By Chris Reid, Cybersecurity Strategist
Which one is right for you? Let’s take a look at each one, where it fits, and when you should have one performed. First, there are A LOT of different types of testing, and they all have their benefits and different results. It really is worth taking a look at what kind of information you want to get out of it for your organization.
Let’s start with penetration testing, as that is the term thrown around the most. A penetration test, by the definition from the National Institute of Standards and Technology (NIST), is “a test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.” This is just one of many definitions, but for the sake of this post, we will go with this one. There are multiple types of penetration tests, so take a look at the list below.
This is a type of test where the assessor has extremely limited knowledge of the organization they are going to attack. This will be similar to most of the “real world” examples of an attack.
This is where the assessor has been given either credentials or some information that will easily let them into the organization. These tests are typically used to assess how the organization’s defenses respond to an attacker who has already performed reconnaissance on the organization.
On top of this, we must determine if we want the assessor to be on the outside looking in or if we want to have the assessor on the inside attempting to see how far into the network they can get.
Both options are great for finding vulnerable systems as the assessor uses tactics and tools that we typically wouldn’t use on a day-to-day basis. A lot of organizations will use these to fine-tune what they already have in place and then test again after those refinements have been put in place. A penetration test should NOT be used to figure out what you need to implement going forward.
Maturity Assessment, Risk Assessment, and Gap Analysis
Next, let’s talk about the Maturity Assessment, Risk Assessment, and Gap Analysis. The funny thing is that they are all pretty much the same thing, but each provider will have a different spin on what they offer with it. Every single one is there to determine the maturity of your security program, and they will provide great insight into the level of risk and gaps in your risk management program. There are, of course, several types of assessments that look at the different areas of compliance you need to adhere to or that focus on risk from one specific area or business unit.
Additionally, you have to take into account which framework you want to assess against. With NIST alone, you must determine which framework fits your organization. For example, are you a for-profit company that doesn’t do anything with government contracts? If so, you probably fall under 800-53. Are you a DoD contractor? Then you probably have to look at 800-171. We love helping organizations figure this out if they do not already know, and we tailor the assessment to fit their specific needs and requirements.
When looking at a NIST assessment, we look at 108 different controls and then use all of that data to determine what gaps you have in your risk management program. If we are talking about CIS Assessments, there are 153 different safeguards to also identify your gaps. This provides an in-depth view of both what you DO have and what you DO NOT have, as well as what areas of risk you are ok with having and what areas you do not want any risk in. It can quickly get very extensive and complex.
This is where things can be really fun. After your assessment, you will be given a stack of papers full of charts, dashboards, and fancy colors; it can be highly informative but confusing at the same time. We like to bring a proprietary tool into the mix that provides an easy-to-consume dashboard specifically listing what you need to work on. This gives you an easy-to-use view of what to work on in the months and years to come. One of these assessments should give you a good picture of which tools, policies, and procedures you need to implement down the road. It should NOT be used to determine the level of security provided by your current security solutions.
“Chris Reid has over a decade of experience working with and for Information Security service providers. He has worked with businesses of all sizes and verticals, architecting security programs for all of them. He is a dedicated strategic advisor to his clients and takes pride in knowing they are seeing value in not only the services he recommends but also the products he supports.”