Penetration testing

Penetration Testing Benefits: Pen Testing for Risk Management

Dimitar Kostadinov
October 5, 2016 by
Dimitar Kostadinov

This article explores the probable benefits which result from the relationships between penetration testing and various other mechanisms for fortifying cybersecurity defenses, such as Vulnerability Management Program /Section 1/, Risk Assessment /Section 2/, and Business Continuity /Section 3/. As we will notice, the benefits of penetration testing may spread, however, to other similar mechanisms /Sections "Compliance" and "Conclusion"/.

Vulnerability Management Program

Generally speaking, the evaluation of a Vulnerability Management Program is based on the following basic elements:

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.
  • Risk management – in a nutshell, every threat should be: 1) identified, 2) assessed, and 3) fixed, as the classical risk management rule states.
  • Follow the Information Technologies Practices – the program should be conducted within the context of routine IT activities, such as staff training, monitoring of systems and data recovery strategies, and documenting of procedures.
  • Patch deployment – once patching is prioritized and assessed against the possible dangers of non-implementation, patches only need to be released promptly.
  • Antivirus programs – it is imperative to have them to repel worms, viruses, and Trojans and provide overall continuous protection.
  • Self-testing – periodic self-checks to ensure the non-existence of security holes.

Vulnerability Assessment

A vulnerability assessment is a process, a part of the Vulnerability Management Program, whose purpose is to inspect a given system for potential points of failure and measure their magnitude after that. Its scope encompasses not only the companies' technological assets – i.e., systems and networks – but also their physical integrity and security measures concerning the safety of personnel. Such a wide perimeter to defend predetermines the variety of techniques designed to perform the vulnerability assessment, namely scanning tools, physical checks, and social engineering tests.

Steps for conducting a vulnerability assessment:

  1. Create an inventory list of all resources and assets (e.g., networks, systems, personally identifiable information, etc.)
  2. Evaluate these corporate assets and resources and assign them values
  3. Catalog the vulnerabilities and define the potential threats to each asset/resource

It should be noted that not all vulnerabilities are being fixed, or at least fixed immediately, but identifying them may help decision-makers come to the realization of where threats lurk and on which security weaknesses they tend to capitalize.

Pen Test

A pen test typically consists of these several stages:

  1. Determine the scope of the test
  2. Perform information gathering on pre-identified potential vulnerabilities (white box) or proceed to identify such potential vulnerabilities before testing (black box)
  3. Attempt to exploit vulnerabilities
  4. Report all discoveries made during the pen test

Although there is no official order here, most businesses prefer, to begin with, a vulnerability assessment so that the staff could act on its results to the best of their abilities, and then eventually opt for a "white box" and/or "black box" pen test.

Vulnerability Assessment

Vulnerability assessments tend to provide more overarching data, whereas a penetration test may only tell an organization how secure their system is at the moment. As part of a comprehensive and up-to-date information security program, penetration tests should be conducted on a regular basis to ensure new threats will not capitalize on undetected vulnerabilities.

Although penetration testing as an activity is markedly different than a vulnerability assessment, they tend to go hand in hand as far as corporate information security policies are concerned. With respect to penetration testing, the primary goal here is not to identify vulnerabilities, although that can be done as well, to establish whether the already identified vulnerabilities can be explored in practice.

SecureWorks poses a very accurate question to everyone who attempts to conduct a successful vulnerability assessment: "What are our weaknesses and how do we fix them?" The counterpoint that a pen test has to offer comes again in the form of a question: "Can someone break-in and what can they attain?" In essence, penetration testing is a logical continuation of a vulnerability assessment – a vulnerability is found, and now the question is: "Can someone exploit it?" (See the figure below). The main idea behind a pen test is to locate which vulnerabilities can be exploited and how. A true test of theoretical threats set against the real world. Consequently, penetration testing does not focus on all security vulnerabilities, but merely on those which are exploitable via a real attack. For that reason, a pen test may produce much more "real" data on the actual defensive capabilities associated with the IT structure of a given organization than a vulnerability assessment.

Penetration testing can be a comforting fail-safe mechanism. For example, a vulnerability management program may identify gaps in security; however, only by testing the size of these gaps through a pen test, a security analyst would manage to comprehend which of them may jeopardize their cyber existence.

Vulnerability scanners are typically used during vulnerability assessment stage. Despite their popularity, they rely on a vendor's list of known vulnerabilities. Unfortunately, there are plenty of zero-day vulnerabilities that go under the radar of those scanners, but that might not be the case with pen testing.

Tony Martin-Vegue from csoonline.com compares vulnerability assessment and penetration testing:

"It's one thing to run a scan and say "you are vulnerable to Heartbleed" and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is being penetrated, just like a hacker would do."

Presumably, the combination of vulnerability assessment and penetration testing would provide a detailed map of the information security flaws in the computer systems and networks of a particular business entity and the actual risks related to these flaws. Both penetration testing and vulnerability assessment are indispensable components of every respectable information security program, as they allow the persons in charge of a company to gain invaluable insight into the security posture of the company in question.

Risk-Oriented Prioritization

It appears that in today's digital world every self-respecting business owner needs to incorporate into its overall corporate security policy a workable vulnerability management program based on risk-oriented prioritization. As a procedure, risk management involves identification, evaluation, and prioritization of risks so that one can monitor, control, and eventually minimize
the probability and/or negative impact of events detrimental to security as a whole.

Normal Circumstances

Under normal circumstances, no scanning tools or applications are used to facilitate risk analysis. To find the type and extent of the risk, one should thoroughly analyze it. On the one hand, there is a specific vulnerability (e.g., a line item from a penetration test) and, on the other hand, there is a perceived risk of sorts. It could be any kind – financial, regulatory, reputational, business continuity, etc.

Risk Management Elements

Martin-Vegue provides a very illustrative step-by-step example of how risk analysis works:

The analyst would first look at the vulnerable server, where it is on the network infrastructure and the type of data it stores. A server sitting on an internal network without outside connectivity, storing no data but vulnerable to Heartbleed has a much different risk posture than a customer-facing web server that stores credit card data and is also vulnerable to Heartbleed. A vulnerability scan does not make these distinctions. Next, the analyst examines threats that are likely to exploit the vulnerability, such as organized crime or insiders, and builds a profile of capabilities, motivations and objectives. Last, the impact to the company is ascertained – specifically, what bad thing would happen to the firm if an organized crime ring exploited Heartbleed and acquired cardholder data?

Risks are measured by how a risk triggering event could affect cost, technical performance, and schedule objectives. Each risk event projects a probability rating as well. Avalanches of data on security vulnerabilities call upon risk prioritization.

Three-prong Prioritization Program

There is a three-prong prioritization program that can successfully combine data of external assessments, the current state of control environment and data sensitivity with the purpose of helping businesses rank vulnerabilities and also prioritize remediation efforts:

  1. Establish vulnerability severity – through data feeds provided by the vendors of your vulnerability management tools one could determine the potential level of damage an exploit might inflict.

    By way of illustration, Mike Chapple from the University of Notre Dame notes how "a vulnerability that allows an attacker to gain administrative access to a system is much more severe than one that causes a denial of service. Severity information may also take into account the real-world existence of exploits; a theoretical vulnerability with no known exploits is less severe than one used by a virulent piece of malware."

  2. Evaluate data sensitivity – the risk factor increases if the information being processed in a system is sensitive. For instance, medical data or credit card data should rivet more attention than publicly available information. Regarding sensitivity, we can then observe three degrees of information: public, internal and highly sensitive.
  3. Evaluate existing controls – these existing controls secure potentially vulnerable systems and protect them from attacks. The individual in charge of evaluating the existing controls should implement a rating scale which reflects the expected level of controls in the company's environment. To illustrate this process, let's imagine two systems – one highly secured network that contains very sensitive files and a system with a public IP address that host a Web application not protected by a Web application firewall. While the former example merits a 5 rating on a five-point control scale, the latter is to be assigned a 1 or 2 rating.

Business Continuity is the compilation of procedures and processes that ensure an organization will remain up and running in times of crisis. The effectiveness of business continuity is being evaluated through a formalized technique called a business continuity plan audit. The purpose of this audit is to reveal whether the plan is in line with the organization's objective and at the same time is effective enough.

Business Continuity

By defining the threats or risks to the proper functioning of the business continuity plan and by putting to the test the controls in place to assess whether those threats and risks are acceptable, a pen test may work pretty much like a business continuity plan audit. It would also properly quantify the impact of the plan's omissions and recommend how to improve it. Whereas business continuity audits can draw their benefits from a structured audit framework, a pen tester usually has more options to choose from, depending on the scope of the test.

Again, similarly to an audit/assurance program, a pen test may contribute to the following aspects related to a company's business continuity and disaster recovery plan:

  • Deliver to company management an assessment of the company's preparedness in case of a major disaster of business character
  • Spot potential problems that may impede the normal business operations or their restoration
  • Draft and deliver to company management an independent evaluation of the effectiveness of the business continuity plan and its coherence with all overall IT security policies and subordinate continuity plans

Compliance Requirements

Compliance requirements do not equate to an actual security environment. Corporate management is prone to forget that. Much effort is directed towards meeting compliance norms, sometimes at the expense of the real operational security. When managers feverishly try to follow the letter of the law, it is easy to leave behind risks that pose real, often even imminent danger.

Here comes the pen testing again. Unlike theoretical security postures or security and compliance audits designed to ensure the existence of required controls and correct configuration, penetration testing focuses on real-life consequences.

Conclusion

Regular pen tests may achieve numerous significant objectives such as detect vulnerabilities, prioritize weak points, abide by compliance laws, preserve reputation, avert legal troubles, avoid diminished employee productivity and reduced revenue.

As we can see, regular performance of pen tests is more or less a critical precondition for the existence of a continuous improvement in an organization's security posture. Conducting regular pen tests may have a lot of additional benefits, some of them even unknown at the time of testing. Decision-makers who take the road of pen testing choose so not out of mere curiosity — they do it because they know pen testing is good for the business.

Reference List

Basu, E. (2013). What Is a Penetration Test and Why Would I Need One for My Company? Available at http://www.forbes.com/sites/ericbasu/2013/10/13/what-is-a-penetration-test-and-why-would-i-need-one-for-my-company/#388f02f442da (15/09/2016)

Basu, E. (2016). Vulnerability assessments vs. penetration testing. Available at http://www.itproportal.com/2016/03/17/vulnerability-assessments-vs-penetration-testing/ (15/09/2016)

Burton, A. Business continuity plan audit. Available at http://searchdisasterrecovery.techtarget.com/definition/business-continuity-plan-audit (15/09/2016)

Chabinsky, S. (2015). Best Practices for Conducting a Cyber Risk Assessment. Available at http://www.securitymagazine.com/articles/86754-best-practices-for-conducting-a-cyber-risk-assessment (15/09/2016)

Chapple, M. (2016). How to rank enterprise network security vulnerabilities. Available at http://searchsecurity.techtarget.com/tip/How-to-rank-network-security-vulnerabilities-in-your-system (15/09/2016)

computerweekly.com. Risk metrics: Measuring the effectiveness of an IT security control. Available at http://www.computerweekly.com/feature/Risk-metrics-Measuring-the-effectiveness-of-an-IT-security-control (15/09/2016)

George, T. (2016). The Truth About Penetration Testing Vs. Vulnerability Assessments. Available at http://www.securityweek.com/truth-about-penetration-testing-vs-vulnerability-assessments (15/09/2016)

hacklabs.com (2010). How to Evaluate a Vulnerability Management Program. Available at https://www.hacklabs.com/blog/2010/11/5/how-to-evaluate-a-vulnerability-management-program.html (15/09/2016)

isaca.org. Business Continuity Management Audit/Assurance Program. Available at
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Business-Continuity-Management-Audit-Assurance-Program.aspx (15/09/2016)

Martin-Vegue, T. (2015). What's the difference between a vulnerability scan, penetration test and a risk analysis? Available at http://www.csoonline.com/article/2921148/network-security/whats-the-difference-between-a-vulnerability-scan-penetration-test-and-a-risk-analysis.html (15/09/2016)

Rajaji, V. (2016). The New Rules of Penetration Testing. Available at https://blog.coresecurity.com/2016/08/09/the-new-rules-of-penetration-testing/ (15/09/2016)

Risk Management. Available at https://www.performanta.co.za/risk-management/ (15/09/2016)

Scheid, J. (2013). Risk Management - Prioritizing Risk. Available at http://www.brighthubpm.com/risk-management/34628-risk-management-prioritizing-risk/ (15/09/2016)

SecureWorks (2015). Vulnerability Assessments Versus Penetration Tests. Available at https://www.secureworks.com/blog/vulnerability-assessments-versus-penetration-tests (15/09/2016)

searchsecurity.techtarget.com. How to hone an effective vulnerability management program. Available at http://searchsecurity.techtarget.com/essentialguide/How-to-hone-an-effective-vulnerability-management-program (15/09/2016)

Varela, J. (2016). Tips to Use Penetration Testing to Protect Your Business from Cyber Attacks. Available at https://appdevelopermagazine.com/3947/2016/5/12/Tips-to-Use-Penetration-Testing-to-Protect-Your-Business-From-Cyber-Attacks/ (15/09/2016)

veracode.com. Vulnerability Assessment and Penetration Testing. Available at https://www.veracode.com/security/vulnerability-assessment-and-penetration-testing (15/09/2016)

Viegas, G. (2016). How to build a top-notch vulnerability management program. Available at http://www.csoonline.com/article/3027570/security/taking-the-vulnerability-management-program-from-good-to-great.html (15/09/2016)

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

In Figure 1 "Vulnerability Assessment and Penetration Testing" is used an image by Ken Teegardin

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.