Vulnerability Assessment, Penetration Testing and Red Teams Explained

Confused about vulnerability testing and penetration tests and Red teams? I’m not surprised one bit.

These days, a growing number of information security experts use the terms "vulnerability testing," "penetration test," and "red teams" interchangeably, as though they refer to the same thing. Whatever the reason, security service providers only add to the confusion when they do not tell their customers what they get with each of these services. More importantly, they should be telling their customers what they do not get.

At the time of this article's original publication, two big privacy stories were dominating the technology headlines. Facebook was facing an outraged public as part of a serious privacy debacle, while the brand new EU GDPR regulation was preparing to take its first steps into better protecting individual privacy.

These two issues alone pushed a glut of companies to review their security policies and procedures. Ultimately, understanding the issues, the requirements, and the definitions of the terms is key.

So, to understand the differences and the pros and cons of each of these activities, read on. This clarification piece may help weed out knowledgeable security practitioners from those who simply aim to "close the deal."

Vulnerability Assessments

Vulnerability assessments can be a useful tool in the information security arsenal. Like traditional anti-virus, a vulnerability assessment is essentially an automated scanning service deployed across an environment. The goal is to scan many services for known vulnerabilities and log the results, so that an IT team can effectively and efficiently review the findings in order to address known problems.

Vulnerability assessments can also highlight configuration settings that may be cause for concern. Automated data will be fired at the target system across a number of ports, protocols, and services. The system collates the findings, automatically highlighting potential areas of concern.

Running up-to-date vulnerability scans on a regular basis, be it monthly or quarterly, is recommended. Once the preparation work of selecting the correct test for your environments is complete, the actual running of these programs is not time- or resource-intensive, and the findings, if properly addressed, can reduce overall digital risk posture.

Penetration Tests

To perform a penetration test correctly, it is essential to have well-above-average cyber skills. Real penetration tests are not automated, "push-a-button-and-sit-back-for-the-results" exercises. Under the strictest of definitions, an organization will hire a penetration testing team to test specific attack vectors in order to understand how a system or procedure may be vulnerable to a modern attack.

Penetration testing is typically performed against a predefined number of targets provided by customers and is designed to test known exploits against known vulnerabilities. For instance, an application penetration test against a predefined application could focus on specific weaknesses within a custom-designed web application. In this example, the target is a single web interface, and the vector of attack is a web browser connecting over a network.

A penetration test tries to exploit active weaknesses in a specific digital environment in the same manner any bad actor would. The point? Test the vulnerability of the system under real-life modern attack conditions and review the findings to establish whether current operating risk levels are acceptable.

A typical exercise might ask, "What customer and prospect PII could an outside attack agent walk away with if they are targeting cloud services?"

In this instance, the penetration tester would create an attack strategy and decide on methodology, timing, and tools. There may be elements of social engineering that are included to test how easily staff unwittingly part with sensitive information. Each proper penetration test is honed for a specific task.

This real-world testing of systems continuously pokes and prods the network or application using a wide range of attack vectors, all without disrupting availability or business continuity.

Proper penetration testing services, where highly trained infosecurity hackers design cutting-edge attack methodologies specific to an organization's requirements, are more time- and effort-intensive, but the results can yield excellent insight into current defenses from the attacker's point of view.

So, anyone offering out-of-the-box penetration tests may actually be offering an automated scan of the company's network/application or just the elements of a vulnerability test. It is important to ask the service provider what percentage of testing will be conducted manually and what percentage is automated.

Red Team Services

With the rise in data breaches, ransomware, phishing attacks, and security incidents, many companies today prefer to have more in-depth testing of their organization's overall security posture. For those organizations, red team services would be the answer.

Red teaming is an advanced offensive security service that mimics real-world attackers, from opportunists to nation-state actors. Red team engagements focus not only on the obvious vector/target (web client/web application/network) but also consider other direct and indirect attack methods, such as using social engineering to gain access to valid user credentials, attacking adjacent systems (not just the web server), physical attacks against the office space, deployment of malware, and wireless networking attacks against a trusted office network.

A typical red team service is designed to test posture over the period of a year, effectively mimicking attacker behavior. After all, bad actors aren’t limited to a two-week, one-time engagement, so why should companies constrain testing to that timeframe? This continuous testing of an organization's security posture provides the greatest assurances, giving early warning signs whenever anything suspicious or unusual is found.

Red team engagements, done properly, are a surefire way to reduce the information risk level. When talking to an information security services provider, be sure to ask them if they test all attack vectors to ensure the organization as a whole is being tested or if they’re simply performing a penetration test and referring to it as a red team service.

Acknowledgments

We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.

Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.

Kevin can be reached at [email protected] or +1 843 890 8596.
