Vulnerability management (Blue Team) and penetration testing (Red Team) are like two sides of a coin: one without the other is incomplete. News Flash: when it comes to security, incomplete equals “at risk”.
We see this duality in every industry where assurance is required, such as industrial design and testing. In the cyber world, management must begin by assessing the potential damage to brand integrity should a breach occur. Loss of customer or public confidence? Loss of trade secrets? Leakage of Personally Identifiable Information? Once management embraces the danger a breach represents to the business, it is up to the cybersecurity professionals to design the defenses.
The Cyber Wolf
Protecting corporate assets from threats is not new. Sheepherders have been guarding their flocks for centuries. They designate an area for the sheep to graze, knowing it must be free of visual obstructions and relatively safe for the sheep to roam. The underbrush is cleared and fences are built. This is not unlike vulnerability management. They will usually have a sheepdog guarding the flock when they are not available, which is not unlike an intrusion detection and prevention system. They build a defensive architecture just as other sheepherding professionals around the world do. The standard operating procedures clearly work, because the incidence of wolves taking sheep is low. Low, but it does happen.
What sheepherders do not do is have a second dog play the part of the wolf. Imagine a dog attempting to penetrate the flock's own defenses and “mock-seize” a sheep. This is why wolves still successfully prey on sheep: the sheepherder does not test the defenses. They do not perform rounds of continuous improvement based on actual penetration testing. They look at other sheepherders and emulate them. They believe they have a good design, but they may not be aware of the flaws within their own unique environment until there is a victim.
Threat actors come in many different types: the script kiddie, the ransomware virus, the nation state, industrial espionage, or even the disgruntled employee. They all have a dizzying variety of arrows in their quivers. They tend to view their victims the same way wolves view sheep. There is no moral dilemma for them. They are predators; they have the skills, the will and the opportunity to inflict harm on their prey. We hear about cyber incidents in the news almost daily. Static defenses are static targets. We are all up against determined, well-funded and well-armed adversaries. Not evaluating both sides of the coin has resulted in grim statistics, and these statistics are in the wolf’s favor: two-thirds of SMBs that are impacted by a major cyber event are out of business within 6 months.
Success has only emboldened the threat actors. While we remain firmly planted within our legal system, they remain out of reach of our justice representatives. Stop and take note: because weak law enforcement repercussions offer little deterrent, we are on our own to defend our digital frontiers.
Both Sides of the Coin
So how does evaluating both sides of the coin help protect you? Patch management is a good, narrow, industry-based example. If patches are not applied with rigor, i.e. vulnerabilities are not managed, weaknesses will most certainly exist. A vulnerability scanner will list missing patches that may allow exploitation. Penetration testing confirms which of those missing patches actually allow exploitation.
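As an added example (not from the article), here is one way to reconcile the two outputs the paragraph describes: the scanner's list of missing patches, and the pen test's confirmation of which of them were actually usable. Host names, patch identifiers and scores are constructed placeholders, and the tiering rule is an assumption for illustration.

```python
"""Reconcile vulnerability-scan output with penetration-test results.

Added example, not from the original article. All findings below are
constructed sample data; the patch identifiers are placeholders, not
real advisories.
"""
from collections import Counter

# Constructed scanner output: one row per (host, missing patch), with the
# vendor's severity score for that patch.
SCAN_FINDINGS = [
    {"host": "web-01", "patch": "PATCH-A", "cvss": 9.8},
    {"host": "web-01", "patch": "PATCH-B", "cvss": 5.3},
    {"host": "db-01",  "patch": "PATCH-A", "cvss": 9.8},
    {"host": "db-01",  "patch": "PATCH-C", "cvss": 7.5},
    {"host": "db-01",  "patch": "PATCH-D", "cvss": 4.0},
    {"host": "hr-01",  "patch": "PATCH-B", "cvss": 5.3},
]

# Constructed pen-test report: the (host, patch) pairs the testers actually
# leveraged. The scanner lists what *may* be exploitable; this is what *was*.
PENTEST_CONFIRMED = {("db-01", "PATCH-C"), ("web-01", "PATCH-A")}


def remediation_plan(scan, confirmed, high=7.0):
    """Order findings: confirmed exploitable first, then by CVSS descending.

    Returns a list of (tier, host, patch). Tier 1 = confirmed by the red
    team, tier 2 = high severity but unconfirmed, tier 3 = everything else.
    """
    def tier(f):
        if (f["host"], f["patch"]) in confirmed:
            return 1
        return 2 if f["cvss"] >= high else 3
    ranked = sorted(scan, key=lambda f: (tier(f), -f["cvss"], f["host"]))
    return [(tier(f), f["host"], f["patch"]) for f in ranked]


def root_cause_hosts(scan, threshold=3):
    """Hosts missing >= threshold patches point at a process failure (patch
    cadence, unmanaged asset), not a one-off: fix the process, not the item."""
    counts = Counter(f["host"] for f in scan)
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for row in remediation_plan(SCAN_FINDINGS, PENTEST_CONFIRMED):
        print(row)
    print("hosts needing a process fix:", root_cause_hosts(SCAN_FINDINGS))
```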
Vulnerability Scanning First
Vulnerability scanning is part of risk assessment. In the cybersecurity industry, risk assessment is a “Priority 1” task. Assessments (Blue Team) start with manual interrogation and inspection of the target organization's security posture. If a new CISO brings the Red Team pen testers (short for penetration testers) into an immature organization, trophies (tangible, relevant demonstrations of discovered flaws) are sure to be had. A long list of items to correct will be created. The underlying root causes that created the vulnerable position will almost certainly not be addressed. In other words, if you start with the final phase, penetration testing, let me assure you, the reader, right now: they will get in. The flaws and exploits of most organizations are numerous. The testing toolkits are powerful. If your goal is to scare yourself or your audience, start with pen testing. If your goal is to be as secure as possible, start with vulnerability management, followed by pen testing.
In any organization, vulnerability scanning will create a defensible environment, whether the company is mature or just coming to grips with the concept of cybersecurity. This defense is built using assessments of architecture, applications, policy, skills and training. It is then further tuned by correcting the flaws uncovered in the second phase, penetration testing or red teaming.
Vulnerability scanning and penetration testing are both part of the National Institute of Standards and Technology (NIST) recommendations. Read Special Publication 800-53 (Rev. 4) for Federal Information Systems and Organizations. Vulnerability scanning comes first in the family of controls, followed later by penetration testing. As excerpted from the publication:
“RA-5 Vulnerability Scanning P1 (Priority 1) – Implement Security Controls First”
“CA-8 Penetration Testing P2 (Priority 2) – Implement P2 security controls after implementation of P1 controls.”
ROI on Cybersecurity
These two controls are as intertwined as two sides of a coin, each incomplete without the other. But the caption for this article's photograph is “How much would you pay for a $3 coin?” $3? $300? $300,000? How do you gauge the actual worth, or realize ROI? True, the cost of not investing in cybersecurity can be summarized as “an ounce of prevention is worth a pound of cure”. Overpaying for the wrong cybersecurity defenses is like foolishly speculating on a rare gold coin. It looks good and it’s nice to have, but was it worth it? In cybersecurity, the wrong time to find out that your defenses weren’t worth the investment is after a breach.
We know which comes first and which follows, and that one without the other will always be incomplete. And incomplete is insecure.