Penetration Testing, Vulnerability scanning and patching; what are they, when to do them and why you need to know

Peter Yapp, our regular contributor on cybersecurity, gives some tips on how not to fall into the 'digital sand' of today's interconnected world by using testing, patching and vulnerability scanning.

It is an unwelcome reality that computer systems are insecure. The only 100% safe computer is one that is switched off, disconnected and in a cupboard. Such a device is of no use to anyone! When computers and the internet were first being designed, there was little thought of security. 

In 1969, when the first version of UNIX was written, those early pioneers could not foresee any use case that would require the sort of security that is essential today. We all use UNIX in one form or another - Mac OS X is a variety of UNIX and Android is effectively Linux tailored for a smartphone. UNIX-based systems are inherently more secure than the Windows operating system because everything is modular. But fundamental flaws still remain in the operating system’s design. The Unix superuser remains a single point of security failure. Any attacker or insider who can become the Unix superuser can take over the system, booby-trap its programs, and hold the computer’s user hostage, often without their knowledge.

For all operating systems, not only is design important for security, but also good administrator practices and vigilant end users. Users should not open attachments they are not expecting or from unknown senders, whatever system is being used. But however good you are, providing 100% protection to an organisation's cyberattack surface is impossible.

It is against this background, an interconnected world built upon digital sand, that I recommend three tenets for security. There are many more, but I want to concentrate on patching, penetration testing and vulnerability scanning for this article.

Patching

We can all help improve security by patching. What is patching? As the UK’s National Cyber Security Centre states “Vulnerabilities in technology are always being discovered and in response, vendors regularly issue security updates to plug the gaps. Applying these updates - a process commonly known as patching - closes vulnerabilities before attackers can exploit them. Patching can also fix bugs, add new features, increase stability, and improve look and feel (or other aspects of the user experience)”. Next time you receive a software update for your phone, tablet or laptop, click on yes and keep up to date and more secure. Almost all of these patches will include some element of improved security, even if that improvement is buried under a raft of new emojis, colours and layouts.

Patching remains the most important thing you can do to secure your devices, which is why applying patches is so often described as fundamental to everything else you do. And it applies even more to the corporate environment than it does to your personal life. The problem is that patching in this environment is not easy.

If patching were easy, we would all update all our software and operating systems immediately. But we don’t and neither do our suppliers. Part of the problem is the sheer number of vulnerabilities identified for patching in any one year, a number which keeps on increasing year on year – see chart below:

[Chart: growth in the number of vulnerabilities identified per year]

Not only are there so many vulnerabilities being identified, but in 2020 57% were classified as being ‘critical’ or ‘high’ severity (vulnerabilities that you absolutely should patch). Of course, not every organisation will be using all of the versions and all of the software identified, but these easy routes for hackers to use are spread across many different products including Adobe, Apple, Cisco, Google, IBM, Microsoft, Oracle and many more.

Vulnerability Scanning

If we are not patching everything we can, what is a way of prioritising what we really should patch? Carrying out internal or external vulnerability scanning. You will need a commitment that resources will be available to carry out the patching, but a good starting point is an external scan of your internet-facing network. This is what the hacker will see, and some attackers have been known to target only those organisations showing particular vulnerabilities. These external scans can be automated to check your network continuously, and can also be used to check on the higher-risk suppliers in your supply chain (i.e. those who have digital access to your network).

If you have the budget to carry out internal vulnerability scanning, this will give you a better view of the state of your digital security, although an external scan will still give a good indication. Again, you need to ensure you have the resources to take action on the findings, and for many organisations this will mean outsourcing the function in order to obtain the requisite skills to understand, prioritise, patch and/or take the appropriate mitigating actions.

Systems and applications are constantly created or changed, and the pace of change is ever faster. It is a huge task for any security organisation to stay up to date with all of the changes, but vulnerability scanning will help. It should allow you to identify programs or equipment that have been set up without the knowledge or involvement of security or IT, that are no longer used and have been forgotten about, or that were used for short-term testing but never decommissioned.
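The two uses of scanning described above (prioritising what to patch by severity, and spotting systems that appear without security's knowledge) can both be driven from consecutive scan reports. The following is an added example, not code from the article or from any scanning product; the scan findings, hostnames and severity labels are constructed for illustration, and the report format is hypothetical.

```python
from dataclasses import dataclass

# Rank used to decide what must be patched first (critical/high = "absolutely should patch")
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    """One line of a (hypothetical) external vulnerability scan report."""
    host: str
    port: int
    service: str
    severity: str
    title: str


# Constructed sample data: two consecutive daily scans of the same internet-facing range.
YESTERDAY = [
    Finding("www.example.com", 443, "https", "medium", "TLS 1.0 enabled"),
    Finding("mail.example.com", 25, "smtp", "low", "Banner discloses software version"),
]
TODAY = YESTERDAY + [
    Finding("www.example.com", 443, "https", "high", "Outdated web framework"),
    Finding("test-vm.example.com", 3389, "rdp", "critical", "RDP exposed to the internet"),
]


def new_exposures(previous, current):
    """Host/port pairs that answered today but not yesterday: a new or forgotten system."""
    seen = {(f.host, f.port) for f in previous}
    return sorted({(f.host, f.port, f.service) for f in current if (f.host, f.port) not in seen})


def patch_priority(findings, min_severity="high"):
    """Findings at or above min_severity, most severe first, for the patching queue."""
    threshold = SEVERITY_RANK[min_severity]
    urgent = [f for f in findings if SEVERITY_RANK[f.severity] >= threshold]
    return sorted(urgent, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port))


def severe_share(findings):
    """Fraction of findings rated critical or high (the article cites 57% for 2020)."""
    if not findings:
        return 0.0
    return sum(SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"] for f in findings) / len(findings)


if __name__ == "__main__":
    for host, port, service in new_exposures(YESTERDAY, TODAY):
        print(f"NEW EXPOSURE: {host}:{port} ({service}) - find the owner, patch or decommission")
    for f in patch_priority(TODAY):
        print(f"PATCH FIRST [{f.severity}] {f.host}:{f.port} {f.title}")
```

A host that appears in today's scan but not yesterday's is exactly the "set up without the knowledge of security or IT" case: someone has to find its owner before deciding whether to patch it or switch it off.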

Penetration Testing

Whereas vulnerability scans look for known vulnerabilities in systems and report potential exposures, penetration tests are intended to exploit weaknesses in the architecture of your IT network and determine the degree to which a malicious attacker can gain unauthorized access to your business. You need both.

You should view penetration testing as a method of assurance for your organisation's vulnerability assessment and management processes, not as a first step in identifying vulnerabilities.

Penetration testing is a good way to test cybersecurity, but do not limit the extent of the digital environment to be in scope; you need to have as realistic a picture as possible by testing as much as you can. 

Cybercriminals will look for the easiest, least time-consuming way to achieve their goal. These attackers have access to numerous tools, techniques, and services that can help them find the weaknesses across all of your organisation's systems.

Penetration testing is a series of activities undertaken on your behalf to identify and exploit security vulnerabilities. It helps confirm the effectiveness or ineffectiveness of the security measures that have been implemented.

Periodic penetration testing should aim to discover and address the unknown entry points and internal traversing routes within your system.

There is limited value in testing only a portion of your attack surface periodically. Unless you continuously discover and test your entire external attack surface, you won't have a complete understanding of how (in)secure your organisation is.

The testers will make every effort to avoid causing disruption to the system being tested. However, due to the nature of penetration testing, it's impossible to guarantee that no unexpected consequences will occur.

Tests fall broadly into two types: whitebox and blackbox testing. Whitebox is where full information about the target is shared with the testers. This type of testing confirms the effectiveness of internal vulnerability assessment and management controls and will cost less. Blackbox is where no information about the technical details of the target is shared with the testers. This type of testing replicates an external attacker’s view but takes longer (and costs more) as background reconnaissance has to be carried out first.

Once the test has been completed a report should be drawn up that includes any security issues uncovered, severity ratings, an assessment as to the level of risk that each vulnerability exposes the organisation or system to and a method of resolving each issue found.

A debriefing can also be useful.

------------

Comparing Penetration Testing to Internal and External Vulnerability scanning

Penetration Testing

Advantages: Deeper dive. Approach with a hacker’s mindset.

Disadvantages: Like an MOT test on a car – only tells you if you are ok on the day.

Advice: Change the individual carrying out the pen test each time to get a different perspective. Have penetration tests carried out by an external provider at least once every year.

Internal Vulnerability scanning

Advantages: Can give an update every day. Warns you of any new server/software that has been misconfigured straight away. Gives a view on what a rogue insider might take advantage of.

Disadvantages: Can become overwhelming with the number of vulnerabilities identified. Requires sufficiently trained and experienced resources to prioritise and mitigate risks.

Advice: Look at outsourcing part or all of this function if you are a small or medium sized organisation.

External Vulnerability scanning

Advantages: Gives an update every day. Warns you of any new server/software that has been misconfigured straight away. Useful to carry out on those who are of a higher risk in your supply chain.

Disadvantages: Only gives you an external view.

Advice: Think of this as the cyber equivalent of a financial credit check. Carry out due diligence (or get a third party to) on the main players in the external vulnerability scanning market who are based in the USA (all have a footprint in the UK).

----------

Patching, vulnerability scanning and penetration testing should all be part of your armoury in trying to counter the potential attacks on your business, the security for which was built upon digital sand.


Peter Yapp, Cyber Partner at Schillings. Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre- and post-incident cyber security advice to a range of individuals, companies, boards and operators of essential services.

Published: 2021-07-29T10:00:00
