VioPoint

Consultant's Corner: Controls Based Assessment vs. Penetration Testing

Information security and risk management stakeholders are constantly challenged to balance budgets, educate the organization about risk, comply with regulations and protect information assets. In addition to wearing these many different hats, the security and risk professional also has to deal with many product offerings, vendors, service offerings, and an ever increasing alphabet soup of industry terms/acronyms.

In our dealings with clients, VIOPOINT often experiences overlap in the use of assessment terminology. While this overlap is generally harmless, it is important to align the organization's objectives with the type of assessment being conducted. For the purpose of our comparison in this article (controls based assessment vs. penetration testing), we’ll explore the world of prevention and what this means for security managers. Activities categorized in the prevention realm help the organization take a proactive posture at implementing defenses with the goal of preventing damage to the organization and supporting business operations. A simple example would be implementing a network firewall that separates the public-facing Internet from the internal corporate network. This type of defense serves many purposes, but ultimately it provides access control by preventing unauthorized users from gaining direct Internet access to the corporate network.

Assessments

One important type of preventative activity is performing assessments against your own information assets. For our review we’re not limiting the term “information asset” to just technology, as we realize a large portion of security testing and assessments are performed against technology assets. People, processes and physical environments are just as important. The term “assessment” has been attached to a wide variety of security activities which may confuse stakeholders, but ultimately at its highest level an assessment is nothing more than an exercise that attempts to proactively understand weaknesses before a future state event has a negative impact on the organization. These activities can have a multitude of labels attached to them such as analysis or audit, but they can easily be synonymous with each other because they often achieve the same type of result.

In the audit world, stakeholders maintain a pre-determined list of items that the organization should have in place in order to properly protect its information assets or comply with regulations. However, auditing against a list of known items is not limited to regulations, as organizations can set their own internal compliance mandates and choose their own controls from best practices. Whatever the motivating factor, an audit project uses a list of controls to measure compliance. By definition, a control is a safeguard that helps manage risk. Using our previous firewall example, a network security control that you might want in place would be a validation that the firewall is offloading its logs to a centralized syslog or repository. This is an example of one control that an auditor may look for when evaluating compliance.

When compiling the results of an assessment or audit, organizations can measure the results in many different ways. An audit team can use pass/fail when assessing controls, but they may also use implemented/non-implemented, compliant/non-compliant and anything in between. This pass or fail type of measurement simply indicates that the organization needs to comply with a list of controls, and the goal is to strive toward 100% compliance. Of course the keyword is “toward”, since many organizations may find it unrealistic to achieve 100% compliance with any regulation or mandate. Using this model of “pass or fail”, we are simply measuring whether or not we have a control properly implemented. However, another type of assessment exists that meets the same type of objective but also takes into consideration a priority level with regard to which controls are more important. This type of assessment is often referred to as a risk assessment.

Without getting into too much detail, risk assessments use many different types of weighting or criticality ratings to influence how the results are used by the organization. Controls are still used to measure the outcome, but some controls are ranked higher and have more theoretical impact on the organization if they are deficient. There are several methodologies used to determine risk, but at the end of the day a risk assessment helps determine the negative impact a business will experience based on the missing controls.

In the previous firewall example, an organization may have several firewalls used to enforce access control at various points in the network environment. Some of them may be more important than others and have a different criticality rating to the organization. If a particular control is missing (the firewall is not forwarding its logs to central syslog), a risk assessment will articulate what parts of the business are at risk. All of these activities are in the spirit of determining what things need to be fixed (or accepted as a risk) in the organization before an incident or event negatively impacts the business. They are proactive activities designed to assist stakeholders with making informed decisions about where to spend their time and money when it comes to protecting information assets.
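To make the difference between the pass/fail audit view and the weighted risk view concrete, here is an added Python example; it is not VioPoint's code nor a tool the article describes. It carries the article's firewall-to-syslog control through a validation check run against constructed log lines from a central repository (rather than relying on an interviewee's answer), then scores the same control list both ways: unweighted compliance, and risk weighted by each control's criticality. The hostnames, the 1-to-5 criticality scale, the 24-hour freshness window and the log lines are all constructed for this example.

```python
"""Constructed example: pass/fail compliance vs. weighted risk over a control list."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed syslog-style lines as they might sit in a central log repository.
# Hostnames, addresses and timestamps are made up for this example.
SAMPLE_SYSLOG = """\
2024-03-01T10:00:05Z fw-edge-01 kernel: DENY TCP 203.0.113.9:4444 -> 10.0.0.5:22
2024-03-01T10:00:07Z fw-edge-01 kernel: ALLOW TCP 10.0.0.7:51000 -> 198.51.100.3:443
2024-02-20T08:15:00Z fw-dmz-01 kernel: ALLOW TCP 10.0.1.3:40000 -> 10.0.0.8:80
"""

NOW = datetime(2024, 3, 1, 12, 0, 0)   # fixed "current time" so the example is deterministic
MAX_LOG_AGE = timedelta(hours=24)      # constructed freshness window for the control


def last_seen_per_host(syslog_text):
    """Return {hostname: most recent timestamp} parsed from syslog-style lines."""
    seen = {}
    for line in syslog_text.splitlines():
        parts = line.split(maxsplit=2)          # timestamp, hostname, message
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        host = parts[1]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def syslog_forwarding_check(host, syslog_text, now=NOW, max_age=MAX_LOG_AGE):
    """Control validation: has this firewall delivered a log line within max_age?"""
    last = last_seen_per_host(syslog_text).get(host)
    return last is not None and now - last <= max_age


@dataclass
class Control:
    control_id: str
    description: str
    criticality: int   # 1 (low) .. 5 (high); constructed weighting scale
    passed: bool


def evaluate_controls(syslog_text=SAMPLE_SYSLOG):
    """Build the control list; the syslog controls are validated from log evidence."""
    return [
        Control("FW-LOG-EDGE", "fw-edge-01 forwards logs to central syslog", 5,
                syslog_forwarding_check("fw-edge-01", syslog_text)),
        Control("FW-LOG-DMZ", "fw-dmz-01 forwards logs to central syslog", 3,
                syslog_forwarding_check("fw-dmz-01", syslog_text)),
        Control("FW-LOG-LAB", "fw-lab-01 forwards logs to central syslog", 1,
                syslog_forwarding_check("fw-lab-01", syslog_text)),
        # Constructed questionnaire answer, not validated from evidence here.
        Control("FW-RULE-REVIEW", "Firewall rule base reviewed quarterly", 4, True),
    ]


def compliance_percent(controls):
    """Audit view: share of controls that pass, every control weighted equally."""
    return 100.0 * sum(c.passed for c in controls) / len(controls)


def weighted_risk(controls):
    """Risk view: criticality of the missing controls as a share of total criticality."""
    total = sum(c.criticality for c in controls)
    missing = sum(c.criticality for c in controls if not c.passed)
    return 100.0 * missing / total


def prioritized_findings(controls):
    """Missing controls ordered so the most critical gap is addressed first."""
    failed = [c for c in controls if not c.passed]
    return [c.control_id for c in sorted(failed, key=lambda c: -c.criticality)]


if __name__ == "__main__":
    controls = evaluate_controls()
    print(f"compliance: {compliance_percent(controls):.1f}%")
    print(f"weighted risk: {weighted_risk(controls):.1f}%")
    print("fix first:", prioritized_findings(controls))
```

In the constructed data the edge firewall logged two hours ago and passes, the DMZ firewall last logged ten days ago and fails, and the lab firewall has never been seen, so two of four controls pass (50% compliance) while the weighted risk is 4 of 13 criticality points (about 31%). Swapping which firewalls fail leaves the compliance figure unchanged but moves the weighted figure, which is exactly the distinction the article draws between the two views.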

These types of assessments are very important, but they rarely portray a true representation of how well the organization can stand up to a real world attack. Assessments and audits use theoretical models, asset valuation, regulatory fines for non-compliance and other variables to determine what could happen to an organization that lacks certain controls, but these activities are not real world tests against the actual assets themselves. For this, we need to turn to penetration testing.

Testing

Penetration testing is the process of infiltrating your own infrastructure using a specialized team of stakeholders to circumvent existing defenses. From an approach standpoint, the adversary being emulated could be a malicious attacker or simply a curious user. A penetration test is ultimately a real world exercise of ethically hacking into your environment and demonstrating what types of negative consequences the attack may have on the environment. We cite this activity as being a bit more “real world” than a controls based audit/assessment because quite often the ethical attackers are using the same techniques and tools that the bad guys use. These activities complement audits and assessments because they add critical information to the feedback loop of the overall information security program itself. Constant auditing, testing and continuous improvement are critical to keeping assets protected from evolving threats and help balance the risk of the ongoing increase in the value of data.

Let’s take a look at some strategic value that a penetration test can offer that differs from traditional auditing or risk assessments. A compliance or audit team may mandate that a certain list of controls must be in place, and assessments may determine the level of compliance. However, the auditor or assessor must rely on answers from interviewees or data collected by performing validation checks. In fact, for organizations that can’t afford the luxury of highly automated policy enforcement and compliance management systems, auditors can only validate a finite number of assessment answers.

This scenario is where penetration testing is invaluable. It provides that additional layer of validation to determine if policy is truly being enforced and if controls are truly offering adequate protection. It’s perfectly logical to assume that sometimes interviewees may respond to an audit favorably and tell the assessor that certain controls are in place, but a penetration test can prove otherwise. Penetration testing may also offer security stakeholders additional insight into their own controls management architecture. In the end, a list of controls may turn out to be inadequate and the organization may need to alter the list based on the results obtained by penetration testers. Assessments and audits by themselves cannot offer this insight into real world testing of defenses and controls. Additionally, you could make a case for penetration testing by demonstrating that it helps support prevention, detection and correction activities. This approach is proactive, and it tests how well an organization can detect a breach and how well it can respond to one. We’d also be remiss if we relegated penetration testing just to technology. Testing social engineering weaknesses (emails, phone calls, physical, etc.) is an integral part of penetration testing as well.

Blended Approach

Both controls based assessments and penetration testing exercises are an important part of determining the overall security posture of an organization. They also establish a benchmark for how successful a security program is overall. Organizations that simply react to problems and do not invest time in proactive assessments and real world testing exercises miss out on understanding the true state of security within their organization. A proper combination of both activities scheduled at reasonable intervals throughout the program lifecycle is imperative. Knowledge is power when attempting to manage risk and the old adage of “you cannot manage what you do not know” rings true when dealing with information assets.