A Vulnerability Assessment (VA) is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture, indicating weaknesses as well as providing the appropriate mitigation procedures required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
A Penetration Test (PT) simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data.
Difference between VA/PT
- Typically is general in scope and includes a large assessment.
- Predictable. ( I know when those darn Security guys scan us.)
- Unreliable at times and high rate of false positives. (I’ve got a banner)
- Vulnerability assessment invites debate among System Admins.
- Produces a report with mitigation guidelines and action items.
- Focused in scope and may include targeted attempts to exploit specific vectors (Both IT and Physical)
- Unpredictable by the recipient. (Don’t know the “how?” and “when?”)
- Highly accurate and reliable. (I’ve got root!)
- Penetration Testing = Proof of Concept against vulnerabilities.
- Produces a binary result: Either the team owned you, or they didn’t.
Why it’s important?
A company’s IT infrastructure is of paramount importance to every business irrespective of the industry as all of their digital resources are stored in them. With the resurgence of cyber attacks and rise of software vulnerabilities, BUsinesses need to secure their IT now more than ever. Vulnerability Assessment (VA) and Penetration Test (PT) helps ensure that networks and systems are protected from these potential threats before a malicious actor exploit them. In addition, Business operate as usual and customers are provided with comfort knowing their privacy and data are in secured hands.
Who need VA/PT
- Banks/Financial Institutions, Government Organizations, Online Vendors, or any organization processing and storing private information.
- Most certifications require or recommend that penetration tests be performed on a regular basis to ensure the security of the system.
- PCI Data Security Standard’s Section 11.3 requires organizations to perform application and penetration tests at least once a year.
- HIPAA Security Rule’s section 8 of the Administrative Safeguards requires security process audits, periodic vulnerability analysis and penetration testing.
Worldwide Market Size
By 2022 the market size of different regions are estimated to be:
- North America: $2.8 billion (CAGR 14.1%)
- Europe: $2.2 billion (CAGR 15.7%)
- Asia Pacific: $2.4 billion (CAGR 19.9%)
By KBV Research, the global Security Testing market is expected to attain a market size of $7.8 billion by 2022, growing at a CAGR of 16.5% during the forecast period.
VA/PT Reports for Management
Management is least bothered about what you did or how did you do it.
They are concerned about what is risk and how to mitigate it. Hence below points must be captured in the report.
- – Executive Summary for Strategic Direction
- – Walkthrough of Technical Risks
- – Potential Impact of Vulnerability
- – Multiple Vulnerability Remediation Options
- – Concluding Thoughts
Security Hygiene for everyone (Check your score)
1. Social Media Security
a. Do you have two factor authentication in Facebook?b. Have you setup legacy and trusted contacts in Facebook?
2. Laptop/Desktop Security
c. Do you use strong password in your workstation?d. Do you use non-admin accounts for daily use?e. Do you have a paid anti malware solution?
3. Banking Security
Do you use a different mail id for banking?Do you use a different strong password for banking?Do you always use bank sites on your personal laptop/desktop?Do you always clear the cache/history before and after using bank sites?
4. Data Security
j. Do you take weekly backup of your laptop in external drive?k. Is your hard drive encrypted and password protected?
5. Mobile Security
l. Do you use 6 digit pin or password in the mobile?m. Do you have app locks application?n. Do you have “find my phone” enabled?o. Do you have PIN enabled in your SIM card?
Please rate your self with 2 marks for each “YES” as answer to above 15 question and get your hygiene score.
- 30 – Perfect
- 25-30 – Good
- 15-25 – Needs Improvement
- <15 – All the best ( ^_^ )