Scanning for and identifying security risks is an integral part of any company’s security charter. But before you can identify the risks to your company, you need to identify what technology and services your company uses. Having an asset or service inventory enables your security team to identify what needs to be scanned or penetration tested.
First, consider some basic questions:
- Is my company running in a public cloud environment (e.g., AWS, GCP)?
- What vendor or open source products and software do we use?
- What operating systems are we using?
Once these questions (and many more) are answered you can pick the right tools for the job!
Vulnerability scanning
Vulnerability scanners are tools that aid in identifying vulnerabilities in components such as applications, infrastructure, and networks through automated scans. Each asset is scanned for any possible vulnerabilities, such as using a component that has an associated CVE, an unintended file being exposed on the internet, or using default credentials. Some scanners enable the user to configure a set of rules which help set the boundary and type of scan being performed.
There are two primary methods for conducting scans: credentialed scans and non-credentialed scans.
Credentialed scans
Credentialed scans involve comprehensive scanning within the environment. In this approach, the scanning tools are granted privileged access via a service account or an agent installed on the asset to explore the environment for vulnerabilities. By conducting a thorough examination of the assets, credentialed scans can uncover weak configurations and vulnerabilities.
Non-credentialed scans
On the other hand, non-credentialed scans don’t require any credentials to access the asset being scanned. Compared to credentialed scans, non-credentialed scans provide less detailed findings, as the scanner lacks a comprehensive view of the environment. These scans are typically used by penetration testers, researchers, and attackers to gain an understanding of the external risks posed by the asset.
By using credentialed and non-credentialed scans, organizations can gain valuable insights into the vulnerabilities present within their environments, allowing them to make informed decisions to enhance security measures.
While the results of a vulnerability scan offer useful information and provide the high-level security posture of the system, a penetration test includes a thorough analysis of the security risks posed in the environment.
Penetration testing
Another effective approach to identifying vulnerabilities in the environment is performing a penetration test (pen test). In this process, a security engineer performs an attack against the system to discover vulnerabilities and how they could be exploited. To create a realistic cyber attack scenario, the pen tester may even simulate the tactics, techniques, and procedures (TTPs) employed by actual adversaries.
Companies often hire someone externally to perform pen testing, which is also known as an external pen test. You achieve the most valuable results when someone unfamiliar with the environment conducts the pen test.
Nowadays, however, more companies have their own offensive security teams to perform internal pen tests. Both internal and external pen tests are extremely useful, as their two use cases cover an attacker inside and outside the network, respectively.
Here are the seven main steps of a pen test:
- Pre-engagement
- Reconnaissance or open source intelligence (OSINT) gathering
- Scanning or discovery
- Vulnerability assessment (gaining access)
- Exploitation (maintaining access)
- Post-exploitation, reporting, and risk analysis
- Remediation
The pen test generates a report once completed. This includes all of the found vulnerabilities along with their risk assessment and remediation details. Organizations can address the issues and bolster their security in the environment.
Prioritization of findings
Once you identify what vulnerabilities are present in your environment through automated scanning and pen testing, the next step is to remediate them to reduce your company’s risk profile. You might be thinking, “I have a list of thousands of vulnerabilities, how could I possibly prioritize all of them?” The good news is, you don’t have to! While you could focus on the severity the tools assign to each vulnerability, it’s more effective to prioritize based on the vulnerability’s impact to your business. This requires identifying what services, environments, and products are most critical to your business: Is this service or product customer-facing? Does it contain customer data? Will it cause significant revenue loss if there’s downtime?
Combining the business impact with the vulnerability’s severity can create a prioritized list of vulnerabilities. You can remediate starting with the most critical vulnerability and services, turning that list of thousands into hundreds or even less!
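The ranking described above, worked through in code as an added example (not part of the original article). The asset names, the `CVE-0000-*` identifiers, the CVSS scores and the scoring weights are all constructed placeholders chosen for illustration; the three yes/no questions about an asset come from the text, and the weighting that turns them into an impact multiplier is an assumption. The example also collapses the ranked findings into per-asset work items, which is how a list of thousands shrinks to the handful of services worth fixing first.

```python
"""Rank vulnerability findings by business impact combined with scanner severity.

Added example, not from the original article. Asset attributes, CVSS scores and
the CVE identifiers below are constructed placeholders; the weights are an
assumption chosen for illustration, not an industry standard.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    customer_facing: bool
    holds_customer_data: bool
    revenue_critical: bool

    def business_impact(self) -> int:
        """Score 1..4 built from the three questions the article asks about an
        asset. One point baseline plus one per 'yes' (assumed weighting)."""
        score = 1
        score += 1 if self.customer_facing else 0
        score += 1 if self.holds_customer_data else 0
        score += 1 if self.revenue_critical else 0
        return score


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str   # e.g. a CVE id; constructed placeholders in SAMPLE_FINDINGS
    cvss: float    # scanner-reported severity, 0.0..10.0

    def priority(self) -> float:
        """Combined score: scanner severity scaled by business impact.
        A CVSS 9.8 on a low-impact asset (impact 1) ranks below a CVSS 7.5 on a
        customer-facing, data-holding, revenue-critical service (impact 4)."""
        return round(self.cvss * self.asset.business_impact(), 1)


def prioritize(findings):
    """Return findings sorted highest priority first; raw CVSS breaks ties."""
    return sorted(findings, key=lambda f: (f.priority(), f.cvss), reverse=True)


def group_by_asset(findings):
    """Collapse the ranked list into per-asset work items.

    Returns [(asset_name, top_priority, [vuln_ids]), ...] ordered by the highest
    priority finding on each asset, so the remediation queue is a list of
    services rather than a list of thousands of individual findings."""
    groups = {}
    for f in prioritize(findings):
        # First finding seen per asset is its highest-priority one.
        entry = groups.setdefault(f.asset.name, [f.priority(), []])
        entry[1].append(f.vuln_id)
    ordered = sorted(groups.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(name, top, ids) for name, (top, ids) in ordered]


# Constructed sample inventory and findings (placeholder names and CVE ids).
CHECKOUT_API = Asset("checkout-api", customer_facing=True,
                     holds_customer_data=True, revenue_critical=True)     # impact 4
HR_PORTAL = Asset("hr-portal", customer_facing=False,
                  holds_customer_data=True, revenue_critical=False)       # impact 2
INTERNAL_WIKI = Asset("internal-wiki", customer_facing=False,
                      holds_customer_data=False, revenue_critical=False)  # impact 1

SAMPLE_FINDINGS = [
    Finding(INTERNAL_WIKI, "CVE-0000-0001", 9.8),  # critical CVSS, low-impact asset -> 9.8
    Finding(CHECKOUT_API, "CVE-0000-0002", 7.5),   # high CVSS, max-impact asset    -> 30.0
    Finding(HR_PORTAL, "CVE-0000-0003", 6.1),      #                                -> 12.2
    Finding(CHECKOUT_API, "CVE-0000-0004", 4.3),   # medium CVSS, max-impact asset  -> 17.2
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.priority():5.1f}  {f.asset.name:<14} {f.vuln_id}  (CVSS {f.cvss})")
    print("\nRemediation queue by asset:")
    for name, top, ids in group_by_asset(SAMPLE_FINDINGS):
        print(f"  {name:<14} top priority {top:5.1f}  {', '.join(ids)}")
```

Note what the ordering does to the one critical-severity finding: the CVSS 9.8 on the internal wiki drops to the bottom of the queue, while a medium-severity CVSS 4.3 on the checkout service ranks second. That inversion is the point of weighting by business impact rather than by scanner severity alone; the multiplier itself is something each organization tunes to its own inventory.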