To identify, address and manage potential issues facing the business, IT departments perform thorough risk assessments that allow them to prevent technical failures, malicious attacks and legal problems related to loss of privacy of data and transactions. A good risk assessment helps devise plans to quickly recover from attacks and system downtime while improving an organization’s’ security strategy. Risk management is an ongoing requirement for businesses of all sizes. Organizations must consider a variety of threats when developing a risk management plan, including external vectors of attacks, natural calamities or internal threats like system failure and user error. They also need to plan for regular reviews of their security posture and of their contingency plans. A vital component of any risk management effort is an efficient security assessment program that allows for identification of issues that might pose a threat to the organization. This allows for identification of related risks and assessment of their impact. Following this approach, vulnerabilities, threats or faulty policies and procedures can be discovered early, making sure the IT architecture is safe and sound. Many vulnerabilities are due to weaknesses in the actual IT infrastructure (e.g., a software flaw or hardware malfunction). To find these issues, companies can use a variety of tools and techniques: vulnerability scanning, network discovery, or performing security testing (e.g., Burp Suite Free Edition with SoapUI to fuzz different parameters). However, technical issues are not the only ones a company needs to address. Vulnerabilities can also be created by inadequate or outdated policies, failing internal controls, lack of specific user training, inefficient backup plans and a pattern of exploits. Therefore, to counteract the wits of malicious hackers and their many intrusion techniques, a good security assessment program needs to employ the use of IT teams that can apply technical skills and creativity to discover flaws in the company security posture. These can be ethical hackers or pentesters who can not only assess the defenses put in place but also uncover the resilience of the company’s staff to social engineering attempts. A thorough security assessment should first concentrate on technical weaknesses; it can begin with any paper record consisting of a plan (scheduling audits and reviews) to identify gaps or issues in policies and procedures. Then, a variety of software and hardware devices can be applied, such as vulnerability, wireless, and Bluetooth scanners; password discovery programs; and network discovery and configuration review tools. To further test technical configurations and the IT architecture, human-based techniques like pentesting can be added to devise ever-changing attack strategies and make use of methods that target the user, like phishing or spearphishing. Vulnerability scanning during the security assessment is performed using automated tools; it can be regularly scheduled, automatically activated and initiated by IT security professionals manually when needed. Scanning tools comb through all systems and networks to identify vulnerabilities and return reports that highlight all potential issues. As NIST Special Publication 800-115 reports, “the system’s behaviors and outputs in response to attack patterns submitted by the scanner are compared against those that characterize the signatures of known vulnerabilities, and the tool reports any matches that are found. Besides signature-based scanning, some vulnerability scanners attempt to simulate the reconnaissance attack patterns used to probe for exposed, exploitable vulnerabilities, and report the vulnerabilities found when these techniques are successful.” This security assessment methodology is inexpensive and is commonly applied by businesses of all sizes. However, by itself, it might be inadequate. Complex patterns of attacks exploiting several vulnerabilities might not be immediately recognized by scanners or IT professionals reviewing the lengthy reports that they produce. Vulnerability checks also only identify issues and are unable to apply patches or remediation solutions automatically. Scanners rely heavily on the ability of the IT professionals to sift through information in the reports and determine if corrective measures are necessary. Scanning tools are a somewhat passive security assessment measure. To counteract hackers’ attack mechanisms, it is crucial to apply active methods to protect assets. A great way is for companies to utilize the services of ethical hacking and penetration testers. Pentesting or other ethical hacking techniques look for vulnerabilities by using a variety of (often less traditional) methods. Their work is especially important when utilized in a subsequent stage, to test a system that has been hardened. The concerted attempts of these professionals can test the systems to see if they can withstand a realistic attack. Ethical hackers and pentesters can discover vulnerabilities beyond the capabilities of any automated tools. They can uncover more of the infrastructure’s critical weaknesses, as well as highlight gaps in end-user security awareness. Different types of approaches can be used according to the needs of the company. For example, a team of pentesters could do the task from within the organization after being granted user-level access to the systems. This approach would help discover vulnerabilities and potential threats from trusted insiders who already have some privileges in the network. Pentesters intruding the system from outside the perimeter can test with surprise attacks and maneuvers to circumvent firewalls, antivirus and antimalware. They can also challenge employees’ resilience through social engineering techniques. In these cases, pentesters work together with existing IT staff that are aware of the testing in progress (white-hat hacking). However, covert testing (black-hat hacking) is also a possibility for management to explore as part of their security assessment program and to test the readiness of IT personnel. The importance of good security professionals with the right pentesting and ethical hacking skills is obvious for companies that want to implement truly thorough security assessment programs in support of their risk management efforts. Moreover, as more and more companies must employ professionals to test their systems routinely, it becomes essential for IT practitioners to acquire sound hacking skills. Ethical hackers as well as pentesters can come from different walks of life. Much of their knowledge is learned on-the-job and through trial and error, although an information systems formal degree is normally part of their background. However, there are programs that are available and can guide students towards acquiring and applying the right knowledge to test systems for security. InfoSec Institute, for example, offers a number of valuable courses including an Ethical Hacking Boot Camp with lectures and hands-on labs. Instructors are recognized experts with proven industry experience. The focus of the course is to teach students how to use the same techniques employed by black-hat hackers for white-hat, ethical hacking. Also, the course covers threat assessment and measurement and how to discover vulnerabilities. The knowledge acquired from the program can help students earn two certifications: the EC-Council Certified Ethical Hacker and the Rapid7 Metasploit Pro Certified Specialist. Risk management is an essential function for any company that relies on IT infrastructure to support their mission. An analysis of the real risks facing an organization is only possible after the identification of threats and vulnerabilities, and how they can be exploited to access information. Only then can a company can evaluate how to manage their risks better and how much to invest in mitigation. A through security assessment is an essential starting point to provide the basis for a meaningful security audit. Results and findings can be used to evaluate the impact of all resulting measures on the overall security posture of the organization. A single security assessment technique cannot give companies a complete picture of how resilient their IT infrastructure is. Therefore, applying multiple tools and methods is always the appropriate approach. Scanning tools for automated discovery and the use of ethical hacking professionals to simulate real-world attacks can paint a complete picture and help organizations make cost-effective decisions to protect their digital assets. Glover, G. (2015). Pentesting vs. Vulnerability Scanning: What’s the Difference? Retrieved from http://blog.securitymetrics.com/2015/05/pentesting-vs-vulnerability-scanning.html Kostadinov, D. (2016, June 10). Ethical Hacking vs. Penetration Testing. Retrieved from /ethical-hacking-vs-penetration-testing/ Martin-Vegue, T. (2015, May 13). What’s the difference between a vulnerability scan, penetration test and a risk analysis? Retrieved from https://www.csoonline.com/article/2921148/security/whats-the-difference-between-a-vulnerability-scan-penetration-test-and-a-risk-analysis.html National Institute of Standards and Technology. (2008, September). Technical Guide to Information Security Testing and Assessment. NIST Special Publication 800-115, 80 pages. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
