In recognition of National Cybersecurity Awareness Month, Weaver is sharing our Cyber Fundamentals series. Throughout the month of October, we’ll be sharing content that will give you a basic understanding of cybersecurity and the key information you need to be aware, prepared and protected. This is the third post in the series.
If you’re wandering in a wilderness of cyber threats, it’s helpful to have a few signposts warning you of traps and pointing out the safe routes. But what if the signs are in a language you don’t understand?
IT security assessments are a critical element to protecting your organization from cyber threats. To get the kind of assessment your organization needs, though, you must first understand the different kinds of assessments. These are some of the most important concepts and terms to help you on your journey to effective IT security.
First, what is an IT security assessment?
“IT security assessment” is a broad term that encompasses IT security audits, risk assessments, vulnerability scans and penetration tests that use ethical (“white hat”) hacking techniques. The scope can be broad or very narrow: focused on a specific threat, or intended to determine your compliance with a particular IT framework or standard.
Many industries have specific standards for IT security. These are just a few:
- International: ISO (International Organization for Standardization) 27001/27002
- U.S. federal: NIST (National Institute of Standards and Technology) 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
- Credit and other payment cards: PCI DSS (Payment Card Industry Data Security Standard)
- Banking: GLBA (Gramm-Leach-Bliley Act) and FFIEC Cybersecurity Assessment Tool
- Health care: HIPAA (Health Insurance Portability and Accountability Act)
IT security assessment procedures can be applied to internal network services, wireless networks and web or cloud-based applications.
What is a vulnerability scan or a vulnerability assessment? Is that the same thing as an IT assessment?
A vulnerability scan is often part of an IT assessment. Like a burglar casing a joint, the vulnerability scan looks for weaknesses in a system, for potential points of entry. It’s most often performed by an automated tool, from inside or outside the organization, or both.
External scans are useful for identifying weak points in the system’s outward-facing defenses, but they can’t tell you about systems vulnerable to an attacker who has already gained access to the internal network. An internal vulnerability scan uses administrative IT credentials to probe for weaknesses in internal devices, systems and databases. It must be performed using an internal connection.
If you are hiring someone to assess your systems’ vulnerability, pay attention to the language: a scan is just that — the act of scanning and the data output produced by the automated tool. An assessment involves taking that data and interpreting it, categorizing results and prioritizing risks to make the information more relevant. Both services have their place, but if your organization wants help interpreting the scan results, be sure you’re getting a vulnerability assessment.
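To make the scan-versus-assessment distinction concrete, here is an added example (not code from the original post or from Weaver) that takes constructed scanner findings and performs the assessment step: categorizing each result and prioritizing it by asset value and exposure. The hosts, findings and the weighting rule are all assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    cvss: float       # base score 0.0-10.0 as an automated scanner reports it
    exposure: str     # "external" (internet-facing) or "internal"
    criticality: int  # 1 (low) to 3 (high): business value, supplied by the organization

# Constructed sample of what a scan produces: a flat list of findings, no interpretation.
SCAN_OUTPUT = [
    Finding("web-01", "outdated TLS configuration", 5.3, "external", 3),
    Finding("db-01", "default administrative credentials", 9.8, "internal", 3),
    Finding("printer-07", "SNMP community string 'public'", 5.3, "internal", 1),
    Finding("vpn-gw", "missing security patch", 7.5, "external", 3),
]

def severity(cvss):
    """Categorize a raw CVSS score into the buckets scanners and assessors commonly use."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

def risk_score(finding):
    """Assumed prioritization rule: scanner score weighted by asset value and exposure.
    External findings are weighted up because they are reachable without internal access."""
    exposure_weight = 1.5 if finding.exposure == "external" else 1.0
    return finding.cvss * finding.criticality * exposure_weight

def raw_scan_order(findings):
    """What a scan alone gives you: findings ordered by scanner score only."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def assess(findings):
    """The assessment step: interpret, categorize and prioritize the scan data."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.host, f.issue, severity(f.cvss), risk_score(f)) for f in ranked]

if __name__ == "__main__":
    for host, issue, category, score in assess(SCAN_OUTPUT):
        print(f"{score:6.2f}  {category:8s}  {host:12s}  {issue}")
```

Note that the two orderings differ: the scan alone ranks the internal database finding first, while the assessment moves the exposed VPN gateway ahead of it, and two identical scanner scores (web-01 and printer-07) end up far apart once asset value and exposure are considered.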
How is a penetration test different from a vulnerability scan?
If a vulnerability scan is the equivalent of a burglar casing a house to identify entry points, then a penetration test is like a burglar actually attempting a break-in. Penetration testing relies upon ethical hacking, or “white hat hacker” techniques, which attempt to obtain unauthorized IT access by deploying the same tactics that bad actors – hackers – would use.
A penetration test usually has a narrower scope than a vulnerability scan, and it should focus on the systems and data requiring the highest levels of protection. Most “pen tests” are performed from outside the system, trying to access and exploit a weakness. Once inside, the tester will attempt to pivot to other devices or systems. Knowing how the tester got into a system enables the organization to take steps blocking that entry point or weakness.
How would we check for human vulnerabilities?
Human behavior is a major weakness in all systems, and a good cybersecurity plan involves lots of training and education. To see how canny your employees are, you can deploy “social engineering tests,” which include any tactic that attempts to trick people into sharing confidential information. Social engineering usually involves phishing emails and/or phone calls, but it could also involve in-person tricks such as trying to walk past a receptionist without being questioned, or leaving a USB drive labeled “Confidential: Payroll Information” lying around to see if anyone picks it up and plugs it into a computer, simulating the transfer of malware via removable media.
What kind of IT security assessment do we need?
That’s always the big question, and the answer is always “it depends.” Such variability is what makes it so important to understand the differences among security assessment terms. If you need a vulnerability scan in order to comply with a particular standard, but instead get a penetration test, nobody wins — neither the frustrated vendor who performed the penetration test nor the organization that paid for a service that didn’t meet its compliance needs.
If you are beginning to plan an assessment or seek bids from third parties for security assessment services, make sure everyone understands exactly what is needed and what is being provided. Your organization should begin by identifying its most crucial risks, the maturity of your existing security processes, and which regulations you must comply with. Only then can you find your organization’s safest path around the hazards as you try to protect your systems.