Penetration Testing
Vulnerability Assessment vs. Penetration Testing
It is important to understand what the test is, how it differs from a vulnerability assessment, and how the process differs from organisation to organisation.

The difference between a Vulnerability Assessment and a Penetration Test is often misunderstood, and both can be important in preventing cyber criminals from breaking into your network.
A Vulnerability Assessment is a scan conducted by an automated tool that checks your systems for known vulnerabilities.
It does not take the additional step of explaining what would happen if the vulnerability were exploited, the impact of a successful exploit, or whether the vulnerability can be used to access and exploit another vulnerability.

To maintain good information security, it is recommended to perform vulnerability scans regularly. Any changes to your network equipment, or any new equipment that is deployed, should be vulnerability scanned right away or even before deployment.
Vulnerability scans will detect missing patches and outdated services or protocols. Regular vulnerability scans are also a key part of helping defenders detect unauthorised changes in the network, such as staff violating control policies.
Penetration Testing is more than just scanning: it is performed by a security professional who takes the additional steps of exploiting the vulnerabilities to find out the extent of the impact an exploit could have.

For example, it can identify the impact of exploiting a vulnerability from outside of the network. Penetration testing will identify insecure business processes, weak security settings, unencrypted transmission of essential information such as passwords, and old stored credentials that are still valid for use.

Penetration tests do not need to be performed as often as vulnerability assessments, but they should be conducted regularly. During a penetration test, a security professional will simulate a real-world attack against your network, or against an agreed scope, to find out how serious the impact against the network can be.

A test report will be prepared to help remediate the issues discovered.
Differences between security tests
Scoping
How is the Test Conducted?

Planning is the first critical step, ensuring that the test is carried out to a high standard. This step might involve one or more interactive sessions with the client to gather the information needed for the initial plan.

Next, the testing is conducted at the arranged dates and times, starting with reconnaissance and scanning to identify the environment and technology in use.

This leads to threat modelling and then vulnerability analysis, where the plan evolves into prioritising what might present a bigger threat and what might need more attention during the test.

This quickly evolves into the exploitation stage, where everything is thoroughly tested. If a vulnerability can be exploited, its impact is documented in the last stage: a high-quality report for the client.
Prior to performing any penetration test, a scope definition exercise needs to be conducted. This is an interactive and collaborative session defining the goals, objectives, and expectations for the test. The session will define the most appropriate approach and resources to ensure all expectations for the engagement are met. During the scope definition, Cyber Strategies will guide the discussion to understand the technical and budgetary constraints that might apply to such a test.

The result will be a detailed statement of work that accurately defines:
- The objectives of the test,
- The methodologies and tests to be performed,
- Detailed scope and boundaries,
- Date and time frames for the test,
- Fees and payment terms,
- Assumptions,
- Terms and conditions,
- Report expectations.
This document is reviewed by both parties to answer any additional questions that might arise, make revisions where necessary and confirm that the document concisely reflects the expectations of the client.
Benefits
The service will identify potentially exploitable vulnerabilities in your systems and provide practical remediations.

A full and detailed report will be provided, containing a high-level written Executive Summary, the scope, and a detailed explanation of the discovered vulnerabilities and their impact.

Each identified vulnerability will have a risk rating, a CVSS score and thorough recommendations to help with the remediation process.
Pricing

The price of the service varies depending on the size of the scope and the complexity of the environment being tested; the initial starting prices are as follows: