Vulnerability assessment and penetration testing

  • John Ruben
  • 27th September, 2024

What is vulnerability management?

Vulnerability management is the ongoing, regular process of identifying, assessing, reporting on, managing and remediating security vulnerabilities across endpoints, workloads and systems.

Because organizations potentially have many cybersecurity vulnerabilities within their IT environment, a strong vulnerability management program uses threat intelligence and knowledge of IT and business operations to prioritize risks and address cybersecurity vulnerabilities as quickly as possible.
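The prioritization step described above is where threat intelligence and business context do their work. The following Python script is an added illustration, not code from the original post or from any vendor's product: it blends a scanner's CVSS score, a threat-intelligence feed of known-exploited CVEs, asset criticality and Internet exposure into one risk score, assigns a priority tier and a remediation due date. The weights, tiers, SLA days, the `CVE-0000-000x` identifiers and the four sample findings are all constructed placeholders.

```python
"""Risk-based prioritization of vulnerability scanner findings.

Added example (not from the original post). All weights, tiers, CVE ids and
sample findings are constructed placeholders chosen to show the effect of
threat intelligence and business context on the final ordering.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed threat-intelligence feed: CVEs observed being exploited in the wild.
# These ids are placeholders, not real advisories.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Business context (assumed scale): how much a flaw on this asset tier matters.
ASSET_WEIGHT = {"crown-jewel": 1.0, "business": 0.7, "lab": 0.3}

# Remediation SLA in days per priority tier (assumed policy).
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float          # CVSS base score, 0.0 to 10.0
    asset_tier: str      # key into ASSET_WEIGHT
    internet_facing: bool


def risk_score(f: Finding) -> float:
    """Combine severity, exploitation intel and exposure into a 0..100 score."""
    score = f.cvss * 10 * ASSET_WEIGHT[f.asset_tier]   # severity scaled by asset value
    if f.cve in KNOWN_EXPLOITED:
        score *= 1.5                                   # intel: actively exploited
    if f.internet_facing:
        score *= 1.2                                   # reachable by anyone
    return min(100.0, round(score, 1))


def priority(score: float) -> str:
    """Map a risk score onto a remediation tier."""
    if score >= 80:
        return "P1"
    if score >= 60:
        return "P2"
    if score >= 30:
        return "P3"
    return "P4"


def prioritize(findings, today=date(2024, 9, 27)):
    """Return findings sorted by descending risk with tier and due date."""
    rows = []
    for f in findings:
        s = risk_score(f)
        p = priority(s)
        rows.append({"host": f.host, "cve": f.cve, "score": s, "priority": p,
                     "due": today + timedelta(days=SLA_DAYS[p])})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample scan output.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 7.5, "crown-jewel", True),
    Finding("db-01",  "CVE-0000-0002", 9.8, "crown-jewel", False),
    Finding("lab-07", "CVE-0000-0003", 9.8, "lab", False),
    Finding("hr-app", "CVE-0000-0004", 5.3, "business", True),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS):
        print(f"{r['priority']} {r['score']:5.1f} {r['host']:7} {r['cve']} due {r['due']}")
```

Note what the ordering shows: the CVSS 7.5 flaw on an exposed crown-jewel host outranks a CVSS 9.8 on an isolated database, and the CVSS 9.8 on a lab box lands in P3 despite being known-exploited, because the business-context weight pulls it down. Pure CVSS ordering would have produced the opposite.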

What to Look for in a Vulnerability Management Solution

Managing exposure to known cybersecurity vulnerabilities is the primary responsibility of a vulnerability manager. Although vulnerability management involves more than simply running a scanning tool, a high-quality vulnerability tool or toolset can dramatically improve the implementation and ongoing success of a vulnerability management program.

The market is filled with options and solutions, each claiming leading qualities. When evaluating a vulnerability management solution, keep these things in mind:

Timeliness is important: If a vulnerability management tool fails to detect vulnerabilities in a timely manner, then the tool isn’t very useful and doesn’t contribute to overall protection. This is where network-based scanners often fail. It can take a long time to complete a scan and consume a large portion of your organization’s valuable bandwidth only to produce immediately outdated information. It’s better to choose a solution that relies on a lightweight agent rather than on a network.

Performance impact on an endpoint is key: Increasingly, vulnerability scanning vendors claim to offer agent-based solutions. Unfortunately, most of these agents are so bulky that they dramatically impact an endpoint’s performance. Therefore, when searching for an agent-based tool, look for one with a lightweight agent — one that consumes very little space on an endpoint to minimize any effect on productivity.

Real-time, comprehensive visibility is critical: You should be able to see what’s vulnerable in an instant. Legacy vulnerability tools can hinder visibility — network scans take a long time and provide outdated results, bloated agents slow business productivity, and bulky reports do little to help address security vulnerabilities in a timely manner.

Less is more: Organizations no longer need a complicated set of security tools and solutions that require personnel with specialized skills. Instead, many now rely on an integrated platform that includes vulnerability management tools along with other security tools for cyber hygiene, endpoint detection and response, device control and more — ultimately protecting your organization from attack due to unprotected systems.

What is Penetration Testing?

Penetration testing, sometimes referred to as pen testing or ethical hacking, is the simulation of a real-world cyber attack in order to test an organization’s cybersecurity capabilities and expose vulnerabilities. While some might consider a pen test just a vulnerability scan meant to check the box on a compliance requirement, the exercise should actually be much more.

The purpose of pen testing is not just to test your environment’s vulnerabilities, but to test your people and processes against likely threats to your organization as well. Knowing which adversaries are more likely to target you allows a penetration tester to mimic the specific tactics, techniques, and procedures (TTPs) of those specific adversaries – giving an organization a much more realistic idea of how a breach might occur.

Penetration Testing Steps

In most cases a penetration test will follow the steps laid out in the MITRE ATT&CK framework. If you’re not familiar with the MITRE framework, it is a knowledge base of known adversarial tactics, techniques, and procedures that occur along various phases of a breach’s life cycle.

Following this framework offers a way for pen testers to create a model of a specific adversary’s behavior, thereby allowing them to more accurately mimic the attack during the test. Currently, there are twelve tactics in the MITRE ATT&CK Enterprise matrix:

1. Initial access refers to the vectors adversaries exploit to gain a foothold in an environment.

2. Execution refers to the techniques used to run the adversary’s code after gaining access to the environment.

3. Persistence tactics are actions that allow attackers to maintain their presence in a network.

4. Privilege escalation refers to the actions taken by an adversary to gain higher levels of access to a system.

5. Defense evasion tactics are techniques that allow adversaries to go unnoticed by a system’s defenses.

6. Credential access refers to techniques used to obtain credentials from users or admins.

7. Discovery refers to the learning process through which adversaries better understand the system and the access they currently possess.

8. Lateral movement is used by adversaries to obtain remote access to and control of additional systems.

9. Collection tactics are those used by attackers to gather targeted data.

10. Command and control tactics are used to establish communication between the compromised network and the adversary’s controlling infrastructure.

11. Exfiltration refers to the actions adversaries take to remove sensitive data from the system.

12. Impact tactics are those meant to affect a business’s operations.

It’s important to note that the above tactics used in a pen test are dependent on the tactics of the adversary being mimicked.
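Because the tactics exercised depend on the adversary being mimicked, a useful check at report time is to compare what the test actually covered against the profiled adversary. The Python below is an added example, not part of the original post: it keys the twelve tactics listed above by their ATT&CK tactic IDs, takes an assumed adversary profile (the set of tactics the emulated group is believed to use) and a constructed list of test findings, and reports covered tactics, gaps, and findings that fall outside the profile. The profile, finding ids and finding titles are all constructed.

```python
"""ATT&CK tactic coverage report for an adversary-emulation pen test.

Added example (not from the original post). The tactic IDs are the real
ATT&CK Enterprise tactic identifiers; the adversary profile and the findings
are constructed for illustration.
"""
from collections import Counter

# The twelve tactics listed in the post, keyed by ATT&CK tactic ID.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0004": "Privilege Escalation",
    "TA0005": "Defense Evasion",
    "TA0006": "Credential Access",
    "TA0007": "Discovery",
    "TA0008": "Lateral Movement",
    "TA0009": "Collection",
    "TA0011": "Command and Control",
    "TA0010": "Exfiltration",
    "TA0040": "Impact",
}

# Assumed profile of the adversary being mimicked (constructed, not a real group).
ADVERSARY_PROFILE = {"TA0001", "TA0002", "TA0003", "TA0006",
                     "TA0008", "TA0009", "TA0011", "TA0010"}

# Constructed findings from the test, each tagged with the tactic it exercised.
FINDINGS = [
    {"id": "F-01", "tactic": "TA0001", "title": "Phishing simulation: 3 of 40 recipients opened the attachment"},
    {"id": "F-02", "tactic": "TA0001", "title": "VPN portal accepted a weak password from the password policy audit"},
    {"id": "F-03", "tactic": "TA0003", "title": "Scheduled task created by the test survived reboot unnoticed"},
    {"id": "F-04", "tactic": "TA0004", "title": "Service account holds local admin on 12 workstations"},
    {"id": "F-05", "tactic": "TA0006", "title": "Cleartext credentials found in a shared build log"},
    {"id": "F-06", "tactic": "TA0011", "title": "Outbound DNS to unknown domains not monitored"},
]


def coverage_report(profile, findings):
    """Compare tactics exercised by the findings against the adversary profile."""
    unknown = {f["tactic"] for f in findings} - TACTICS.keys()
    if unknown:
        raise ValueError(f"unknown tactic id(s): {sorted(unknown)}")
    per_tactic = Counter(f["tactic"] for f in findings)
    exercised = set(per_tactic)
    covered = sorted(profile & exercised)
    return {
        "covered": covered,
        "gaps": sorted(profile - exercised),            # profiled but never tested
        "out_of_profile": sorted(exercised - profile),  # tested but not in this adversary's playbook
        "findings_per_tactic": dict(per_tactic),
        "coverage_pct": round(100 * len(covered) / len(profile)),
    }


if __name__ == "__main__":
    rep = coverage_report(ADVERSARY_PROFILE, FINDINGS)
    print(f"coverage: {rep['coverage_pct']}% of profiled tactics")
    for key in ("covered", "gaps", "out_of_profile"):
        print(key, [f"{t} {TACTICS[t]}" for t in rep[key]])
```

The gaps list is the actionable part: a profiled tactic with no finding means either the control held (worth stating explicitly in the report) or the test never reached that phase, and the two should not be confused.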

Types of Penetration Testing

When considering a pen test, it’s important to remember that there is no one-size-fits-all test. Environments, industry risks, and adversaries differ from one organization to the next. Furthermore, no single type of pen test will serve all the needs of an organization.

There are several types of pen tests that are designed to meet the specific goals and threat profile of an organization. Below are some of the most common types of pen tests.

1. Internal Pen Testing: Assesses your organization’s internal systems to determine how an attacker could move laterally throughout your network. The test includes system identification, enumeration, vulnerability discovery, exploitation, privilege escalation, lateral movement, and objectives.

2. External Pen Testing: Assesses your Internet-facing systems to determine whether exploitable vulnerabilities expose data or allow unauthorized access from the outside world. The test includes system identification, enumeration, vulnerability discovery, and exploitation.

3. Web Application Pen Test: Evaluates your web application using a three-phase process. First is reconnaissance, where the team discovers information such as the operating system, services and resources in use. Second is the discovery phase, where the team attempts to identify vulnerabilities. Third is the exploitation phase, where the team leverages the discovered vulnerabilities to gain unauthorized access to sensitive data.

4. Insider Threat Pen Test: Identifies the risks and vulnerabilities that can expose your sensitive internal resources and assets to those without authorization. The team assesses weaknesses such as deauthentication attacks, misconfigurations, session reuse, and unauthorized wireless devices.

5. Wireless Pen Testing: Identifies the risks and vulnerabilities associated with your wireless network. The team assesses weaknesses such as deauthentication attacks, misconfigurations, session reuse, and unauthorized wireless devices.

6. Physical Pen Testing: Identifies the risks and vulnerabilities in your physical security that could be used to gain access to a corporate computer system. The team assesses weaknesses such as social engineering, tailgating, badge cloning and other physical security objectives.

When Should You Conduct a Penetration Test?

The most important time to conduct a pen test is before a breach occurs. Many organizations don’t make the effort until after they’ve been successfully attacked — when they’ve already lost data, intellectual property and reputation. However, if you have experienced a breach, a post-breach remediation pen test should be conducted to ensure the mitigations are effective.

Best practices suggest conducting pen tests both while the system is in development or being installed, and again right before it’s put into production. The danger of running a pen test too late is that updates to the code are more costly and code change windows are usually smaller.

Pen tests are not a one-and-done proposition. They should be conducted whenever changes are made and/or at least annually. Factors including company size, infrastructure, budget, regulatory requirements, and emerging threats will determine the appropriate frequency.

We at Arise Falcon work with threat intelligence in real time to provide vulnerability assessment and penetration testing. Contact us for a free quote.
