A few months ago, I received a call from a CDW customer in the Midwest. The customer was in a rush and got right to the point of the call: “We need a penetration test.” When I asked for more details about the type of testing required, the reply was simple: “We just need a test done.”
I receive calls like this several times a month. Most clients know they need to demonstrate a level of security, but frequently they are not quite sure what they are paying for. Like buying a home for the first time, there is a lot of jargon to digest. Unless you have a working background in that industry, it will probably require some research to avoid making suboptimal choices.
In this case, a midsized manufacturing firm was working with the technology leadership at a new client as they performed their due diligence. The client wanted evidence that the manufacturer had strong security controls that had been independently tested. It follows best practice to have mutual security control expectations built into service-level agreements before introducing a partner into your organization’s supply chain. But what exactly does your partner mean by “white box penetration test” or “quarterly vulnerability scans”? Often a difference of terms and understanding can lead to an inconsistent application of security policies and practices.
At CDW, we tailor our security engagements to meet the actual needs of our clients. Not everyone requires a full review of the existing trust relationships on their internal network, but most want more than a vulnerability scan.
Vulnerability Scanning Vs. Penetration Testing
Any assessment of network security posture will involve vulnerability scanning. This frequently involves the use of automated security testing tools to quickly scan environments for readily identifiable issues. Depending on the degree of fine-tuning, vulnerability scans can provide a low-cost solution, but the value of the results largely depends on the ability to separate out false positives. Vulnerability scanning can address a breadth of threats, but may lack the depth and precision of a hands-on penetration test.
While some vulnerability scanners may attempt to exploit weaknesses in a system, a penetration test is an active attempt to subvert, breach or circumvent technical security controls (or the lack thereof). Penetration testing will traditionally include the use of vulnerability scanning to obtain an initial threat picture to work from. Attempting to exploit these vulnerabilities allows the engineer to verify the nature of an identified weakness and determine the degree of impact. Not only does penetration testing provide a sense of the actual security posture, but it can also give clients a sense of their ability and readiness to respond to attacks.
CDW Security Assessments Offer the Best of All Worlds
At CDW, we take the process a step further — combining the breadth of the vulnerability assessment with the depth of the penetration test to provide a “security assessment.” As we gain access during penetration testing, we use it not only to access additional systems, but also to gather additional data to provide better analysis of an organization’s security stance. For example, a basic password audit conducted during a penetration test may identify service accounts with default passwords. A penetration tester might report that access to an organizational asset was achieved due to a weak password. CDW’s approach determines if poor password management is a systemic issue throughout the organization. Both responses point to a similar issue and mitigation, but the security assessment identifies the root of the problem and the most effective mitigation strategy.
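The distinction drawn above, one weak password versus a systemic credential problem, can be made mechanically from the audit output. This is an added example, not CDW's tooling: the audit records, account names, teams and the thresholds for calling a finding "systemic" are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditFinding:
    account: str   # account name (constructed)
    kind: str      # "service" or "user"
    owner: str     # team responsible for the account
    weak: bool     # True if the audit confirmed a default or policy-violating password

# Constructed sample audit results; the account names and teams are hypothetical.
SAMPLE_FINDINGS = [
    AuditFinding("svc_backup", "service", "infra", True),
    AuditFinding("svc_monitor", "service", "ops", True),
    AuditFinding("svc_print", "service", "facilities", True),
    AuditFinding("svc_erp", "service", "apps", False),
    AuditFinding("alice", "user", "eng", False),
    AuditFinding("bob", "user", "eng", True),
    AuditFinding("carol", "user", "hr", False),
    AuditFinding("dave", "user", "sales", False),
    AuditFinding("erin", "user", "hr", False),
]

MITIGATION = {  # verdict -> matching mitigation (one-off reset versus a process fix)
    "none": "no action required",
    "isolated": "reset the affected credential and notify its owner",
    "systemic": "fix the process: unique credentials at provisioning, vault service-account passwords",
}

def classify(findings, systemic_rate=0.25, min_teams=2):
    """Summarise weak-credential findings per account kind with a verdict of
    none / isolated / systemic.  'Systemic' means the weak-credential rate reaches
    systemic_rate AND the weak accounts span at least min_teams teams (thresholds
    are assumptions, not CDW's criteria)."""
    by_kind = defaultdict(list)
    for f in findings:
        by_kind[f.kind].append(f)
    report = {}
    for kind, group in by_kind.items():
        weak = [f for f in group if f.weak]
        rate = len(weak) / len(group)
        teams = {f.owner for f in weak}
        if not weak:
            verdict = "none"
        elif rate >= systemic_rate and len(teams) >= min_teams:
            verdict = "systemic"
        else:
            verdict = "isolated"
        report[kind] = {"total": len(group), "weak": len(weak), "rate": round(rate, 2),
                        "teams": len(teams), "verdict": verdict, "mitigation": MITIGATION[verdict]}
    return report
```

With the sample data, service accounts come back "systemic" (three of four weak, across three teams) while user accounts come back "isolated", which is exactly the difference in recommended mitigation the paragraph describes.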
When CDW conducts a security assessment, we work closely with the client to define the scope, logistics and rules of engagement to include an opportunity to speak to the engineers who will actually do the work. If we successfully penetrate our client’s defenses (we usually do), we provide a detailed account of how we accomplished that feat and discuss steps the client should take to remediate identified threats and improve security.
The Benefits of a Security Framework Gap Analysis
In contrast to CDW’s technical security assessments, sometimes the best solution might involve a gap analysis using a security framework, such as the National Institute of Standards and Technology Cybersecurity Framework (NIST SP 800-53), or perhaps the International Organization for Standardization’s ISO 27000 series. While a technical security assessment can provide a snapshot of the current security posture, a gap analysis against a security framework provides a sense of organizational security strengths and weaknesses based on policies, procedures, practices, controls and techniques. With this kind of objective assessment, our clients can build a roadmap from where their security controls are to where they want to be. Combined with technical security assessments, an organization can prioritize where security dollars and time will yield the best results.
In the case of that manufacturing client, we both determined a security assessment of its public-facing infrastructure would satisfy the future client’s demand. A review of the manufacturer’s organizational security controls today would likely help them prepare for anticipated growth. That assessment is now complete, and the company has a three-year roadmap in place to build its next-generation security program.