
Combine Vulnerability Management with Security Pen Testing

Rhett | May 23, 2019

For an organization to be confident in its security posture, regular testing is key. Two types of testing are central to assessing that posture: penetration testing and vulnerability scanning.

Compliance regimes such as PCI DSS and HIPAA call for both pen testing and vulnerability management. Although both are important, they have different objectives. Vulnerability scans, a key component of vulnerability management, look for known vulnerabilities on devices connected to the enterprise network, while a typical penetration test tries to determine whether a weakness that is found can actually be exploited as it is deployed today.

The Anatomy of a Pen Test

Although there are different types of pen testing scenarios, such as external, internal, blind, double-blind, and targeted testing, the process generally includes five stages:

  1. Defining and planning the scope and goals of the test, followed by intelligence gathering and reconnaissance
  2. Scanning the target's resources with a range of scanning tools
  3. Attempting to exploit the vulnerabilities the scan turned up
  4. Exploring whether a compromised host can be used as a pivot point to reach other devices on the network
  5. Compiling the results into a concise report that states what was exploitable and the value of the data that was reached

The penetration test is best performed by a third party to keep both the testing and the analysis report objective. Although scanning tools provide some automation, a pen test is far from an automated process: the tester should be experienced in ethical hacking techniques and able to write scripts and adjust test settings to the organization's particular environment.

These tests are time-intensive and require highly skilled testers, which makes them costly. The scope of the test is usually defined by risk and by the value of the assets; because of the time and cost involved, attempting to exploit low-risk, low-value assets is not practical. Depending on the type of penetration test being conducted, there is also a possibility of causing an outage. Together these factors mean a penetration test is typically scheduled only once or twice a year.

Most importantly, once the pen test is complete, decisions have to be made about how to resolve the issues it found. For example, firewall configurations might need to be updated or patches applied.

Create a Secure Enterprise by Combining Penetration Testing and Vulnerability Management

Though pen tests take place infrequently, managing vulnerabilities frequently and consistently is critical. This is where vulnerability management comes into play. Vulnerability management is the continuous process of identifying, classifying, prioritizing and remediating vulnerabilities, and it plays a crucial part in the cyber hygiene lifecycle. A good vulnerability management plan starts with an initial assessment that inventories assets and defines the risk and critical value of each. It is also good practice to define a baseline for each device type on the network: which ports should be open, which services should be running, and which software should be installed.

As part of the vulnerability management process, security teams need to scan their systems for vulnerabilities on an enterprise-wide scale. All types of devices are scanned, from firewalls, routers, and switches to servers and applications. Vulnerability scanning does not attempt to exploit vulnerabilities; it identifies them.

When performing a vulnerability scan, take advantage of third-party plugins to enhance the results. For example, Detectify has a built-in subdomain monitoring function that watches your subdomains continuously and provides summaries and reports. Depending on company policy or the size of the network, the scan can be done all at once or it may need to be done in segments. The vulnerability scan gives systems and security administrators information on missing patches, outdated protocols and certificates for each asset scanned.

The results of the scan should be used to plan remediation activities that prevent attackers from exploiting the vulnerabilities found. These scans and remediation activities should be repeated regularly and continuously throughout the year. According to the Center for Internet Security (CIS), continuous vulnerability management is one of the six "basic" controls in the 20 CIS Controls. Control 3, Continuous Vulnerability Management, calls for organizations to "continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers."
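As an added example (not Vulcan's code and not part of the original post), the script below implements the two steps this section describes: comparing scan output against the per-device-type baseline defined during the initial assessment (expected ports, services, protocol floor), and turning the findings into a remediation queue ranked by issue severity times asset criticality. The baselines, criticality values, severity weights and the three sample scan records are all constructed for illustration.

```python
"""Baseline drift check and risk-ranked remediation queue over scan output.

Added example, not Vulcan's own code. Everything below (device-type
baselines, asset criticality values, severity weights and the sample scan
records) is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Per-device-type baseline: what "normal" looks like for that class of asset.
# Constructed; in practice this comes from the initial asset assessment.
BASELINES: Dict[str, dict] = {
    "web-server": {"ports": {22, 443}, "services": {"ssh", "https"}, "min_tls": "TLSv1.2"},
    "db-server": {"ports": {22, 5432}, "services": {"ssh", "postgresql"}, "min_tls": "TLSv1.2"},
}

# Protocol versions from weakest to strongest, used to judge "outdated protocol".
TLS_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class ScanResult:
    """One host's worth of scanner output, reduced to the fields we compare."""
    host: str
    device_type: str
    criticality: int                  # 1 (low value) .. 5 (crown jewels), from the asset inventory
    open_ports: Set[int]
    services: Set[str]
    lowest_tls: Optional[str] = None  # weakest TLS/SSL version the host still accepts
    cert_days_left: Optional[int] = None
    missing_patches: List[str] = field(default_factory=list)  # packages with pending updates


@dataclass
class Finding:
    host: str
    issue: str
    severity: int     # 1..5, intrinsic seriousness of the issue (constructed weights)
    criticality: int  # copied from the asset so the score can be computed

    @property
    def score(self) -> int:
        # Risk = how bad the issue is x how much the asset matters.
        return self.severity * self.criticality


def check_host(r: ScanResult) -> List[Finding]:
    """Compare one scan record against the baseline for its device type."""
    base = BASELINES[r.device_type]
    found: List[Finding] = []
    for port in sorted(r.open_ports - base["ports"]):
        found.append(Finding(r.host, f"unexpected open port {port}", 3, r.criticality))
    for svc in sorted(r.services - base["services"]):
        found.append(Finding(r.host, f"unexpected service {svc}", 3, r.criticality))
    if r.lowest_tls is not None and TLS_ORDER.index(r.lowest_tls) < TLS_ORDER.index(base["min_tls"]):
        found.append(Finding(r.host, f"outdated protocol {r.lowest_tls} offered", 4, r.criticality))
    if r.cert_days_left is not None and r.cert_days_left < 30:
        found.append(Finding(r.host, f"certificate expires in {r.cert_days_left} days", 2, r.criticality))
    for pkg in r.missing_patches:
        found.append(Finding(r.host, f"missing patch for {pkg}", 4, r.criticality))
    return found


def remediation_queue(results: List[ScanResult]) -> List[Finding]:
    """Highest risk first; ties broken by host and issue so the order is stable."""
    findings = [f for r in results for f in check_host(r)]
    return sorted(findings, key=lambda f: (-f.score, f.host, f.issue))


# Constructed sample scan: three hosts, two device types, differing asset value.
SAMPLE_SCAN = [
    ScanResult("web01", "web-server", 4, {22, 443, 8080}, {"ssh", "https", "http-proxy"},
               lowest_tls="TLSv1.0", cert_days_left=12, missing_patches=["openssl"]),
    ScanResult("db01", "db-server", 5, {22, 5432}, {"ssh", "postgresql"},
               missing_patches=["postgresql"]),
    ScanResult("web02", "web-server", 1, {22, 443, 8080}, {"ssh", "https", "http-proxy"},
               lowest_tls="TLSv1.2", cert_days_left=200),
]

if __name__ == "__main__":
    for f in remediation_queue(SAMPLE_SCAN):
        print(f"{f.score:3d}  {f.host:6s} {f.issue}")
```

The ranking is the point: the same unexpected port on a low-value web server lands at the bottom of the queue, while a single pending patch on the criticality-5 database lands at the top, which is the asset-value weighting the text argues for over raw finding counts.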

Because the vulnerability management process runs frequently, ideally continuously, and has a wider scope than a pen test, it is likely to discover more vulnerabilities within the enterprise than a pen test will. The cost of a vulnerability scan is also low compared to a pen test, which makes it the more cost-effective function as well. What's more, because the process starts from an asset inventory with assigned risk and criticality, each finding can be rated against your specific IT environment rather than by generic severity alone.

Tools like Vulcan's remediation platform can make the vulnerability management process more effective and efficient by orchestrating and automating the response process, saving valuable time for security teams. With Vulcan you can manage both vulnerability scans and penetration testing, helping your organization implement a mature vulnerability management process and build a solid security posture.

To find out more about improving your cyber security posture through continuous vulnerability monitoring and remediation, contact us to schedule a consultation.
