Three Ways to Validate Security Within Your Organization
BY LUKE DONALD
Your senior management has meticulously monitored the organization’s risks in the register. Your IT team has worked tirelessly, patching systems and updating configurations. Your users can spot spam from a mile away. What should you do to validate all your hard work? The information security industry has three common answers: vulnerability scans, penetration tests, or red team engagements. Picking the right one for your organization often comes down to the maturity level of your organization’s security program.
Vulnerability scans use automated tools to interrogate the network-attached devices belonging to your organization from the perspective of an attacker. These scans answer two questions: what services are running, and are there publicly known vulnerabilities associated with those services (usually judged by matching the service and version a host reports against a database of known-vulnerable versions)? In most cases, the vulnerabilities found are not exploited or chained together. Vulnerability scans tend to be quick and cost effective; however, the output can be long and difficult to interpret. Accurately sifting through the results to weed out false positives (for example, a distribution package that reports an old version number but has already received a backported fix) and deciding whether to remediate or accept each risk usually requires some training. Scanning is an excellent way to validate the effectiveness of your patch management program.
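To make the version-matching and false-positive point concrete, here is a toy scanner check. It is an added example written for this article, not SixGen's tooling or code from any real scanner. The banners, the rule set and the rule identifiers (RULE-1, RULE-2) are all constructed placeholders, and the "backport" heuristic simply flags vendor-suffixed package versions for manual review rather than deciding anything on its own.

```python
"""
Toy version-matching check in the style of a vulnerability scanner.

Added example, not part of the original article and not SixGen's code.
Every banner and rule below is constructed for illustration; the rule
identifiers are placeholders, not real advisory numbers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    product: str
    fixed_in: tuple   # first version that is no longer affected
    note: str


# Constructed rule set of the form "product X before version Y is affected".
RULES = [
    Rule("RULE-1", "OpenSSH", (8, 0), "placeholder rule: fixed in 8.0"),
    Rule("RULE-2", "nginx", (1, 20, 1), "placeholder rule: fixed in 1.20.1"),
]

# Constructed banners as a scanner might collect them: (host, port, banner).
BANNERS = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"),
    ("10.0.0.5", 443, "Server: nginx/1.18.0"),
    ("10.0.0.9", 22, "SSH-2.0-OpenSSH_9.3"),
]

# How to pull a comparable version tuple out of each product's banner.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH[_/ ](\d+)\.(\d+)"),
    "nginx": re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)"),
}

# Vendor package suffixes that commonly indicate a distribution build.
# Such builds often receive backported security fixes without a version
# bump, so a version-only match against them may be a false positive.
BACKPORT_HINT = re.compile(r"(deb\d+u\d+|\bel\d+\b|ubuntu)", re.IGNORECASE)


def parse_version(product, banner):
    """Return the version tuple for `product` found in `banner`, or None."""
    match = BANNER_PATTERNS[product].search(banner)
    return tuple(int(x) for x in match.groups()) if match else None


def is_backport_build(banner):
    """True when the banner looks like a vendor-patched distribution package."""
    return bool(BACKPORT_HINT.search(banner))


def scan(banners, rules):
    """Match every banner against every rule; flag likely false positives."""
    findings = []
    for host, port, banner in banners:
        for rule in rules:
            version = parse_version(rule.product, banner)
            if version is None or version >= rule.fixed_in:
                continue
            findings.append({
                "host": host,
                "port": port,
                "rule": rule.rule_id,
                "version": version,
                # needs_review marks a match an analyst should verify by
                # checking the vendor changelog before treating it as real.
                "needs_review": is_backport_build(banner),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(BANNERS, RULES):
        print(finding)
```

Run against the constructed banners, the check reports two matches: the nginx 1.18.0 host as a straightforward finding, and the Debian OpenSSH 7.4p1 host with `needs_review` set, because the `+deb9u7` suffix means the package version alone does not tell you whether the fix was backported. That review step is exactly the triage work the paragraph above says scan output requires.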
Where vulnerability scans give you insight into whether specific hosts have vulnerabilities, penetration tests help reveal weaknesses between systems, people, and processes, and almost always include a vulnerability scan. During testing, penetration testers validate and prioritize the risks found in that scan. Your users will often be in scope of these engagements and may receive emails or phone calls designed to elicit sensitive information or get them to execute software on their endpoints. Penetration testers will find passwords left in text documents, attempt to intercept network traffic, and chain multiple vulnerabilities together to take over networks. This form of testing aims to exercise as many security controls as possible in a short amount of time. It is far from silent or sneaky, as the tests will usually generate a lot of alerts. Because of this, penetration tests may be inadequate for gauging an organization's detection and response capabilities. The results of a penetration test include a wide variety of "findings", tailored and prioritized for your organization's needs, and these reports can serve as a roadmap for improving your security posture. Penetration tests are more expensive than vulnerability scans, but they are in high demand because they deliver so much more information.
After testing systems with vulnerability scans and penetration tests, your organization's defenses are in reasonable shape; but what happens if a malicious attacker slips past them? Can you detect the intrusion, and how will your security team respond? Where penetration testing aims to broadly test a wide number of security controls, red teaming aims to test an organization's ability to detect and respond to an attack. Red team engagements simulate a malicious attack, often with a specific goal such as obtaining an administrator's credentials, gaining access to a particular file server, or even gaining access to a bank account. Red teams interact with your organization's systems and people as little as possible to avoid detection. This type of testing is the most expensive option and is usually only useful to organizations that have a mature information security program with dedicated security analysts. Red team assessments help organizations fine-tune detective tools such as SIEM, MDR, and NDR, refine and train SOC staff, and further develop their incident response plans.
Vulnerability scans, penetration tests, and red team engagements are very different exercises, but each can be useful in validating your organization's security. For more information, reach out to SixGen's team here.