In cybersecurity, as regarded in the ISO/IEC 27001, Vulnerability Management is one of the key controls. Its goal is to reduce risks from exposure. To do that, we have some tactics at hand: Vulnerability Assessment and Penetration Testing, a.k.a. VAPT.
In this tutorial, we’ll see how they may work together to improve our overall security.
2. Key Concepts
First, let’s review some key concepts. A vulnerability is any possibility of being exposed to attack or harm. In other words, it is a weakness that may give threats the chance to compromise assets. It can have multiple origins: hardware, software, network, or procedural.
Once exploited, the attacker may gain the ability to compromise the confidentiality, integrity, and availability of the user’s data. So, Vulnerability Management is the process in which vulnerabilities should be identified, having their risks assessed.
3. Vulnerability Assessment
Vulnerability Assessment is a process to help identify, qualify, quantify and prioritize vulnerabilities. It’s a usual risk analysis assessment. The primary focus is on the identification and mitigation of risks we may face. The standard points these controls:
- Vulnerability identification or assessment: to timely review the flaws, fixing them before harm
- Prioritization: using classical risk analysis to assess the most critical to business and operations
- Treatment: actions to treat the risks, reducing their odds or their damage
In the security techniques, the ISO/IEC 27002 goes a little further. It lists some best practices in vulnerability management:
- Asset inventory: in order to reckon vulnerabilities, we must know the universe of assets. It must include, among others, vendor, software versions, deployment state, related assets, and custodians. We cross it against vulnerability advisories like NIST NVD (National Vulnerability Database) or the OWASP Top Ten. There are some tools to help with asset discovery and vulnerability assessment, like OpenVAS or Nessus,
- Roles and responsibilities must be clearly set
- Reaction and notification timelines, i.e. how events and weaknesses are shared
- Risk assessment: once exposure is found, assess its risks and take mitigation actions, following a defined change management process
4. Penetration Testing
As we saw, the Vulnerability Assessment is a non-intrusive systematic approach to finding known vulnerabilities in assets. On the other hand, Penetration Testing, or pen-testing, is a process of scanning for unknown vulnerabilities and assessing whether fixes for the known ones are working. By definition, it is an intrusive approach. It can even help to identify vulnerabilities before they turn into zero-day attacks.
In penetration testing, we do a goal-oriented exercise, in which we try to find exploitable flaws. Once we find it, we exploit it and move on to check its potential harm and outcomes. That way we can, by acting like a real-life attack, show the current state of our defenses and assess the likely damage in the case of an actual attack.
To ensure effectiveness, it is good to do a previous vulnerability assessment, so that the pen-test might focus on checking how our fixes and on finding new uncovered holes.
There are some pen-testings depending on their goals:
- Black box: the tester has as little information as possible
- Gray box: the tester receives some information about the internal network and security controls in place
- White or clear box: the tester has full access to information regarding the evaluated systems
Also, it can focus on specific sets of targets like network services, web applications, client-side services, social engineering, or physical access.
5. Red, Blue, and Purple Teams
Today, building up an information security team is really a challenge for many businesses. What was once a small group of broadly skilled professionals doing it all, now is a much tougher industry. Enterprises are forming teams focusing on regularly exercising specific parts of their security life-cycle:
For example, what was the incident management team, is now also known as the Blue Team. It is responsible for all incident handling and defensive measures, regardless of their origin. So, this team, beyond any real incident, also responds to incidents created by the Red Team’s actions.
Hence, the Red Team is the attacker. They are always pen-testing assets and reporting back their results to help improve defenses.
Finally, managing the attack and defense cycles is the goal of the Purple Team. It is going to gather reports from the other teams and provide them with feedback on how to improve.
As we saw, to effectively protect our business, we must create awareness about the risks we are prone to. Moreover, understanding the risks through vulnerability assessments and penetration testing is essential to assure the continuity and safe operation of our businesses.