Intelligent Tech Channels Issue 44 - Page 39

three basic criteria – the goal of the service , its scope and methodology .
What ’ s out there ?
Vulnerability assessment ( VA ): The most common service of the three , is an automated or semi-automated approach to the identification of security issues . Its goal is to discover as many publiclyknown vulnerabilities as possible among a strictly defined set of systems , ideally minimising false positive results . The methodology is quite simple , and boils down to pattern matching data received from a network service against a database of known security issues . Such a straightforward approach allows for a great level of automation , thus gaining the advantage of
From our experience , customers often get confused between three types of services – vulnerability assessment , penetration testing and red teaming . speed and repeatability . Disadvantages on the other hand are quite obvious too : in the end , all you get from a VA is a list of existing well-known vulnerabilities .
We ’ re not stating that VA is not the right service for you ; it is a crucial part of the vulnerability management program in any security-mature organisation , alongside asset inventory and change management processes .
Keep in mind that VA has nothing to do with any kind of simulation of adversarial behaviour . So , if a service provider you ’ ve enlisted for penetration testing or red teaming engagement mostly relies on an automated vulnerability scanning solution in the course of their work – they are not doing it right .
Now with vulnerability assessment addressed , let ’ s take a closer look at penetration testing before digging into red teaming .
As the name implies , penetration testing ( pentest ) aims to demonstrate how a security boundary could be breached , allowing a threat actor to get from point A to point B inside an organisation ’ s network . Unlike a vulnerability assessment , pentest goes beyond