Vulnerability assessment is the assessment of a system to determine whether it has vulnerabilities or weaknesses that need to be resolved or patched. It is also known as a security audit. A vulnerability is a flaw or weakness that could be exploited by an outside attacker or abused by internal personnel. Vulnerability assessment is necessary because many organizations, companies, and health facilities are required to meet certain compliance requirements.
Vulnerability assessments do not involve any steps to fix or apply patches to a system. The objective of a vulnerability assessment is to identify the vulnerabilities and report them to the client. The assessment must be requested and authorized by the client before it is performed.
Penetration Testing includes the actual exploitation of the vulnerabilities that are discovered during the phases of the vulnerability assessment. It includes vulnerability assessment; however, vulnerability assessment does not include penetration testing.
Rules of engagement (ROE) are signed and understood by both parties before the beginning of a penetration test. The ROE limits the penetration testers from touching targets that are not permitted by the client.
For many organizations, the foremost benefit of commissioning a penetration test is that it gives you a baseline to work from in order to mitigate risk in a structured and optimal way. A penetration test shows you the vulnerabilities in the target system and the risks associated with them. An educated valuation of the risk is performed so that the vulnerabilities can be reported as High/Medium/Low risk issues. This categorization allows you to tackle the highest risks first, making the best use of your resources while reducing risk efficiently.
Business continuity is usually the number one security concern for many organizations. A breach in business continuity can happen for a number of reasons, and lack of security is one of them. Insecure systems are more likely to suffer a breach in their availability than secured and hardened ones. Vulnerabilities can very often be exploited to produce a denial of service condition, which usually crashes the vulnerable service and breaches the server's availability. Penetration testing against mission critical systems needs to be coordinated, carefully planned and mindful in execution.
Penetration testing is an effective way of ensuring that the chance of successful, highly targeted client-side attacks against key members of your staff is minimized. Security should be treated with a holistic approach. Companies that only assess the security of their servers run the risk of being targeted with client-side attacks that exploit vulnerabilities in software such as web browsers and PDF readers. It is important to ensure that the patch management processes are working properly, updating both the operating system and third party applications.
A security breach could affect not only the target organization, but also its clients, partners and third parties working with it. Taking the necessary actions towards security will enhance professional relationships, building up trust and confidence.
The compliance section in the ISO 27001 standard requires managers and system owners to perform regular security reviews and penetration tests, undertaken by competent testers. PCI DSS also addresses penetration testing to relevant systems performed by qualified penetration testers.
A penetration test provides a snapshot of the current security posture and an opportunity to identify potential breach points. It gives you an independent view of the effectiveness of your existing security processes, confirming that patching and configuration management practices have been followed correctly. This is an ideal opportunity to review the efficiency of the current security investment: what is working, what is not working and what needs to be improved.
– Internal penetration test
– External penetration test