The Importance of Security Testing
The cyber threat landscape is constantly changing. New vulnerabilities are being discovered almost daily. Threat actors are developing new tactics and techniques to exploit these vulnerabilities.
How can you protect yourself from an attack you don’t see coming? How can you improve your cyber security posture without knowing where or how you’re vulnerable? How can you determine the critical areas to focus on and strengthen? That’s where security testing comes in.
What is Security Testing?
Security testing is a broad term. In general, it is a process used to identify vulnerabilities in the defenses of an organization’s information systems. For our purposes, let’s boil it down to the combination of the following types of assessments: cybersecurity gap analysis, penetration testing, and vulnerability assessments.
Cybersecurity Gap Analysis
There are three main goals for a cybersecurity gap analysis:
1) Identify your current network defenses
2) Decide where you want them to be
3) Determine how to get there
A gap analysis is a very high-level form of security testing and is closely tied to the development of a cybersecurity roadmap, both of which are typically created and maintained by an organization’s CISO (Chief Information Security Officer). For these reasons, it makes sense to start the development of a cybersecurity program with a gap analysis. As Benjamin Franklin once said, “If you fail to plan, you plan to fail!”
Vulnerability Assessment
Vulnerability assessment is the process of identifying security flaws and risks based on security advisories and known security flaws. Automation is essential to vulnerability assessment since new vulnerabilities, across thousands of applications, are released nearly every day. Ideally, proactive organizations will run automated vulnerability scans on a schedule to produce a report of all vulnerabilities discovered. This gives your security team a targeted list of security risks to test manually. That report can then be used to identify the most critical vulnerabilities, which should be fixed with urgency.
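The step from "a report of all vulnerabilities discovered" to "a targeted list" is a triage problem: duplicate findings get collapsed, low-severity noise is filtered out, and what remains is ranked so the team knows what to verify first. The script below is an added illustration of that triage, not MHC's tooling or any scanner's export format; the finding records, the CVE-style identifiers (placeholders, not real advisories) and the weighting given to internet-facing hosts are all constructed for the example.

```python
"""Triage a vulnerability scan report into a prioritized worklist.

Added illustration, not MHC's tooling: the findings below are constructed
sample records in a generic shape (host, port, cve, cvss, exposure); real
scanner exports differ and would need their own parser.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    cve: str        # placeholder identifiers, not real advisories
    cvss: float     # CVSS base score, 0.0 to 10.0
    exposure: str   # "external" (internet-facing) or "internal"


# Constructed sample output of a scheduled scan (not real scan data).
SAMPLE_FINDINGS = [
    Finding("web-01", 443, "CVE-PLACEHOLDER-1", 9.8, "external"),
    Finding("web-01", 443, "CVE-PLACEHOLDER-1", 9.8, "external"),  # duplicate
    Finding("db-01", 5432, "CVE-PLACEHOLDER-2", 7.5, "internal"),
    Finding("file-02", 445, "CVE-PLACEHOLDER-3", 8.8, "internal"),
    Finding("vpn-01", 443, "CVE-PLACEHOLDER-4", 5.3, "external"),
    Finding("print-07", 9100, "CVE-PLACEHOLDER-5", 3.1, "internal"),
]


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its standard qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def priority_score(f: Finding) -> float:
    """Rank by base score, boosted when the host is internet-facing.

    The 2.0 boost for external exposure is an assumed weighting for this
    example; tune it to your own risk model.
    """
    return f.cvss + (2.0 if f.exposure == "external" else 0.0)


def triage(findings, min_cvss: float = 4.0):
    """Deduplicate findings, drop low-severity noise, and sort by priority.

    Returns the targeted list a security team would verify manually,
    highest priority first.
    """
    unique = sorted(set(findings), key=priority_score, reverse=True)
    return [f for f in unique if f.cvss >= min_cvss]


def summary(findings):
    """Count findings per severity band for the report header."""
    counts = {}
    for f in findings:
        band = severity_band(f.cvss)
        counts[band] = counts.get(band, 0) + 1
    return counts


if __name__ == "__main__":
    worklist = triage(SAMPLE_FINDINGS)
    print("severity counts:", summary(worklist))
    for f in worklist:
        print(f"{severity_band(f.cvss):>8}  {f.host}:{f.port}  {f.cve}  "
              f"cvss={f.cvss}  {f.exposure}")
```

On the constructed data the duplicate web-01 finding collapses to one entry, the printer finding falls below the 4.0 floor, and the internet-facing VPN host outranks nothing with a higher base score but is listed ahead of where its 5.3 score alone would place it. In practice the same ranking is what lets a weekly external scan and a monthly internal scan feed one worklist instead of two disconnected reports.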
Penetration Testing
Once the security risks identified during the vulnerability assessment have been addressed, it’s time to put those defenses to the test. During a “pen test” an ethical hacker will analyze and attack your network to ensure security fixes have been put in place and to test the organization’s ability to detect and respond to network attacks. A penetration test typically has 5 phases: Reconnaissance, Enumeration, Exploitation, Post-Exploitation, and Reporting. The real value of this type of security testing is to see how your network stands up against real-world attack techniques and to illustrate the business impact of an attacker exploiting any remaining vulnerabilities the organization hasn’t yet fixed.
How often should we be doing this?
In short, it depends. However, MHC recommends the following baseline:
• Annual gap analysis reviews
• Weekly external vulnerability scans
• Monthly internal vulnerability scans
• Annual penetration tests
Security Testing is an integral part of a good cybersecurity program and having a solid plan will help you in your mission to protect your information systems. This should be thought of as part of a continuous cycle to improve your network’s security. Because technology is always changing and hackers are constantly improving their attacks, it’s important to realize that cybersecurity is most definitely a marathon and not a sprint.
If you’re interested in learning more about how MHC can help your business establish an appropriate security testing program, reach out to us here.