Regular vulnerability assessments, penetration testing, and social engineering testing are fundamental to good security

The process of vulnerability assessment is an in-depth evaluation of an organization's cybersecurity infrastructure, which includes networks, systems, hardware, software, and other information technology. The purpose is to identify vulnerabilities in these areas in order to prioritize and remediate them. Remediation prevents cybercriminals from exploiting an organization’s weaknesses to steal sensitive data and other digital assets. 

Most security-related regulations require annual risk assessments, which include vulnerability assessments. Some, such as the Payment Card Industry Data Security Standard, require vulnerability assessments to be performed quarterly to ensure optimum security.

Three Categories of Vulnerabilities

Vulnerabilities can be present in an organization in physical form, digital or electronic form, and social form. Following are a few examples in each category.

• Physical vulnerabilities. Examples of physical vulnerabilities would be a hospital whose employees have left passwords to confidential information lying on a countertop or displayed openly on a computer monitor. Or company employees leaving an exterior door cracked open to avoid having to use their access cards when stepping out on break. Or an organization whose employees allow unfamiliar individuals to piggy-back on their keycard access to an entrance door.
• Digital vulnerabilities. Electronic or digital vulnerabilities may take the form of an outdated firewall or other infrastructure that becomes less and less secure over time. Poor password policies, and unpatched software are other examples, along with losing a USB drive, tablet, or other digital device containing company information. Another example would be an employee sending a sensitive email to the wrong individual by mistake.
• Social vulnerabilities. These consist of human weaknesses that enable hackers to socially engineer or “phish” their targets. For example, a hacker may employ false pretenses to manipulate a targeted employee, spoofing a legitimate source in an email. Think back a few years to the phony emails from DHL urging targeted employees to click the link provided to track the wayward package. In most cases, hackers take advantage of human vulnerabilities to obtain credentials to access sensitive information they can sell or exploit.

What a Vulnerability Assessment May Include

Vulnerability assessments may include different activities depending on their frequency or specific purpose. They can be customized to suit a variety of needs. When planning a vulnerability assessment, it is important to understand the variables that influence the scope of a given assessment.

Typically, vulnerability assessments include the following services.

• External and internal vulnerability scans

• In-depth penetration testing

• Social engineering testing, including phishing testing

• Physical security testing

• On-site or remote assessment and testing

Penetration Testing: Benefits for Your Organization

Any organization can benefit from regular penetration testing as part of their scheduled vulnerability assessments. Below are four advantages of pen tests specifically.

Human Engagement. Penetration testers perform as ethical hackers. Emulating cybercriminals, they try to penetrate your defenses, finding ways into your network by exploiting security gaps they discover. Due to the nature of their work, they acquire a unique view of your organization’s IT safeguards that routine, automated vulnerability scans cannot.

Range of Resources. Modern scanning tools can detect myriad vulnerabilities in known systems but may overlook vulnerabilities that are specific to a business. A skilled pen tester uses a range of automated tools and enhances them with real-world experience and training to achieve a complete look at your unique organization and its vulnerabilities.

Expertise and Experience. Security weaknesses can be greater than the sum of their parts when exploited in a particular sequence by a savvy attacker. An experienced pen tester has the human ability to connect the dots and to understand individual vulnerabilities in a larger context.

Detailed, Actionable Report of Findings. The product of any professional penetration testing is a report of findings and recommendations for remediating those weaknesses. Automated scanning tools may point out certain general solutions, but a report written by an experienced pen tester will describe remedial actions your organization can take to address each specific security issue.

In addition to these important benefits, penetration testing is available in several categories, as described below.

Types of Penetration Testing Available

Internal and External Testing. Penetration testing includes internal and external testing. External penetration testing targets assets that are visible on the Internet (such as DNS, email, or company website), while internal penetration testing concentrates on the local area network or LAN and various intelligent devices connected to it. Internal testing has the advantage of helping to detect malicious or negligent insider activities as well as evidence of criminal hackers who may have embedded in the network.

White, Black, and Gray Box Testing. Penetration tests can also be classified according to (1) how much organizational information is shared with the pen tester at the outset of the assignment, and (2) the level of access the pen tester is granted in order to conduct the testing. These classifications are known as white, black, or gray box testing (or substitute the word hat for box), and all three have upsides and downsides.

• White box testing refers to the granting of full access to conduct the pen test, and the sharing of complete network and system architecture documentation, network maps, source code, user roles, and any other documentation that may be useful in planning the pen test and analyzing the findings.
• In black box testing, the pen tester behaves like a typical hacker in that he or she has no deep knowledge of the network to be tested. Only the documentation that is publicly available (such as user manuals or vendor software documentation) is shared with the pen tester. It is probably the most realistic of the three testing scenarios since most hackers have no knowledge of the inner workings of a network as they plan their attack on it.
• As the name implies, gray box testing is a hybrid that blends the best elements of white and black box testing to achieve actionable results in optimal time. Gray box testers usually have some degree of internal network knowledge, including a current network map or system architecture documentation, and have been granted internal access to the network.

Learn more about the details of various types of penetration testing so that you can determine which are right for your organization. The National Institute of Standards and Technology also offers guidance on penetration testing.

Social Engineering Testing

With the continuing popularity of phishing schemes among cybercriminals, it’s vital to include social engineering testing as part of your overall vulnerability assessment.

The adage that a chain is only as strong as its weakest link simply means that the most vulnerable part of a system (or program, or team) can bring down the entire structure, whether a computer network, an individual PC, or a corporate department. Even a strong security posture can be breached by a hacker or scammer determined to find and exploit the weakest link. The concept of low-hanging fruit is similar—describing the tendency among many cybercriminals to go after the easiest targets, to steal the most poorly protected data or digital assets.

The purpose of social engineering testing is to determine how vulnerable your employees are to phishing schemes and similar techniques that attack the human link in the security chain. To that end, testing uses different techniques to mimic various social engineering schemes. Some examples include:

• Using in-person social engineering attempts to gain access to secure business areas in your building or offices.
• Conducting vishing, phishing, and smishing exercises, as well as in-person attempts, to obtain private or proprietary information.
• Performing spear phishing attacks that target specific employees, and whaling attacks that target members of management.

After testing employee and management vulnerability to social engineering, a crucial element of strengthening the human link is cybersecurity awareness training. Training helps employees to understand why it is important to protect business assets, including data, and to recognize the various social engineering schemes employed by cybercriminals. Training also instructs them in actions they should take if they suspect something is not quite right.

Like penetration testing, social engineering testing is enormously beneficial to organizations in pinpointing weaknesses in security defenses and enabling them to be addressed. Other elements of vulnerability assessments are also important in taking a complete look at an organization’s security weaknesses.

Summary

Vulnerability assessments are in-depth evaluations of an organization's cybersecurity infrastructure, which includes networks, systems, hardware, software, and other information technology. The purpose is to identify vulnerabilities and remediate them to prevent cybercriminals from exploiting weaknesses to steal sensitive data and other digital assets. 

Most security-related regulations require annual security risk assessments, which include vulnerability assessments. Key components of vulnerability assessments are penetration testing and social engineering testing. These services can be tailored to an organization based on test frequency and security needs. If it’s been too long since your last assessment, contact us to schedule one.