Understanding Information Security Services: Security Assessment, Vulnerability Scan, and Penetration Test

By: David Gatewood – November 2024
CEO ToriiGate Security Consulting, LLC


New cyber incidents are reported almost daily across media outlets worldwide. Many more go unnoticed or unreported for various reasons.


According to research from IBM in 2022 (http://www.IBM.com/reports/Data-breach), the average cost of a data breach in healthcare is $10.1M, with the possibility of additional General Data Protection Regulation (GDPR) fines of up to 4% of the company's worldwide revenue from the previous year. GDPR is a regulation in EU law on data protection and privacy.


According to the FBI’s Internet Crime Report 2023 covering 2022 (https://www.aha.org/cybersecurity-government-intelligence-reports/2024-03-11-federal-bureau-investigation-internet-crime-report-2023):

  • 800,944 complaints reported to the FBI’s Internet Crime Complaint Center (IC3) with losses exceeding $10.3 billion.

  • Phishing schemes were the most reported crime type with 300,497 complaints.

  • Investment fraud resulted in the highest financial loss at $3.3 billion, a 127% increase from the previous year.

  • Cryptocurrency investment fraud rose from $907 million in 2021 to $2.57 billion in 2022.


For 2022, the Internet Crime Complaint Center statistics released in 2023 show (https://www.fbi.gov/contact-us/field-offices/springfield/news/internet-crime-complaint-center-releases-2022-statistics):

  • 880,418 complaints registered with IC3, with potential losses exceeding $12.5 billion.

  • Investment fraud losses increased to $4.57 billion, a 38% increase from 2022.

  • Business email compromise (BEC) scams resulted in $2.9 billion in reported losses.

  • Ransomware incidents increased by 18% from 2022, with reported losses rising from $34.4 million to $59.6 million.


According to PURPLESEC (https://purplesec.us/resources/cyber-security-statistics/):

  • Small and medium-sized businesses (SMBs) are targeted in over 50% of all cyber attacks.

  • The average cost of a data breach for small businesses ranges from $120,000 to $1.24 million.

  • It is estimated that, worldwide, cybercrimes will cost $10.5 trillion annually by 2025.

  • Enterprises experienced 130 security breaches per year, per organization, on average.



Introduction

In today's digital landscape, the need for robust information and cybersecurity measures within businesses is more critical than ever. This article aims to demystify three crucial security services: Security Assessment, Vulnerability Scan, and Penetration Test. These terms are often misunderstood and incorrectly used interchangeably.

Misconceptions and Realities

Having spent over twenty-five years in the information security industry, I've noticed persistent misconceptions, especially among non-security professionals. A prevalent myth is that a penetration test involves merely pressing a button and waiting for an automated report. However, this is far from the truth. Often, what clients truly seek is a security assessment or a high-level review of system settings within a planned deployment environment.

The Triad of Security Services

Security Assessment

A Security Assessment is a high-level review of available security settings for various elements including networks, servers, cloud environments, printers, applications, and IoT devices. It is conducted by a security team or architect, comparing these settings against the company's security policies. Where company policies may be lacking, the reviewer may reference, among others in the United States, the National Institute of Standards and Technology (NIST – nist.gov), the Open Web Application Security Project (OWASP – owasp.org), and the Cybersecurity and Infrastructure Security Agency (CISA – cisa.gov). This assessment is best performed during the design phase, prior to deployment, and should not be confused with a vulnerability assessment.

Vulnerability Scan

A Vulnerability Scan is typically conducted via automated tools to identify potential security vulnerabilities in production-ready systems and applications. These tools must be regularly updated to detect emerging threats. While useful, they can generate false positives, as they may not consider mitigating controls or layered security measures. The analogy of shining a flashlight into a dark area to check for a padlock without verifying if it is actually locked aptly describes the limitation of these scans. To enhance security posture, it is recommended to integrate automated security vulnerability scans into regular monitoring. This practice will ensure that alerts are promptly triggered if there are any changes in configurations or if new systems are introduced with missing settings or patches, thereby mitigating potential risks.
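The two ideas above, comparing settings against a policy baseline (the Security Assessment) and re-running scans as part of regular monitoring so that configuration drift, new hosts and missing patches raise alerts, can be sketched in a few dozen lines. The following is an added example written for this article, not code from the author or from any scanner product: the policy baseline, host names, setting keys and patch identifier are all constructed, and the "mitigating control" table is a hypothetical way to record the layered defenses that a raw scanner cannot see, so a known-accepted finding is downgraded rather than alerting on every run.

```python
"""Added example: turn periodic scan snapshots into policy-gap and drift
alerts, then triage them against documented mitigating controls.
Everything here (policy values, hosts, settings, patch id) is constructed."""
from dataclasses import dataclass, field

# Hypothetical policy baseline: the setting values the security policy requires
# for each asset class. A real baseline would be derived from company policy or
# a reference such as NIST or CISA guidance.
POLICY = {
    "server": {"ssh_password_auth": "no", "tls_min_version": "1.2", "auto_patch": "yes"},
    "printer": {"snmp_version": "3", "default_creds_changed": "yes"},
}


@dataclass
class Host:
    """One asset as reported by a scan snapshot (constructed shape)."""
    name: str
    kind: str
    settings: dict
    missing_patches: list = field(default_factory=list)


def policy_gaps(host):
    """Security-assessment style check: (setting, expected, actual) for each deviation from POLICY."""
    required = POLICY.get(host.kind, {})
    return [(key, expected, host.settings.get(key))
            for key, expected in required.items()
            if host.settings.get(key) != expected]


def drift(previous, current):
    """Monitoring check between two snapshots {name: Host}.
    Flags new hosts (with their policy gaps and missing patches), changed
    settings on known hosts, and patches that became missing since last run."""
    alerts = []
    for name, host in current.items():
        old = previous.get(name)
        if old is None:
            alerts.append(("new_host", name, None))
            alerts.extend(("policy_gap", name, gap) for gap in policy_gaps(host))
            alerts.extend(("missing_patch", name, p) for p in host.missing_patches)
            continue
        for key, value in host.settings.items():
            if old.settings.get(key) != value:
                alerts.append(("setting_changed", name, (key, old.settings.get(key), value)))
        for p in sorted(set(host.missing_patches) - set(old.missing_patches)):
            alerts.append(("missing_patch", name, p))
    return alerts


def _finding_id(detail):
    """Stable identifier for a finding: the setting name or patch id it concerns."""
    return detail[0] if isinstance(detail, tuple) else detail


def triage(alerts, mitigations):
    """Split alerts into those to raise and those covered by a documented mitigating
    control. The control is recorded by a reviewer, which is exactly the context an
    automated scanner lacks and the reason it reports false positives."""
    raised, suppressed = [], []
    for kind, host, detail in alerts:
        note = mitigations.get((host, kind, _finding_id(detail)))
        if note is None:
            raised.append((kind, host, detail))
        else:
            suppressed.append((kind, host, detail, note))
    return raised, suppressed


# Constructed snapshots: last run versus this run.
PREVIOUS = {
    "web-01": Host("web-01", "server",
                   {"ssh_password_auth": "no", "tls_min_version": "1.2", "auto_patch": "yes"}),
}
CURRENT = {
    # Someone re-enabled password SSH logins, and a patch is now outstanding.
    "web-01": Host("web-01", "server",
                   {"ssh_password_auth": "yes", "tls_min_version": "1.2", "auto_patch": "yes"},
                   ["PATCH-EXAMPLE-001"]),
    # A printer appeared on the network with SNMP v2c instead of the required v3.
    "print-07": Host("print-07", "printer",
                     {"snmp_version": "2c", "default_creds_changed": "yes"}),
}
# Hypothetical reviewer-recorded mitigating control for one finding.
MITIGATIONS = {
    ("web-01", "missing_patch", "PATCH-EXAMPLE-001"):
        "affected service not reachable from outside its segment; patch scheduled",
}


def run_cycle():
    """One monitoring cycle: returns (alerts to raise, alerts suppressed by a control)."""
    return triage(drift(PREVIOUS, CURRENT), MITIGATIONS)


if __name__ == "__main__":
    raised, suppressed = run_cycle()
    for alert in raised:
        print("ALERT", *alert)
    for alert in suppressed:
        print("ACCEPTED", *alert)
```

Running the cycle raises three alerts (the SSH setting change on web-01, the new printer, and its SNMP policy gap) and records the missing patch as accepted under the documented control; the point is that the scanner output is only the start, and the reviewer's knowledge of compensating controls is what separates a real gap from a false positive.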

Penetration Test

A Penetration Test goes beyond identifying vulnerabilities; it involves simulating real-world attack scenarios to validate and exploit vulnerabilities. This process requires skilled security professionals who continually update their knowledge and techniques to mimic potential adversaries (criminals). Unlike automated tools, penetration testers tailor their methods to the specific environment and provide detailed recommendations to mitigate identified risks.

Challenges and Considerations

Despite the increasing awareness of cybersecurity, security services often remain an afterthought, contacted out of necessity rather than proactive planning. This reactive approach can hinder project timelines and diminish the perceived value of security. Additionally, any testing, such as vulnerability scans or penetration tests, must have explicit authorization from the entity in charge of the target to avoid legal repercussions according to the Computer Fraud and Abuse Act in the United States.

Conclusion

Understanding the distinct purposes and processes of Security Assessments, Vulnerability Scans, and Penetration Tests is crucial for effectively safeguarding your business. Each service plays a unique role in a comprehensive security strategy, contributing to layered defenses that adapt to evolving threats. Clear communication and precise scoping of these services ensure that businesses receive the most value from their security investments.
