Common Security Assessment Questions

Penetration tests and network vulnerability assessments are essential components to a company's information security playbook.

Below are frequent questions we receive regarding vulnerability assessments and penetration tests and why they are important.

Why should I run a vulnerability assessment or pen test on my network?

It’s all about visibility into the unknown.  Good patch management only addresses the issues that are known.  Performing vulnerability assessments and/ or penetration tests allow for the discovery and correction of issues that might otherwise remain undetected.

Where should we start: a vulnerability assessment or a penetration test?

A vulnerability assessment scans the network using various tools and checks for possible vulnerabilities on the hosts, network and applications. The penetration test takes the process one step further and tries to exploit the vulnerabilities found in the scanning phase to compromise a host and extract passwords and files. From here, the scanner can go deeper into the network and possibly scan for additional targets. Penetration tests should be considered when the environment is already thought to be in a good state.  Otherwise, many compliance requirements include a penetration test. 

Will the vulnerability scanning bring down my network?

While there is risk to performing a vulnerability assessment, the likelihood of affecting production applications is low.

We have an intrusion detection/prevention system (IDS, IPS). What effect will this have on the testing for network vulnerability assessment?

Testing should light up an IDS like a Christmas tree!  This is a good opportunity to test IDS systems for effectiveness.

For a vulnerability assessment, if the device is an IPS, the scanner will recommend that the IP addresses are whitelisted. The IPS will drop or block packets coming from the scanner. While this may seem like a smart idea, the scanner may not be able to determine flaws on your hosts that may be there. If you utilize IDS, it may generate a steady flow of alerts.

For penetration testing, it is recommended to let the IPS block malicious traffic because this shows your network is secure. If an IDS is used, similar to the vulnerability assessment, it may generate a large amount of alerts.

What industry credentials do testers typically have?

Industry experience is the most valuable indication of qualification.  Common industry credentials include ISC2’s CISSP and ISACA’s CISM or CISM.

Should we do a scan or continuous monitoring?

A scan is a snapshot view of vulnerabilities existing in the company’s environment. They only tell you what happened in that moment, not what happened before or after the scan. The more an organization scans, the more accurate the metrics are.    

Continuous monitoring, on the other hand, will keep the security team constantly aware of newly detected weaknesses, vulnerabilities and flaws.

Both scanning and continuous monitoring are valuable.  Vulnerability Management programs should be tailored to the risk. 

How often will my network need to be reassessed?

Apart from regular testing, retests should be performed after material changes to the environment, such as new server deployments, major upgrades to applications, changes to network architecture, etc.

How long do network vulnerability assessments take?

This is dependent on network size and complexity.  The best approach is to establish baselines and develop a strategy that makes sense.  Consider what the reporting requirements are as well.

What tools are typically used for vulnerability assessments and penetration tests?

Network tools can include port scanners, vulnerability scanners, application-level assessment tools, etc.

We're here to answer any questions you have! Contact us.