Ryan Siu

Demystifying Red-Team Assessments, Penetration Tests and Vulnerability Assessments

Updated: May 9

To ensure your cyber security goals are achieved, selecting the correct type of cyber security assessment is crucially important. At Wilbourne, we work collaboratively with our clients to ensure the most appropriate assessment is performed, taking into account our clients' objectives, security maturity and budget. Where this care is not applied, two potential situations could arise:


  1. Organisations that operate complex digital environments, typically larger organisations, may procure a security assessment that is too basic for their needs and does not adequately test their processes and controls.

  2. Organisations that are at the start of their security maturity journey and do not have appropriate foundational security controls in place, typically SMEs, may procure an assessment that is far too complex and does not address their most pressing needs.

Ultimately, in these situations the organisations may be left with an assessment focused on the wrong areas, a long list of recommendations which they simply don’t have the budget to remediate, or worse still, a false sense of security around their assessed infrastructure.

This article hopes to clarify the differences between these services and when they are most appropriate to use.


Cyber Security assessments have evolved over time


All types of technical cyber security assessments will typically provide information, often in the form of a report, containing recommendations and advice on how to protect your organisation from cyber attacks. However, this is where the differences start: the depth, breadth and your perceived level of risk will vary greatly depending on the service performed. This is why understanding what is involved is crucial in performing security assessments.


Historically, a penetration test involved an assessment performed against an entire organisation, asking the questions:


  1. How susceptible is my organisation to a cyber attack?

  2. What techniques would an attacker use to gain access to our data?

  3. Will this cause financial or reputational loss?


With the introduction of time- and scope-limited penetration testing services, these types of engagements are often diluted down to a vulnerability assessment. The resulting report lists technical weaknesses within the organisation’s infrastructure environment, which is a useful exercise in itself; however, it does not help the client understand their susceptibility to a cyber attack or answer the questions above. The introduction of simulated cyber attacks or ‘red team assessments’ was a move by the industry to replace what were traditionally known as ‘penetration tests’ and answer those questions again. This has created three different types of assessment which are now common across the industry.


What actually is a cyber security assessment?


Each type of assessment has its own pros and cons and a place within comprehensive security programs of mature organisations.


Let’s take a look at each one in more detail:


Vulnerability Assessments - used to identify known weaknesses in your systems or infrastructure. There is no exploitation of these vulnerabilities, meaning that the weaknesses are not acted upon and therefore the true extent of the risk cannot be appropriately measured. Vulnerability Assessments can, however, be effective in quickly profiling your system or environment for weaknesses.


Imagine performing a vulnerability assessment against a house: the assessment would reveal that the garden gate is broken, a window is ajar, and the locks you are using are old and can be lockpicked easily, but the consultant would not attempt to go inside the house.


Penetration Tests - take vulnerability assessments one step further and typically involve exploitation of the vulnerabilities. In other words, the consultant acts on the weaknesses identified in order to achieve the cyber attacker’s goals, typically to access sensitive information or data, showing the client the impact and risk to their environment should a cyber attack occur.


Going back to the house analogy, during a penetration test, the consultant would pass beyond the broken gate, pick your locks, and proceed to tell you how an attacker would be able to find your priceless jewellery in a box in your bedroom.


Crucially, vulnerability assessments and penetration tests will not test the response capabilities of the organisation (such as how the organisation reacts to and deals with a cyber attack) – this is where the red teams come in.


Red Team Assessments - are designed to simulate cyber attacks and measure the organisation’s ability to detect, respond to and prevent cyber attacks. These assessments are designed to be goal or objective based and are often combined with threat intelligence to mimic real-world attacker techniques and targets.


Again, back to the house analogy, red team assessments look at identifying a way of taking the jewellery from your house in such a way that the people inside are unaware that it has been taken, much like a burglar would. But what happens if someone spots the activity? How do they respond? Will the house alarms go off? Are the police called?


This is, of course, a very simplified analogy of how cyber security assessments work, but it demonstrates the key differences between the different services.


Further confusion


Another misconception is that these different assessments are different tiers of the same type of assessment. It is often considered that vulnerability assessments, penetration tests and red team assessments are orders of magnitude of the same thing; this is simply not the case. Each assessment has its own merits and can be utilised in different circumstances. The most appropriate for you is the one which aligns best with your organisation’s goals, requirements, and security maturity.


Choosing the right assessment for you


When considering the most appropriate assessment for your organisation, your security objectives, scope and maturity should all be at the forefront of your decision. Performing a red team assessment against your organisation when you do not have appropriate processes and procedures in place to detect and prevent cyber attacks may not be the most appropriate use of your budget, and is therefore a wasted opportunity to identify the key risks facing your organisation.

Our security experts at Wilbourne offer bespoke evaluations based on your organisation’s needs and requirements. Please do get in touch with us so we can work with you to improve your security in a way that adds value and helps keep your ‘house’ safe. We have an extensive level of experience in performing all types of assessments and will work with you to ensure we perform the most appropriate service for your security maturity journey. Contact us now to explore how we can work together.



© Copyright Wilbourne LTD 2024. All rights reserved
