SECURITY CHECK-IT: STEP 11
Vulnerability assessments & Pen Testing
As a company, you can implement all kinds of rules and precautions to be secure, but without concrete testing and regular checks your company will never be completely safe. It is like studying and working all year without ever having to sit an exam. The last thing we want is for a hacker to be our exam and break in through the one door we forgot to close.
That is why we recommend auditing at a regular interval: at least once a year you should perform a vulnerability assessment.
The “vulnerability scanner” is a tool that the auditor will run in your environment. It collects information from every network-connected device it can reach (operating systems, open ports, services and their versions) and matches that information against a database of known security flaws. The auditor then prepares an extensive technical report documenting every flaw found, and a management report that groups the issues by risk, from very high to low. Bear in mind that a scanner only sees what it can reach from where it runs, and that its output needs a human to weed out false positives before it becomes a to-do list.
Your IT Manager or Partner can use this document to set up a remediation plan and budget. The goal should always be to tackle all pending issues before the next audit, so that things do not pile up.
Depending on the type of business and the risks associated with it, this can be set up as a recurring service, where vulnerability scans run at regular intervals and the results are processed continuously by the IT team, drastically reducing the time between the discovery of a weakness and its resolution. Especially in highly regulated verticals where external audits are mandatory, these internal continuous runs make sure you always get a good grade on your report.
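To make the three steps above concrete (collect an inventory, match it against known flaws, group the findings by risk with a remediation deadline per group), here is a small added example in Python. It is not code from this page or from any scanner product; the host inventory, the "known flaws" list with its FLAW-A…FLAW-D labels and version ranges, and the SLA_DAYS table are all constructed placeholders, not real hosts, real advisories or anyone's mandated deadlines. The severity bands follow the CVSS v3.1 qualitative scale.

```python
"""Toy vulnerability-assessment pipeline: inventory -> match against known
flaws -> band by CVSS score -> remediation plan with a due date per band.

Added example only. Every host, product, flaw reference, version range and
SLA value below is a constructed placeholder.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Service:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class KnownFlaw:
    ref: str          # placeholder label, not a real advisory identifier
    product: str
    introduced: str   # first affected version (inclusive)
    fixed_in: str     # first fixed version (exclusive bound)
    cvss: float       # CVSS v3.1 base score


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    ref: str
    cvss: float


# Constructed inventory, standing in for what a scanner collects over the network.
INVENTORY = [
    Service("fileserver", "exampled", "2.3.0"),
    Service("fileserver", "examplessh", "7.4p1"),
    Service("webserver", "exampled", "2.4.1"),      # already on the fixed version
    Service("webserver", "examplehttp", "1.18"),
    Service("printer", "examplehttp", "1.12"),
]

# Constructed "known flaws" database; refs, ranges and scores are placeholders.
KNOWN_FLAWS = [
    KnownFlaw("FLAW-A", "exampled", "2.0.0", "2.4.1", 9.8),
    KnownFlaw("FLAW-B", "examplessh", "7.0", "7.5", 5.3),
    KnownFlaw("FLAW-C", "examplehttp", "1.0", "1.16", 7.5),
    KnownFlaw("FLAW-D", "examplehttp", "1.17", "1.19", 3.1),
]

# Assumed remediation SLA in days per band; tune to your own risk appetite.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '7.4p1' into (7, 4, 1): keep the numeric runs, drop the rest."""
    parts: List[int] = []
    cur = ""
    for ch in v:
        if ch.isdigit():
            cur += ch
        elif cur:
            parts.append(int(cur))
            cur = ""
    if cur:
        parts.append(int(cur))
    return tuple(parts)


def is_affected(svc: Service, flaw: KnownFlaw) -> bool:
    """Same product and introduced <= version < fixed_in."""
    if svc.product != flaw.product:
        return False
    ver = parse_version(svc.version)
    return parse_version(flaw.introduced) <= ver < parse_version(flaw.fixed_in)


def band(cvss: float) -> str:
    """CVSS v3.1 qualitative severity rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def scan(inventory: List[Service], flaws: List[KnownFlaw]) -> List[Finding]:
    """Technical report: one finding per (service, matching flaw) pair."""
    return [Finding(s.host, s.product, s.version, f.ref, f.cvss)
            for s in inventory for f in flaws if is_affected(s, f)]


def remediation_plan(findings: List[Finding], scan_date: str,
                     sla: Dict[str, int] = SLA_DAYS) -> Dict[str, List[dict]]:
    """Management report: findings grouped by band, highest score first,
    each with the ISO date by which it should be closed."""
    start = date.fromisoformat(scan_date)
    plan: Dict[str, List[dict]] = {b: [] for b in sla}
    for f in sorted(findings, key=lambda x: -x.cvss):
        b = band(f.cvss)
        plan[b].append({"host": f.host, "ref": f.ref, "cvss": f.cvss,
                        "due": (start + timedelta(days=sla[b])).isoformat()})
    return plan


if __name__ == "__main__":
    for sev, items in remediation_plan(scan(INVENTORY, KNOWN_FLAWS), "2024-01-01").items():
        print(sev)
        for it in items:
            print(f"  {it['host']:<12} {it['ref']}  cvss={it['cvss']}  due={it['due']}")
```

The version comparison is the part worth getting right: "2.4.1" on the webserver is not flagged because the fixed version is an exclusive upper bound, while "7.4p1" still falls inside the affected range for the placeholder FLAW-B. Real scanners add a lot on top of this (authenticated checks, configuration tests, exploitability data), but the grouping-by-band-with-a-deadline output is exactly what the remediation plan in the next paragraph is built from.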
“Pen testing” is another type of test that needs to happen regularly. In this case an ethical hacker gets your written, scoped authorization to perform a real-life cyberattack on your systems. They will use an array of tools to find and attack weaknesses in your firewall, your software or your people, and will try to take control of the system the way a real attacker would. A pen test can happen in White Box mode, where you give the ethical hacker all available information, or in Black Box mode, where the hacker gets no information and has to do the reconnaissance on their own.
The result of this test gives IT a clear view of where the weaknesses are so they can close them. In general, we recommend starting with a vulnerability assessment before performing a pen test: that way the known, unpatched issues are already cleaned up, and the pen tester's time goes to the weaknesses a scanner cannot find.
For companies working with the UK: a vulnerability scan of your systems is a mandatory part of Cyber Essentials, a UK government scheme that certifies businesses that take their IT security seriously. Although these schemes currently do not exist or apply in the EU, they remain a good standard to adhere to, especially if your company works internationally.