It’s easy to think about network security as an entirely reactive practice. When a new threat arises, typical responses are to install patches or change configurations, or even to upgrade your protection with a new security provider or vendor. There’s a lot of proactive work that can be done to make sure that you have the best security possible, to help prioritize your security needs, and to get an accurate, practical assessment of where your devices and configurations really stand right now. Today, we’ll take a close look at vulnerability scanning and penetration testing, two techniques for clarifying how secure your network is right now.
What Is a Vulnerability?
Virtually all software can have vulnerabilities. At its most fundamental level, software is just something that runs on your computer. Typically, we want a program to do a specific, desirable thing, and this means that it needs to run or execute commands. It does this behind the scenes, usually in a programming language, making changes to files as it does what we want it to. Because any program has this power (to use the operating system and/or the processor), we always want the program to be run by the right user and for the right reason.
Vulnerabilities are potential lapses in this principle; if an unauthorized user or threat actor can run the program, or if the program’s functions can be used to do something unwanted, then there is a vulnerability in the program. For well-known software, these vulnerabilities are published and listed as CVEs (Common Vulnerabilities and Exposures), among other programs for disclosing software problems.
When a vulnerability is known only to attackers, it might be called a zero-day vulnerability or a novel attack, but when researchers understand that there is a vulnerability, they’ll publish it as a CVE. This lets software makers know that there’s a problem to fix or mitigate, and lets maintainers, service providers, and users know that there’s a vulnerability in the software that will need fixing or mitigating, either with the help of a patch from the software maker or by changing how the software is protected to mitigate any risks that the vulnerability poses.
Exploitation of these vulnerabilities is a markedly different kind of security risk than email compromise or attacks based on authentication or social engineering. This is because vulnerabilities are structural problems. A vulnerability in a router or firewall, for example, can be attacked by anyone from the internet, so it doesn’t require gaining trust or tricking someone. It can happen entirely remotely and without any fault of a user; it requires only the determination of an attacker to find and exploit the vulnerability or misconfiguration. The attacks that can result are some of the most devastating, such as advanced persistent threats, where an attacker can live in your network indefinitely if they cover their tracks well enough.
Scanning Your Network for Vulnerabilities
The practice of looking at all of your IT resources and configurations to determine if there are CVEs or other vulnerabilities is called vulnerability scanning. It works similarly to malware scanning (classic antivirus techniques), in that it looks specifically for issues that are known to the cybersecurity community to be vulnerabilities. This scanning is different from technologies like SIEM because it looks structurally at your network and its software, instead of monitoring what’s happening right now. The two are complementary: SIEM shows how the network and devices are being used, while vulnerability scans show how well defenses are constructed.
One of the things that this scan would do, for example, is get the version of software that’s running on your router and refer to a vulnerability database to enumerate some of the issues that the software may have. If there are known issues with the software, then there should be a record of recommendations for safe use of the product, or at the very least a warning that you should replace the device. Most vulnerability scans also look for misconfiguration, reporting on which ports may be exposed on your firewall, for example, or noting that a better method of accessing the network may be available.
The report that comes from a vulnerability scan can be used to prioritize and plan how to better secure your network and devices. If a misconfiguration is identified, then the risks that it poses can be prioritized according to best practices, and a project can be created to fix the misconfiguration. On the other hand, misconfigurations are often a sign that there was a need for a more creative configuration, so what might be reported as a misconfiguration could point to a better way of configuring a system that is using a workaround or shortcut.
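To make the two steps above concrete (matching an inventoried software version against a vulnerability database, then prioritizing the resulting findings alongside exposed-port misconfigurations), here is an added example in Python. It is not code from the original article or from Crown Computers. The device inventory, the advisory database (with placeholder ids such as EXAMPLE-0001 instead of real CVE numbers), the severity scores, and the external-port allowlist are all constructed for illustration; a real scanner would pull advisories from a live feed and gather versions from the devices themselves.

```python
"""Minimal version-matching vulnerability scan with finding prioritization.

Added example; not the article's or Crown Computers' code. Every advisory,
device, score and port policy below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed advisory database: product -> list of
# (highest affected version, advisory id, severity 0-10, description).
# A real scanner would load this from a vulnerability feed (e.g. the NVD).
ADVISORIES = {
    "routeros": [
        ("6.49.5", "EXAMPLE-0001", 9.8,
         "remote code execution in management interface (constructed)"),
    ],
    "openssh": [
        ("8.4", "EXAMPLE-0002", 5.3,
         "information disclosure (constructed)"),
    ],
}

# Constructed policy: the only port this organization permits to be
# reachable from the internet. Anything else exposed is a misconfiguration.
ALLOWED_EXTERNAL_PORTS = {443}

# Management-style ports get a higher constructed score when exposed.
HIGH_RISK_PORTS = {22, 23, 3389}


@dataclass
class Device:
    name: str
    product: str
    version: str          # dotted numeric version string, e.g. "6.48.6"
    exposed_ports: set    # ports reachable from the internet


@dataclass
class Finding:
    device: str
    kind: str             # "cve" (known vulnerability) or "misconfig"
    reference: str        # advisory id or "port/<n>"
    severity: float       # constructed CVSS-like score, 0-10
    detail: str


def parse_version(version: str) -> tuple:
    """Turn "6.48.6" into (6, 48, 6) so versions compare numerically,
    not lexically (so "6.9" < "6.48" as intended)."""
    return tuple(int(part) for part in version.split("."))


def scan_device(dev: Device) -> list:
    """Match the device's software version against the advisory database
    and flag exposed ports that are not on the allowlist."""
    findings = []
    for max_affected, ref, sev, note in ADVISORIES.get(dev.product, []):
        if parse_version(dev.version) <= parse_version(max_affected):
            findings.append(Finding(
                dev.name, "cve", ref, sev,
                f"{dev.product} {dev.version} is affected "
                f"(fixed in versions after {max_affected}): {note}"))
    for port in sorted(dev.exposed_ports - ALLOWED_EXTERNAL_PORTS):
        score = 7.0 if port in HIGH_RISK_PORTS else 4.0
        findings.append(Finding(
            dev.name, "misconfig", f"port/{port}", score,
            f"port {port} reachable externally but not on the allowlist"))
    return findings


def prioritize(findings: list) -> list:
    """Highest severity first; at equal severity, known vulnerabilities
    before misconfigurations; then by device name for a stable report."""
    return sorted(findings,
                  key=lambda f: (-f.severity, f.kind != "cve", f.device))


# Constructed inventory standing in for what a scanner would discover.
INVENTORY = [
    Device("edge-router", "routeros", "6.48.6", {443, 8291, 22}),
    Device("bastion", "openssh", "8.9", {22}),
    Device("web-01", "nginx", "1.24.0", {443}),
]


def run_scan(inventory=INVENTORY) -> list:
    """Scan every device and return findings in remediation order."""
    findings = []
    for dev in inventory:
        findings.extend(scan_device(dev))
    return prioritize(findings)


if __name__ == "__main__":
    for f in run_scan():
        print(f"[{f.severity:>4}] {f.device:12} {f.kind:9} {f.reference:14} {f.detail}")
```

Running it produces a report with the router's constructed advisory at the top, followed by the exposed management ports on the bastion and the router, and nothing for the web server whose version has no advisory and whose only open port is on the allowlist. The ordering in `prioritize` is the part a team would tune: it encodes the article's point that a scan report is a planning input, and the scores and allowlist are where local policy belongs.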
Penetration Testing: Practical, Proactive Security
While vulnerability scans look for known vulnerabilities and misconfiguration, penetration testing (sometimes called “pen testing”) is a security analysis performed by having your security team use the same tools and techniques as threat actors. Instead of leveraging cybersecurity knowledge about known issues, pen testing leverages real-world malicious techniques to see if your systems can block intruders from unwanted access.
In the cybersecurity world, this is sometimes known as “red team” activities, where defending against threat actors is called “blue team.” Red-team, offensive activities are variously thought of as sensitive, taboo, or super cool in the industry, because employing them requires familiarity with all of the unethical and illegal techniques that are used by criminal organizations and state-sponsored threat actors. Penetration testing, in other words, is the cybersecurity equivalent of undercover law enforcement practices or espionage.
Employing pen testing is a vital part of defending your organization, since it engages on the most practical level of security and provides the most real-world insights into your security posture. While it could be considered a simulated attack, it provides your IT team with the ability to see how their security would stack up against a capable, determined intruder. It is only simulated in the sense that your data won’t find its way to the black market and your security team won’t delete all of your files; all of the technical controls that are in place to protect your data undergo actual subversion and attempted break-ins during the test.
Regular Scanning and Testing Improves Your Incident Response Performance
One of the key components of having a regular scanning and testing plan is that it sharpens your incident response team’s ability to respond. Ideally, any security incidents will be stopped during a security event; many of the tools that analyze what’s happening on your network and devices will have automatic remediation (and healing) for blocking malware or attacks. Because every organization has different devices, software, and networks, it’s important for an organization to know that their software, hardware, and security providers can work together to provide best-in-class security incident response. It’s for this reason that you’ll find regular testing and scanning on cyber insurance questionnaires and in cybersecurity regulations.
By testing and scanning regularly, you can get a more hands-on understanding of how your policies and plans are performing, or what needs to be more highly prioritized in achieving cybersecurity maturity. Having a detailed, expert-level look at what can happen with your networks and devices if someone is motivated to attack them is a key component of security planning, and ultimately, the best way to analyze how much to invest in securing your proprietary and confidential data.
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team