Penetration Testing or Security Assessment: Which is Best?

Introduction

Everyone needs a periodic check of their security posture. Here are some things to consider, especially if you have never undergone a security audit. There are two primary types of service, and they are sometimes confused with each other. The first is a penetration test. The other is a full security assessment.

Analysis

Penetration test

A security firm is hired to act as an outsider trying to break into your network and steal your data. They use a vulnerability scanner, such as Nessus or a commercial product like Core Trace, to find exposed weaknesses: which IP addresses are live, which ports are open, which services (an old Telnet or FTP daemon, for example) are running vulnerable versions, and whether your DNS servers are misconfigured. Once they have that map they attempt to exploit the vulnerabilities to get in. The final deliverable is usually a lengthy report on what they found, with specific evidence that they broke in. They almost always get in somewhere.

While this is useful, there are drawbacks. A pen test is not exhaustive: unless the rules of engagement say otherwise, the consultant often feels the job is done once they break in. If you want outside confirmation of how vulnerable you are, a pen test is a great way to learn that, and you should immediately close every hole they find. The trouble is that closing today's holes is not good protection against the vulnerabilities that will open up tomorrow. The other problem is that the bad guys have largely moved on from this type of attack. Today they would rather trick one of your employees into visiting a malicious website or opening an e-mail attachment that infects the desktop with a Trojan horse. Some pen testers will do this as well, but all you learn is that your employees are your biggest vulnerability.
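
The reconnaissance step just described (live hosts, open ports, service versions) in miniature, as an added example that is not part of the original article: a banner-grabbing sweep in Python that flags cleartext services and disclosed version strings. The `ExampleFTPd` banner and the loopback listener that serves it are constructed so the script runs offline; the cleartext and version heuristics are the example's own, not any scanner's rule set.

```python
import re
import socket
import socketserver
import threading

# Constructed heuristics for this example (not from the original post): a
# service that moves credentials in cleartext is a finding on its own, and a
# version string in the banner is what feeds the exploit-selection step.
CLEARTEXT = {21: "FTP", 23: "Telnet"}
VERSION_RE = re.compile(rb"([A-Za-z][\w-]*)[ /_-]v?(\d+(?:\.\d+)+)")


def grab_banner(host, port, timeout=1.0):
    """Connect and read what the service says first. None means closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256)
            except socket.timeout:
                return b""  # open but silent: HTTP, for example, waits for a request
    except OSError:
        return None


def classify(port, banner, service=None):
    """Turn one banner into findings. `service` overrides the port lookup so a
    daemon on a non-standard port is still recognised."""
    service = service or CLEARTEXT.get(port)
    if service is None and banner.startswith(b"\xff"):
        service = "Telnet"  # telnetd opens with IAC option negotiation
    elif service is None and banner.startswith(b"220") and b"FTP" in banner.upper():
        service = "FTP"
    findings = []
    if service in CLEARTEXT.values():
        findings.append(f"{port}/tcp {service}: cleartext credentials")
    m = VERSION_RE.search(banner)
    if m:
        findings.append(f"{port}/tcp: version disclosed "
                        f"{m.group(1).decode()} {m.group(2).decode()}")
    return findings


def scan_host(host, ports, known_services=None):
    """One reconnaissance pass: sweep ports, grab banners, classify.
    Closed or filtered ports are left out of the result."""
    known_services = known_services or {}
    results = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        results[port] = {"banner": banner,
                         "findings": classify(port, banner, known_services.get(port))}
    return results


class _CannedBanner(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.sendall(self.server.banner)


def start_canned_service(banner):
    """Constructed stand-in for a real target so the example runs offline:
    a loopback listener that greets every client with `banner`."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _CannedBanner)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_canned_service(b"220 ExampleFTPd 1.0 ready\r\n")
    for p, r in scan_host("127.0.0.1", [port], {port: "FTP"}).items():
        print(p, r["banner"].strip(), r["findings"])
    srv.shutdown()
    srv.server_close()
```

Against the canned listener the sweep reports both a cleartext-credentials finding and the disclosed `ExampleFTPd 1.0` version; a real engagement would take that version into the exploitation step the paragraph describes, which is exactly the line between a scan and a penetration test.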


Security Assessment

A full-fledged security assessment is a far better investment than a penetration test. In this case the consultant comes into your establishment (or several of your locations) and scans the network from the inside. They also run diagnostics on representative desktops, email servers, application servers, and database servers. They look at your business processes and controls. They interview your IT staff and review your security policies. They analyze your firewall rules and any other security products you have. They look at your routers, switches, and Wi-Fi devices to make sure your network really is what you think it is. Their final report can turn into a working remediation document, and often the consultant will offer additional services to fix the issues they uncover.
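
One piece of the inside-out review described above, as an added example rather than anything from the original article: a small audit of an `iptables-save` export that flags a permissive default policy, management ports accepted from any source, cleartext Telnet, and rules shadowed by an earlier unconditional drop. The ruleset, the port list and the checks are constructed for illustration; a real review would extend the list to the customer's own services and cover the other tables and chains.

```python
import ipaddress
import shlex

# Constructed review checklist (not from the original post): management
# services that should never be reachable from arbitrary sources, and the
# one among them that is a finding on any source because it is cleartext.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 3306: "MySQL",
              3389: "RDP", 5432: "PostgreSQL", 5900: "VNC"}
CLEARTEXT = {23}

# Constructed iptables-save output standing in for a customer's firewall export.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/8 --dport 3306 -j ACCEPT
-A INPUT -p tcp -s 0.0.0.0/0 --dport 23 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Pull the fields the review needs out of one `-A` line. Match options
    we do not model (-m state, --state, ...) are still counted as matches so
    that a rule with no match at all is recognised as unconditional."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": None, "dport": None,
            "target": None, "matches": 0, "raw": line}
    for i, t in enumerate(toks):
        if t == "-A":
            rule["chain"] = toks[i + 1]
        elif t == "-j":
            rule["target"] = toks[i + 1]
        elif t.startswith("-"):
            rule["matches"] += 1
            if t == "-p":
                rule["proto"] = toks[i + 1]
            elif t == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
    return rule


def audit(saved_rules):
    """Review an iptables-save text (filter table only) and return findings."""
    findings = []
    chains = {}
    for line in saved_rules.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(f"{chain}: default policy ACCEPT, "
                                "traffic matching no rule is allowed")
        elif line.startswith("-A"):
            r = parse_rule(line)
            chains.setdefault(r["chain"], []).append(r)
    for chain, rules in chains.items():
        blocker = None  # target of the first unconditional rule seen
        for r in rules:
            if blocker:
                findings.append(f"{chain}: unreachable rule after unconditional "
                                f"{blocker}: {r['raw']}")
                continue
            if r["target"] == "ACCEPT" and r["dport"] in MGMT_PORTS:
                name = f"{MGMT_PORTS[r['dport']]} ({r['dport']}/{r['proto']})"
                if r["dport"] in CLEARTEXT:
                    findings.append(f"{chain}: {name} is a cleartext protocol: {r['raw']}")
                if r["src"] is None or r["src"].prefixlen == 0:
                    findings.append(f"{chain}: {name} accepted from any source: {r['raw']}")
            if r["matches"] == 0 and r["target"] in ("ACCEPT", "DROP", "REJECT"):
                blocker = r["target"]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On the sample export the audit produces five findings: the INPUT default policy, SSH open to the world, Telnet twice (cleartext and unrestricted), and the web rule that can never match because it sits behind `-A INPUT -j DROP`. The MySQL rule restricted to 10.0.0.0/8 passes. That last, shadowed rule is the sort of thing that makes the network differ from what the owner thinks it is, and it does not show up from the outside at all.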

 

Who should you call?

There are two classes of security testing service: your local small firm of experts and the big consultancies. I usually recommend going with the local security firm. Both generally have very knowledgeable people with all sorts of certifications, but the big firms (Deloitte, PwC, etc.) are far more expensive. If you are publicly traded, or want to demonstrate to your board or customers that you have a clean bill of health, a big firm might be the answer. But if your goal is to discover your security posture and develop a plan to get more secure, your local firm is the better way to go.

Conclusion

Remember that a security assessment is just a first step. Getting and staying secure is a continuous process that requires continuous investment.

Disclosures and References

Top 100 security tools http://sectools.org/

Clement Dupuis
Posted on May 12, 2010

It seems that your definition of a Security Assessment versus a Penetration Test is not really accurate.

A penetration test would include ALL of the steps of the security assessment, but instead of simply reporting POTENTIAL vulnerabilities you go one step further and attempt to validate them by penetrating the remote target. This is the only way to know for sure whether it is vulnerable or not.

Only about 10% of clients will do a penetration test; most will choose a security assessment, where their own staff will validate whether or not it is a true vulnerability.

Yes, pen testing includes a capture-the-flag approach, or sometimes the tester will drop a graphic or file on the system to prove their access. However, they do not stop at the first vulnerability; they would still complete the full test.

The rules of engagement will dictate what would be done.

Take care

Clement
http://www.professionalsecuritytesters.org
http://www.cccure.org

William McBorrough
Cyber Security Advisor, Secure Intervention
Posted on June 1, 2010

I assume you mean "vulnerability" assessment. I don't think it's an either/or proposition. A full security assessment often includes a vulnerability assessment AND a penetration test. The fact that a vulnerability exists does not necessarily mean it is exploitable, hence the penetration test.

Dan Berger
Posted on June 21, 2010

Whether penetration test or vulnerability assessment (or both), we find it most helpful to take a risk-based approach to addressing the problem. Findings should be actionable and prioritized based on risk.

http://www.redspin.com

However, black box penetration testing is a labor-intensive activity and requires expertise to minimize the risk to targeted systems. At a minimum, it may slow the organization's network response time due to network scanning and vulnerability scanning. Thanks.
Regards,
http://www.convurje.com/
