it is definitely worth conducting these on a scheduled basis). A vulnerability assessment is low cost, quick to carry out and can be scoped to include any systems that a full penetration test can cover.
With that in mind, vulnerability assessments are highly flexible – they can be targeted to just the perimeter of an organisation i.e. its internet gateways and servers, they can assess internal infrastructure configuration, bespoke web applications, specific subnets, physical locations or device types. They can also do basic assessments or full authenticated checks to determine the patch levels, configuration and associated vulnerabilities with the applications and services of a system. Their highly configurable nature means that an organisation can decide which area of a business or information security risk they want to target, they can rapidly assess it, then feed this into their Risk Management and IT Strategy to focus remediation efforts. The low cost of engagement also allows both continual assessment and room for trial and error – if an assessment needs to be re-run or rearranged, it’s much more mobile than a dedicated penetration tester actively attacking a network.
This rapid-fire evaluation of security will provide an immediate and cost-effective snapshot of an organisation’s vulnerabilities, in a simple to understand format arranged by order of severity and ease of attack. For those that are embarking on their information security journey, a basic assessment of their perimeter security will provide the initial focus to mitigate risk and understand the vulnerabilities that can manifest in the technologies and systems that are commonly deployed.
The bad guys are already risk assessing everyone’s internet-facing infrastructure with automated scans scouring the internet for vulnerable servers – but without the intent to inform the owners! A perimeter vulnerability assessment will reveal the vulnerabilities that are available for them to exploit, allowing organisations to patch these holes and quickly lock down their network from automated attacks.
For organisations that already have an Information Security Management System, or other means of Risk Management, a vulnerability assessment is also a great means of assessing systems following major changes in infrastructure or the acquisition/merging of new systems and business entities. It provides prioritised findings that can feed directly into a Risk Assessment, with solutions that can be exported as Risk Treatments ready to have assigned resource and deadlines.
Finally, continual assessment provides customers with greater assurance that the security of their data and the services they use are held as a paramount business priority, and auditors will be impressed by the ample evidence detailing the vulnerabilities discovered and remediation action taken to resolve them. Cyber Essentials Plus is an excellent means of demonstrating this assurance, as it will include a vulnerability assessment, as well as a number of other technical checks, to demonstrate that an organisation has secured itself against the most common attack vectors.
You don’t always need to break in to your systems, sometimes it’s best to just check your digital locks every once in a while to keep the bad guys at bay.