Client Experience - Vulnerability scanning demonstrates cybersecurity progress!
All businesses that deal with proprietary or sensitive data rate cybersecurity as a significant concern, and they hear about “penetration testing”, “vulnerability scanning”, and security “assessments”. What the heck does it all mean, and how can it affect your business? And how can you tell you are making progress in your cyber efforts?
Assessments
“Assessments” cover a variety of areas that are important to evaluating the state of an organization’s cybersecurity. Security assessments may be carried out by the business or by a third party; either way, they use an existing cybersecurity framework, which provides structure to the study. Each “section” of the assessment evaluates a different subject area. As an example, the external connections section (covering VPN, remote access, etc.) works to identify every connection from the Internet into the business’ data, wherever that data resides.
After all external connections are identified, the framework may then mandate identification of all means of authenticating users (e.g. VPN user accounts and whether they require multifactor authentication, Active Directory user accounts, time-of-day restrictions, etc.).
Assessments then compare the findings against the framework’s ideal results, and wherever there is a misalignment the evaluators make recommendations for remediation. The evaluator works with the business to set a timeframe for each remediation based upon the amount of business risk perceived for that specific shortcoming. As an example, any VPN connection permitted without multifactor authentication (MFA) would be perceived as a much higher risk than internal logins performed without MFA, and thus would need to be remediated sooner.
An important facet of any assessment is that it be dated and signed by the evaluator, and its submittal to the management team must be properly documented. Over time the assessments become a tool for prioritizing remediation efforts, which becomes critical in the face of any future audit.
Vulnerability Scanning
Vulnerability scanning involves the use of tools, by the business or a third party, that are tied to specific cybersecurity frameworks or are tied to or supported by an agency such as the National Institute of Standards and Technology (NIST). The SCC tool (SCAP Compliance Checker) is an example of such a tool.
When configured properly, vulnerability scanning uses a documented ideal standard, compares it against the settings and policies in use on a specific device (or group of devices), and grades the differences. The tool is run on the operating systems in a business (on servers and workstations) and then identifies, for each operating-system security policy setting, the “ideal” (and why), the current setting, and generally notes specifically how to correct the difference.
Unlike an assessment, vulnerability scanning typically assigns a numeric score as a percentage of “ideal”, which allows the vulnerability scores to be tracked easily over time. In addition, with well-supported vulnerability scanning tools such as SCAP, each vulnerability description provides references to the published vulnerability noted for the operating system. Importantly, this allows the security team to decide how much of a risk each vulnerability presents compared with any potential negative impact a ‘fix’ might have on software or operations.
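To make the “percentage of ideal” score and the risk-ranked remediation timeframes described above concrete, here is an added Python sketch; it is not the SCC tool or any real SCAP benchmark content. The rule ids, benchmark values, host settings, and deadline windows are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str    # hypothetical id, not a published SCAP rule id
    setting: str    # policy key as reported by the host
    op: str         # "eq" must equal, "min" must be >=, "max" must be <= ideal
    ideal: object
    rationale: str  # the "why" a scanner shows beside each ideal value
    fix: str        # how to correct the difference
    severity: str   # "high" or "medium"; drives the remediation deadline
# Constructed benchmark mirroring the VPN-vs-internal MFA example above.
BENCHMARK = [
    Rule("R-01", "vpn_mfa_required", "eq", True,
         "Internet-facing remote access must not rely on a password alone",
         "Enforce MFA on the VPN gateway", "high"),
    Rule("R-02", "internal_login_mfa", "eq", True,
         "Interactive logins on the internal network should also use MFA",
         "Enable MFA for Active Directory interactive logins", "medium"),
    Rule("R-03", "password_min_length", "min", 14,
         "Short passwords are cheap to crack offline",
         "Raise the domain minimum password length to 14", "medium"),
    Rule("R-04", "account_lockout_threshold", "max", 5,
         "Unlimited failed logins permit online password guessing",
         "Set the lockout threshold to 5 or fewer attempts", "medium"),
]
DEADLINE_DAYS = {"high": 7, "medium": 30}  # constructed remediation windows

def is_compliant(rule, current):
    if current is None:          # a setting the host does not report never passes
        return False
    return {"eq": current == rule.ideal, "min": current >= rule.ideal,
            "max": current <= rule.ideal}[rule.op]

def evaluate(settings, benchmark=BENCHMARK):
    """Return (percent of ideal, findings ordered by deadline then rule id)."""
    findings = []
    for r in benchmark:
        current = settings.get(r.setting)
        if not is_compliant(r, current):
            findings.append({"rule_id": r.rule_id, "setting": r.setting,
                             "current": current, "ideal": r.ideal, "fix": r.fix,
                             "rationale": r.rationale, "severity": r.severity,
                             "deadline_days": DEADLINE_DAYS[r.severity]})
    score = round(100.0 * (len(benchmark) - len(findings)) / len(benchmark), 1)
    findings.sort(key=lambda f: (f["deadline_days"], f["rule_id"]))
    return score, findings

# Constructed snapshot of one workstation; evaluate(HOST_SETTINGS) scores 25.0%.
HOST_SETTINGS = {"vpn_mfa_required": False, "internal_login_mfa": False,
                 "password_min_length": 12, "account_lockout_threshold": 5}
```

Running the same evaluation against each host on a schedule and recording the score is what turns a one-off scan into the trend line the text describes; the sorted findings list is the start of the remediation plan.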
Penetration Testing
When mandated by clients, insurance, or cybersecurity frameworks, penetration testing (aka pen testing) can be performed. Penetration testing differs from other evaluation methods in that:
it is normally performed by a third party (not the business or the business’ IT consultant)
it is intended to simulate an attacker who has gained a foothold inside the network, and it looks for the issues an attacker could take advantage of, using many of the same techniques an attacker would use
most pen tests simulate both attacks from the outside and attacks originating inside the network
the penetration test is performed carefully to minimize any opportunity for business disruption
Penetration testing provides documentation of detected weaknesses or successful exploits, along with recommendations on how to strengthen defenses.
The use of vulnerability scanning provides the business with actionable security intelligence that is important in hardening the computer operating systems in a business environment. This allows a remediation plan to be built upon some of the most detailed information available regarding technical security policies.