Posted on September 15, 2014 by ashley
Bobby Methvien, Information Security Analyst and Security Services Manager
The largest threats to complex networks are those unknown to IT personnel. As a first line of defense against system and security-related vulnerabilities, and as part of an organization’s ongoing vulnerability management program, IT must conduct assessments of its information systems. The goal of a vulnerability management program is to reduce risk within an organization by identifying and resolving vulnerabilities in its IT systems and its internal and external network.
Bring IT System Vulnerabilities into View
Vulnerability scanners are tools that IT personnel use to scan many remote systems against thousands of vulnerability signatures in a short period of time. The results of a scan enable IT to coordinate remediation of the vulnerabilities identified. Over time, as IT resolves identified vulnerabilities, only a handful of new vulnerabilities will be identified with each additional scan. This is the point where IT personnel become confident in the security of the network and need to put it to the test.
Pen Test Your Internal and External Network
Once IT personnel have significantly reduced the number of vulnerabilities identified through scans, a penetration test should be performed. The penetration test acts as an additional control and is used to identify system and security-related risks that affect an organization’s internal and external network. Penetration tests work to compromise an organization’s hosts, web applications, network, or sensitive data.
Penetration tests have short- and long-term benefits. In the short term, organizations are able to take action on the findings of the assessment, and over the long term, organizations are able to update their processes so that similar risks do not recur.
Penetration tests should be performed by someone who is not responsible for the daily management of the network and its information systems. The reason is that someone who configured a system, or a group of systems, a particular way already has an explanation for why it is that way and is unlikely to question it. We often hear IT personnel say, “I was told it has to be this way, so that’s the way I configured it.” One common example is, “Our software vendor requires that we configure all users as ‘Local System Administrator.’” As a result, IT personnel make a key information security mistake and assign the “Domain Users” group to the “Local System Administrators” group.
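As an added check, not part of the original post, the following PowerShell audits the built-in local Administrators group (the group the post calls “Local System Administrators”) for exactly this mistake; it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module on a domain-joined host.

```powershell
# Added example (not from the original post): audit the local Administrators
# group for the misconfiguration described above, where the domain-wide
# "Domain Users" group has been nested into local admins.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) on a domain-joined host.

function Test-DomainUsersInLocalAdmins {
    [CmdletBinding()]
    param(
        # The built-in local group; the post refers to it as "Local System Administrators".
        [string]$GroupName = 'Administrators'
    )

    # "Domain Users" always carries RID 513 in its domain, so matching on the
    # SID suffix is more reliable than matching on a (localizable) display name.
    $members = Get-LocalGroupMember -Group $GroupName -ErrorAction Stop

    foreach ($m in $members) {
        $isDomainUsers = ($m.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-513$') -or
                         ($m.Name -match '\\Domain Users$')
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Group    = $GroupName
            Member   = $m.Name
            SID      = $m.SID.Value
            Source   = $m.PrincipalSource
            Finding  = if ($isDomainUsers) { 'Domain Users nested in local admins' } else { '' }
        }
    }
}

# Run locally and show only the findings. To sweep many hosts, run the same
# function remotely, e.g.:
#   Invoke-Command -ComputerName (Get-Content hosts.txt) `
#       -ScriptBlock ${function:Test-DomainUsersInLocalAdmins}
Test-DomainUsersInLocalAdmins | Where-Object Finding | Format-Table -AutoSize
```

Every member is returned with an empty Finding field so the full membership can be reviewed as well; drop the Where-Object filter to see it.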
Vulnerability scanning and penetration testing are both services used to identify risks that may affect an organization’s information systems from its internal and external network. In addition, these services help organizations meet compliance requirements from authorities such as the FFIEC, standards such as PCI-DSS, and other regulatory authorities.