Vulnerability Assessment and Penetration Testing can give you a quick and detailed analysis of your current internal and external exposure to breaches that threaten critical information assets.
This is an essential step for businesses to determine the necessary next steps for maintaining the security level.
Vulnerability Assessment
Vulnerability Assessment (VA) is a process for identifying inadequate computer and network securities that cause technological weaknesses. It includes methods for prioritizing and implementing additional security measures for fixing and protecting systems.
Penetration Testing
Penetration testing allows organizations to proactively assess vulnerabilities using real-world exploits, allowing them to evaluate the potential for their systems to be subverted through hacking and malware schemes in the same manner that attackers employ. It also serves as the most effective manner for determining the efficacy of security point solutions and systems defense mechanisms by actively analyzing whether or not those protections can indeed be circumvented by attacks.
Most importantly, penetration test results enable IT staff to delineate critical security issues that require immediate attention from those that pose lesser risks to help prioritize remediation work.
Quantifying Risk & ROI In VA/PT
Q: What is the course for the budget-strapped executive, who assumes that the current security systems are good enough, robust enough, and up-to-date enough to stop the next wave? How does he prove due diligence, and assure all stakeholders that their confidence in the systems under his control is well placed? A difficult, costly and often intimidating process!
A: Clearly, the only solution is to monitor and assess the exact vulnerability state of every component of the infrastructure constantly and consistently. Outsourced security operations will offer many advantages and excellent services in this regard, which can greatly enhance the overall security level of the enterprise.
A: Clearly, the only solution is to monitor and assess the exact vulnerability state of every component of the infrastructure constantly and consistently. Outsourced security operations will offer many advantages and excellent services in this regard, which can greatly enhance the overall security level of the enterprise.
The return on investment for Vulnerability Assessment and Penetration Testing can be compared to the ROI calculations of firewalls, IDS, IPS, biometrics and the like.
To illustrate this concept: the necessity of a firewall is clear for any Internet-connected concern, and its worth can be clearly demonstrated in pure risk mitigation and network protection terms. The continual stringent maintenance and accurate configuration of that firewall, however, directly impacts its effectiveness and therefore its worth, and hence ROI.
Regular assessment of its configuration, and timeliness of patching newly discovered problems, maintains or increases the effectiveness, and therefore the worth of that firewall.
True ROI calculations for vulnerability assessment must include the real threat that a compromise of these assets poses to the security of other, linked and/or underlying systems, data, and processes.
To illustrate this concept: the necessity of a firewall is clear for any Internet-connected concern, and its worth can be clearly demonstrated in pure risk mitigation and network protection terms. The continual stringent maintenance and accurate configuration of that firewall, however, directly impacts its effectiveness and therefore its worth, and hence ROI.
Regular assessment of its configuration, and timeliness of patching newly discovered problems, maintains or increases the effectiveness, and therefore the worth of that firewall.
True ROI calculations for vulnerability assessment must include the real threat that a compromise of these assets poses to the security of other, linked and/or underlying systems, data, and processes.
Facts About Information Assets
· The value of information is often considered to be at least as important as the value of a company's physical assets.
- Protecting the confidentiality, integrity, availability and authenticity of company information is important to the company's ability to function in today's business environment.
- A breach of a company's information systems could result in the disclosure not only of its information, but also its clients' sensitive data.
- Biggest threat is unauthorized users - including insiders, hackers, corporate raiders / intelligence gathering companies (they use and sell this information to other companies) and professional criminals.
- Most E&O, liability, business continuation and property insurance policies require a proactive security policy - and VA/PT go a long way in satisfying that requirement
- Statistically, the average percentage of a company’s information technology budget that is spent on information security is between 1-2% of average revenues
Three Drivers In Decision To Proceed
What is the loss resulting from a breach occurring?
- Downtime
- Compromised / damaged / stolen data
- Monetary cost
- Legal costs
- Costs related to loss of system / data availability
- Lost business
- Internal / external services to correct / remediate situation
- Costs related to loss of information integrity / confidentiality
What is the probability of a threat occurring?
- Challenge, status or thrill
- Every day, your network is being scanned and probed by a variety of automated tools and people seeking nothing more than "breaking in". This occurs whether you know it or not - guaranteed, so the threat is indeed real - it's happening today.
- Most first time exploits go undetected. You usually don't know about it until it is too late and the damage has been done.
- Damage to electronic assets, data, reputation or ability to conduct business.
- Can occur purposefully, by accident or by random "luck of the draw"
- Loss of customer trust
- Ability to win future business
What is the probability that that a threat would be successful?
- Probability of an asset being compromised can be estimated based on the availability and ease of performing the exploit and the attractiveness of the target.
- This probability of compromise is then combined with the possible loss or cost resulting from a security breach to determine a risk value for the asset.
- Until an assessment is performed you don't know how available or easy it is for a vulnerability to be identified and exploited.
- What you don't know, CAN hurt you.
- Unknown vulnerabilities make a target very attractive and without regard to the company or what it does, once vulnerabilities are identified they are posted on various Internet sites for all to see - and take advantage of.
- Firewalls are not enough.
Your investment is small relative to the cost of a vulnerability being exploited!
