Are you getting what you’re paying for?
In the ever-changing landscape of the cybersecurity world, it is too easy to get lost in all the technical jargon. Compound that with a sales force that leans on buzzwords and key phrases to get in front of a customer without fully understanding what those words and phrases actually mean. Let’s delve into how to keep from getting taken for a ride by a smooth-talking snake oil salesman, and how to tell a penetration test from a vulnerability assessment so you find and acquire the service you actually need.
It Is Important to Know What Words Mean
Just as executives and lawyers pore over contract wording to fully understand what they are agreeing to, we must do the same when acquiring services in the cybersecurity realm. Too often, I see and hear service offerings misrepresented. Clients are told they are engaging a service provider to perform a penetration test (pentest), and when they get the report from that engagement, they learn that a vulnerability assessment was performed instead.
What’s the difference?
Let’s start with basic definitions:
Penetration Test: A test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of a system. (as defined by the National Institute of Standards and Technology, NIST)
Vulnerability Assessment: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation. (as defined by the National Institute of Standards and Technology, NIST)
Translation: A penetration tester will actively attempt to break into your systems by bypassing your security measures, and they’ll tell you, in detail, how they did it in their report. If they don’t, they didn’t perform a penetration test.
How to keep from getting taken advantage of…
You’ll know you’re dealing with true penetration testers by the process and information offered during the sales process, and by how they work with you to determine the scope and parameters of the test.
When discussing a penetration test with a potential service provider, look at the qualifications and certifications of the testing team (e.g. PNPT, Pentest+, and OSCP), and, as always, read the fine print on the service offerings. Ask for a sample report and see what information is shared. You want to see tactics, techniques, and procedures (TTP) details: what was tried, what worked, and how.
If the conversation has reached project or testing scope, they’ve done well so far. Penetration test planning and preparation is a very granular process. Anything that is not clearly defined is automatically considered “Out of Scope” for that engagement. Some questions to look for: What systems are going to be tested? What tools are the pentesters allowed to use? What kinds of attacks and attack vectors are to be used or avoided? When will the engagement begin? When will it end? During what hours will the testing take place? What kind of test will this be (e.g. black box, gray box, or white box)?
Does a vulnerability assessment give the same information?
The answer to this question is “sometimes.” Vulnerability assessments are just as important as pentests. Continuously monitoring for potential threats and vulnerabilities will help keep your environment secure. The difference is that the findings of a vulnerability assessment are typically identified by scanning rather than exploited, so they still have to be validated before you know which ones an attacker could actually use.
While this is not an exhaustive look at the differences between penetration tests and vulnerability assessments, I hope it has given you a better understanding of the two.