IT professionals have many responsibilities, but one of the most important is to protect the organization’s equipment, networks and data from malicious parties. Breaches and intrusions — even little ones — can jeopardize user information and compromise the integral systems you need to operate your organization.
The Ponemon Institute’s 2016 Cost of Data Breach Study for the United States says that the average data breach costs an organization $7 million, and the cost for each stolen or lost record is $221. These numbers are on the rise. The figures exclude the massive breaches that dominate the news; researchers felt these major incidents, which are relatively rare and not representative, would skew the data.
While it’s never possible to entirely remove all risk from IT, there are two methods for ensuring your network is as secure as possible. The first, vulnerability assessment, focuses on evaluating your current systems, including hardware and processes, to look for weak areas. The second, penetration testing, basically invites third parties — who are working on your side — to attempt to infiltrate your systems.
Many people are tempted to lump vulnerability assessments and penetration testing together, but they are very different in their approaches and methodologies. Neither approach can be ignored: They are required for nearly every organization through a wide spectrum of legislation and industry associations, including HIPAA (the Health Insurance Portability and Accountability Act) and PCI DSS (the Payment Card Industry Data Security Standard).
Vulnerability tests are designed to help your organization pinpoint areas of weakness. The process is typically automated; off-the-shelf software is designed to scour existing networks for the most common types of vulnerabilities. Software tools include Nessus, SAINT, OpenVAS and Kikto.
The output of a vulnerability assessment is a high-level report that details not just where the weaknesses are, but also how much risk is associated with each deficiency. This information must be quantifiable, useful and actionable.
Vulnerability assessments require what is called a “white box” approach. That means that the team performing the assessment — whether done internally or through a third party — requires the full cooperation of the organization.
Experts suggest that organizations conduct vulnerability assessments as frequently as possible. In fact, continuous vulnerability assessments are considered a best practice.
Vulnerability testing can be coordinated either by the organization’s internal IT function, or through a third party. Both approaches have their advantages. An internal IT team will become more familiar with their systems and networks by performing the assessments, but an external party might have more up-to-date information on vulnerabilities currently being exploited.
One of the issues related to vulnerability testing is that by the time a weakness has been identified and programmed into the automated testing software, some hackers will already be aware of it and will have moved on to find other potential weaknesses.
While a vulnerability assessment looks for where the weaknesses might be in IT, penetration testing is concerned with all the ways malicious parties might be able to break in. The malicious parties can be people attacking the network from outside, or internal agents looking to steal information or disrupt operations. Even accidents can cause damage — user error can cause serious damage.
In a penetration test, a team — typically a third party — attempts to hack into the organization’s network using both virtual attacks (through the Internet) or physical attacks (obtaining employee laptops or using USB keys).
Unlike a vulnerability assessment, penetration tests can be done periodically. Some experts say once a year is adequate, but certain organizations might require them more frequently because of government or industry rules.
While elements of penetration testing can be automated, the best testers write their own code to try to exploit and breach systems. And penetration testers can’t ignore low-tech methods for breaking into systems, such as phishing emails.
Penetration testing can take either a “white box” or “black box” approach. With the black box approach, the testers have no insight into the organization’s current security processes, technology and safeguards. This puts them in roughly the same position as malicious parties trying to hack into the system.
The Risk Element
Some experts recommend bringing risk experts into the performance and analysis of both vulnerability assessments and penetration testing. This professional requires a background not just in IT, but also in probability, statistics, risk management and finance.
A comprehensive risk analysis can help organizations prioritize tasks and determine if some risks are so low they don’t require immediate attention.