Raise your hand if you have ever heard of either the Payment Card Industry (PCI) Data Security Standard (DSS), the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF), the NIST 800 series of special publications (SP), specifically 800-53 and 800-171, ISO 27001:2013, the European Union (EU) General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or any of the slew of other regulations and standards developed to ‘help’ your organization secure (i.e. protect the Confidentiality, Integrity, and Availability of) the information you possess and the information systems that house it.
If you did not raise your hand, you are probably reading this in your office and you don’t want to be that person who, for no apparent reason, is raising their hand. But if you really have never heard of these regulations and standards then the information in this blog may serve you better than a sleeping pill.
Data (membership, demographic, customer, donor, etc.) is as valuable to organizations as any asset they own and use to operate daily. That is not to say that one piece of data is equal to one dollar. However, it is safe to say that the data your organization possesses is valuable when used to tailor your marketing efforts, renew subscriptions, or confirm registration for an event. It is no secret that the people who trust you with their data are becoming increasingly concerned with what you are doing with their data and how you are protecting it from malicious threats.
These regulations and standards are designed to ensure the security of valuable data, and if you put them side-by-side, you will see that they share many of the same requirements. This can be seen in Microsoft’s Compliance Manager service, a free service that helps Office 365 and Azure customers track their level of compliance with regulations and standards like GDPR, ISO 27001:2013, and NIST 800-171. If you look at the consumer controls for NIST 800-53 in Office 365 and go to the “Access Control” section, you will see that the first control, Control ID: AC-1(a)(1) “Access Control Policy and Procedures”, also relates to NIST 800-171 control ID 3.1.1, HIPAA 45 C.F.R. § 164.308(a)(3)(i), and ISO 27001:2013 A.9.1.1. Essentially, if you are already working towards compliance with one of these regulations or standards, then you are more than likely well on your way toward compliance with several others.
A common control across all these regulations and standards, which is either explicitly listed or implied by a statement like “appropriate security of the personal data…”, is the need for a valuable Vulnerability Assessment and Penetration Test (VAPT). Vulnerability Assessments and Penetration Tests are two distinct services that help your organization identify the weaknesses in the three elements (i.e. People, Process, and Technology) of any Security Program in place to protect the confidentiality, integrity, and availability of your information and information systems.
What is a “valuable” Vulnerability Assessment and Penetration Test?
Let’s look at each service separately, beginning with the vulnerability assessment. The goal of the vulnerability assessment is to ensure that your information and information systems have been configured, patched, and updated, so they are protected against known threats. The result of the vulnerability assessment will likely be a list of vulnerabilities that affect the targeted environment, and the remediation steps that should be taken to address them. Frequently, companies that offer this service rely solely on automated scans that will provide only a list of obvious and unverified vulnerabilities. A “valuable” vulnerability assessment will go beyond automated scanning and will also evaluate the people and processes elements of your security program. A vulnerability assessment typically focuses on breadth. The goal is to quickly identify and evaluate common vulnerabilities in an organization’s attack surface.
Conversely, the practice of Penetration Testing is more about depth. A valuable penetration test is conducted with little to no initial knowledge about an organization aside from what is discussed during preliminary scoping. In fact, open source intelligence gathering (OSINT) is an important and often illuminating first step during a typical engagement; organizations are frequently surprised by the kinds and volume of information that are gathered during this stage. Using this information, which is gathered iteratively throughout the engagement, a good team will apply both creativity and technical expertise to discover and exploit vulnerabilities.
The difference between a “valuable” penetration test and a “regular” penetration test lies in the skill, experience, and creativity of the testers, as well as in the prioritization of findings. The client may need to be notified immediately if there is evidence of an existing breach or if a critical vulnerability is identified. When choosing a penetration testing vendor, do not be afraid to ask for their credentials and for an example of their previous findings.
The following list is provided to highlight some key aspects of a valuable vulnerability assessment and penetration test:
- Vulnerability scanning using commercial and open source scanning tools
- White-box evaluation of system configurations
- Open source intelligence gathering and system enumeration
- Vulnerability discovery through automatic, manual, and custom techniques
- Vulnerability exploitation and pivoting to other resources
One last note: Not every vendor that provides Vulnerability Assessments and Penetration Tests is created equal. The paragraphs above attempt to identify some differentiators to look for when searching for a VAPT vendor, but they are not an exhaustive list. A common mistake when planning a VAPT is approaching it as just another checkbox to be ticked and accepting the cheapest quote received. A VAPT is the foundation of any Security Program designed to protect those who trust you. Starting with a weak foundation often leads to ill-informed investments and wasted effort to protect your data. Taking the VAPT seriously is not only a first step towards compliance with regulations or standards, it is also an opportunity to build trust with your clientele.
To summarize, a regularly scheduled vulnerability assessment and penetration test is part of nearly every regulation and standard and is a key component of any risk assessment program. As more organizations are required to comply with these regulations and standards, it can be hard to know where to start. I hope it is clear now that scheduling a vulnerability assessment and penetration test with a reputable third party is a great way to begin your journey towards protecting these valuable assets.