Published 5 September 2018

Bug Hunting: Find security flaws before the bad guys do

As digitalization continues to sweep through established industries, companies are increasingly operating massive IT systems, which may consist of thousands of connected devices and thousands more dependencies on third-party software and applications. This leaves medium and large corporations with an extremely complex array of exposures to cyberattacks. Gone are the days when corporations could simply keep their antivirus software updated and assume they were protected from threats; nowadays, it is essential that corporations contract cybersecurity experts to map out and secure the ever-changing vulnerabilities of their computing systems.

This is where penetration testing and vulnerability assessment come in, both of which are techniques cybersecurity professionals use to find potential flaws in a security system and recommend ways to patch them. In this explainer, we are going to help clarify the difference between these two techniques and discuss why both of them are vital to maintaining high cybersecurity standards.

Penetration testing vs. vulnerability assessment

The difference between penetration testing and vulnerability assessment boils down to one key point: penetration testing is a human-led investigation, while vulnerability assessment is an automated scan.

A penetration test (or “pentest”) is effectively a friendly attack on a company’s IT system. A contracted cybersecurity professional will attempt to break into the system using the same methods that a malicious hacker would employ. These could include exploiting unsecured or unpatched devices on the network, flaws in third-party software, or human errors in the configuration of the existing security system. A thorough pentest will include not just hacking but also social engineering: trying to trick employees or third parties into opening up vulnerabilities in the network by, for example, revealing their passwords to a scammer or downloading a piece of malware. A more comprehensive extension of pentesting, known as red teaming, involves a team of external cybersecurity contractors, the “red team”, simulating a large-scale targeted attack on an organisation. Red teaming may involve hacking, social engineering and possibly even physical infiltration of a corporation. This form of security audit is most useful for large enterprises, especially those that have their own cybersecurity staff to act as the “blue team”, defending against the simulated attack in real time.

Following a penetration test, the pentester will provide a report to the company, detailing both technical and business solutions to the security vulnerabilities found. Tech fixes might include updating certain devices or fixing errors in databases, while business solutions are choices like providing employees with security training or re-evaluating dependencies on less secure third parties.

A vulnerability assessment, on the other hand, is an automated scan of a whole network. Rather than using human ingenuity to try and find new ways in, a vulnerability assessment performs a comprehensive scan of the network and provides a list of all the known vulnerabilities detected. This allows a company to systematically resolve the known technical flaws in their network.

These two techniques are very different, but they are all too often mixed up, not least because some contractors advertise penetration testing while only providing an automated scan. A thorough pentest is always a human-led exercise, and often takes at least a week. Penetration testing is essential for uncovering zero-day vulnerabilities, which are vulnerabilities in a system that have not previously been found. Uncovering zero-day vulnerabilities through pentesting before malicious hackers find them is essential to preventing the most devastating cyberattacks.

The gold standard of security audits combines both of these techniques in a process known as vulnerability assessment and penetration testing (VAPT). This is a human-directed audit which uses targeted penetration tests and automated scans in order to maximise both the breadth and depth of a security audit. Often, an experienced pentester will deploy specialised scanning tools and software that they have developed themselves in order to seek out flaws throughout a network. Effective human oversight of vulnerability assessment can help companies prioritise their responses to vulnerabilities and avoid wasting time on false positives: findings that a scan highlights but that have already been addressed by other means the scan cannot detect.
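As an added illustration of the human-directed triage described above (this is not code from the original post or from Cyber Citadel), the Python below takes constructed scanner findings together with a register of compensating controls that a network scan cannot see, suppresses the findings already covered, and orders the rest by severity. The hosts, checks, scores and mitigation reasons are invented sample data.

```python
import json

# Constructed sample scanner output (not from any real tool): one finding per host/check.
SCAN_JSON = """[
 {"host": "10.0.0.5",  "check": "TLS 1.0 enabled", "severity": 6.5},
 {"host": "10.0.0.5",  "check": "Apache outdated", "severity": 7.5},
 {"host": "10.0.0.9",  "check": "SMBv1 enabled",   "severity": 9.8},
 {"host": "10.0.0.12", "check": "Apache outdated", "severity": 7.5}
]"""

# Constructed register of controls a human reviewer knows about but a scan cannot
# detect. A banner-based version check still flags a host whose distro backported
# the fix without changing the version string: the classic scanner false positive.
MITIGATIONS = {
    ("10.0.0.5", "Apache outdated"): "distro security backport applied; banner version unchanged",
}

def band(score):
    """Map a CVSS-style base score to the usual severity band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def triage(scan_json, mitigations):
    """Split findings into an actionable list (highest severity first) and a list
    of suppressed false positives, each carrying the recorded reason so the
    decision stays auditable."""
    actionable, suppressed = [], []
    for f in json.loads(scan_json):
        entry = dict(f, band=band(f["severity"]))
        reason = mitigations.get((f["host"], f["check"]))
        if reason:
            suppressed.append(dict(entry, reason=reason))
        else:
            actionable.append(entry)
    actionable.sort(key=lambda e: (-e["severity"], e["host"]))
    return actionable, suppressed

if __name__ == "__main__":
    todo, fps = triage(SCAN_JSON, MITIGATIONS)
    for e in todo:
        print(f"{e['band']:8} {e['host']:10} {e['check']}")
    for e in fps:
        print(f"suppressed {e['host']} {e['check']}: {e['reason']}")
```

The register should itself be reviewed on each audit cycle, since a control that lapses silently turns a suppressed finding back into a real exposure.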

How do you find your flaws?

Regular VAPT is crucial for companies to protect their IT systems from attacks and ensure their compliance with new data protection laws such as the EU’s General Data Protection Regulation (GDPR). VAPT not only helps companies keep their security systems patched and working properly, it also identifies gaps in business logic that can impair a company’s ability to manage future threats. Do you know whether any of your third-party suppliers have changed hands recently? How do they protect the data they hold, and how much of your data do they have access to? Thorough VAPT will answer these questions. Understanding the complex tendrils of your IT system is also essential for compliance with GDPR, which applies to any company working with clients in the European Union. GDPR requires that companies map out exactly how their client data is secured and who it is shared with, and have a plan in place to detect any data breaches and notify authorities when one occurs. The penalties for noncompliance with GDPR can be steep, with fines of up to €20 million or 4% of annual turnover, whichever is higher. VAPT helps companies gain a better understanding of their IT system and its dependencies and implement both technical and business solutions to ensure regulatory compliance and safeguard against future attacks.

– Jonathan Sharrock, Cyber Citadel.