By Ammrish Singh, Associate Security Consultant – FIRMUS
Penetration Testing (pentest) is not a one-time activity. Penetration testing should be performed regularly (at least once a year) to ensure more consistent IT and network security management by revealing how newly discovered threats or emerging vulnerabilities might be exploited by malicious threat actors.
Any organisation can experience cyberattacks, including small and medium-sized enterprises, as they are an attractive target for cybercriminals. This is because they usually lack cybersecurity precautions or a dedicated cyber security team as compared to a larger organization. 43% of all cyberattacks target small and medium-sized enterprises, and the consequences of these breaches can be extremely costly, from loss of productivity to company reputation. 60% of all small and medium-sized enterprises are the victims of a data breach that pushes them to permanently close their doors within six months of the attack. Many businesses feel “too small” to be affected by a cyber incident. This is also known as the “It-Cannot-Happen-To-Me” syndrome.
There isn’t one good answer, as it is to be determined according to the organization’s priorities. On one hand, conducting a penetration test on the pre-production environment is interesting, as it is very similar to the production environment, and the tests will not affect the services used by the users. For that reason, there might be fewer restrictions for the test as some vulnerabilities might be further exploited. For instance, there is no repercussion on the production system.
On the other hand, performing penetration testing in a production environment enables the tester to test the vulnerabilities of the same target that is available to users and potential threat actors. It can also validate the security ecosystem the organisation has set up to protect its assets from external threat actors, which can further be used to enhance if required.
Confidential information that FIRMUS might encounter during a pentest is neither collected nor stored. The relevant screenshots will be taken to prove the existence of the vulnerability and impact which will be included in the report.
Yes. The possibility of having an independent, external entity evaluate security procedures and readiness can be practical and eliminate the problem of possible complacency (even involuntary) of in-house teams. This is also an advantage as the internal team can gain new knowledge of the tactics and techniques used by the 3rd party consultants in performing a penetration test.
Vulnerability Assessment
Vulnerability Assessment can be applied to servers, workstations, mobile applications, web applications, databases, or any possible IT asset. However, keep in mind that a vulnerability assessment only conducts an automated scan, and no human interaction is involved to mimic an attacker.
Automated scans may contain some false positives, but due to current technological advancements, it is safe to say that 80-90% of findings discovered by scanners are valid. Because scanners primarily use signature-based detection, they may or may not be able to further analyze the findings that they discovered. Thus, the analyst who reviews the findings should know the techniques of verifying and classifying if the vulnerability is valid or false positive.
Vulnerability assessment mainly focuses on weaknesses of the assets, such as OS patches, misconfiguration of commonly used software/applications, default configuration such as default password in use, version detection, outdated packages used in the assets, etc. These vulnerabilities are often related to a CVE (Common Vulnerabilities and Exposure) which tags certain vulnerabilities with a code from which the scanners get the signatures.
FIRMUS will use the Common Vulnerability Scoring System (CVSS). It is the most widely used vulnerability scoring method and can be obtained freely at https://www.first.org/cvss/calculator/3.1.
FIRMUS will not remediate the vulnerabilities found but will offer remediation guides and assistance.
