More and more frequently the terms ‘Vulnerability Assessment’, ‘Penetration Testing’ and ‘Red Teaming’ are misused or misinterpreted.
What matters is that a company knows what is hidden behind each term and when it should be used. This blog post therefore describes the various technical security audit options and explains when each method should be applied.
Vulnerability Assessment
A vulnerability assessment should continuously identify as many vulnerabilities as possible in a short period, so that simple security weaknesses are found and ‘fixed’ as quickly as possible. The Essential Eight is a valuable tool in this context.
A vulnerability assessment relies mostly on automated procedures and generic scanners to detect security weaknesses in systems. These can be, for example, pending patches, weak passwords or a misconfiguration. The scans should be run periodically, as the result of a one-time scan may be irrelevant after the next patch day. Ultimately, there should be a vulnerability management process that prioritises and documents the detected problems accordingly.
- Default Credentials
- Missing Patches
- Open Ports
- Missing Security Configurations
- Weak Cryptography
Find them and fix them!
Penetration Testing
In contrast to vulnerability assessments with their automated procedures, penetration testing primarily uses manual techniques to detect more complex vulnerabilities that scanners cannot find. These can be logic errors in the implementation of a piece of software as well as problems in the organisational regulations of a company.
In addition, the vulnerabilities found in a penetration test are validated and exploited to achieve a predefined target. This goal may be acquiring domain administrator rights or accessing the email of a specific user in the company.
- Cleartext Credentials on Client/Server (e.g. an Excel sheet on a client)
- Discovering unknown Vulnerabilities
- SQL Injection
- Local Privilege Escalation (through misconfiguration or vulnerable software)
- Bypassing Security Measures
- Bad Asset Management
Red Teaming
These types of assessments use state-of-the-art attack and obfuscation techniques to penetrate a business and achieve a specific goal. At the same time, the “defence team”, the so-called Blue Team, should detect the intrusion and react accordingly.
- Missing Logging on One or More Server/Clients
- Weak Log-Correlation
- Bad Detection Rate
- No Automated Notification
Of course, red teaming is also about uncovering vulnerabilities at all levels on the way to the goal, but training the Blue Team is clearly the real key.
Which Method is Right for Your Company?
This cannot be answered with a blanket recommendation, as it depends on the cyber security posture of the business.
Security Level: Low to Medium
If no security assessments have been carried out yet, only vulnerability scans should be used at first, to establish the baseline security level and raise it to a satisfactory standard.
Security Level: High
Once a company performs vulnerability scans and closes the detected gaps, penetration testing can be used to uncover more complex weaknesses.
Security Level: High to Very High
If the company already operates elements such as a SOC, a SIEM and a Blue Team, then at this stage these elements should be trained and optimised through red teaming assessments.
Co-founder & CEO, Edge IT Group