Penetration Tests. Five good reasons to do vulnerability assessments as well.

Penetration tests vulnerability assessment

Regular penetration testing is a vital part of any network security protocol. But many organizations limit pentests to a couple of times a year … because although the benefits are worthwhile, the disruption to the network and users can be significant.

Yet there is a way that network security managers can preserve all the benefits of their rigorous pentest program, and also reduce the impact that regular penetration testing has on the business.

A daily Vulnerability Assessment is an unobtrusive way to perform a background check on every server in the network. It’s like starting each day with a quick health check, so that you’re in good shape for the in-depth, bi-annual medical exam that a full pentest provides. Better still, the cost is minimal and there’s no effort or system overhead. Read on …


Quick overview of Vulnerability Assessments.

If you’re new to the concept of vulnerability assessments, here’s the 20-second overview of what the SecludIT Elastic Detector solution offers:

– Scans the network & servers for a list of security threats that is updated daily.
– Auto discovery of virtual machines and servers. No complex configuration.
– Option to test clones of servers. Zero risk or testing overhead for users.
– Can even test clones of dormant servers … so they’ll switch on safely.
– ‘Set & forget’ configuration. Auto alerts to administrators when threats are found.

So, that’s the brief overview of a Elastic Detector.

Now, five reasons why a vulnerability assessment can make your penetration tests faster and more effective … and how a daily assessment protects your network assets in between pentests.


1. Reduce the threat ‘window of opportunity’ by 99%.

Hackers are, by nature, opportunistic. They will probe networks and, if they find a vulnerability, exploit it. If an initial inspection of the network does not reveal any of the well known vulnerabilities, the average hacker will move on.

Penetration tests give a powerful simulation of a hacking attempt. But as the pentest only happens every few months, that means some vulnerabilities could be in place for a long time.

A daily vulnerability assessment (Elastic Detector can be configured for more frequent assessments, if required) means that hackers have a short window of opportunity. In this example, the hacker has about 23 hours in which a) a new threat has to emerge and b) the hacker decides to target your site for that threat. Your risk is minimized.

However, if you leave threat tests for a six-monthly penetration test, that window of opportunity increases to some 4,320 hours. That’s a lot of time in which hackers can get round to visiting your site and exploit weaknesses since your last pentest. Your risk is maximized.


2. Reduce the pentest alerts by dozens of events.

In 2015 alone, Elastic Detector has added about 20 new threats to its checklist every day. In a six-month period, that adds up to about 3,600 new threats which could evolve between bi-annual pentests.

OK. Not all those threats will be relevant to your network. But even if only 20% of them are relevant to your assets … that means your pentest will have about 720 alerts to deal with. That’s a massive amount of work for the pentest to handle.

This is one of the reasons why pentests can be so demanding of system resources (and, perversely, it’s also the reason why pentests are held infrequently … which actually only serves to make the problem of disruption even worse!)

However, if you are running daily vulnerability assessments, those threats will have been discovered and dealth with before the formal penetration test. That makes the pentest faster and less disruptive. So now your users might not even notice that a major network event is underway.


3. Pre-test virtual machines which are switched off.

A penetration test might leave dormant machines behind … or occasionally switch them on and, in doing so, unlock a blizzard of security threats which quickly compromise the network. It is prudent for pentests to switch on any dormant machines … but the risks can outweight the benefits.

Also, most often modifications made between pentest aren’t taken into account. So the pentest is like a snapshot that is valid when it is done, but subsequent changes may add new vulnerabilities.

The Elastic Detector vulnerability assessment can be configured to make a clones of dormant servers … and then safely switch on the clone and test the clone for threats. To reduce risks, further clones are isolated in a sandbox and destroyed after assessment.

That means no nasty surprises when you come to the full bi-annual formal pentest.


4. Ensure business continuity between penetration tests.

If an airline said it was only going to give its aircraft a maintenance check once every six months, passengers would feel more than a little concerned! It’s the same with pentests. A bi-annual ‘major service’ for your network is a great idea, but problems can still evolve in between.

A vulnerability assessment supplements your penetration test with a ‘little & often approach’ that highlights vulnerabilities before they can be exploited.

Network security managers have the reassurance of knowing they will receive alerts 7 days a week if threats are found. But without a daily vulnerability assessment, the security team have the anxiety of wondering what dark secrets the next pentest will unlock … and if their network is already compromised.


5. Make pentests a formality, not a major event.

By identifying and solving problems ‘little and often’, your network will get a daily healthcheck and close the window of opportunity for hackers.

The end result is that your penetration tests becomes the final seal of approval for the integrity of your site, assuring the c-suite that the network assets are secure, and the subject of business continuity has been properly addresses.

Sergio Loureiro, founder and CEO of SecludIT, says: “too often, people think of penetration testing as the solution to find threats, but frequent vulnerability assessment is actually the foundational on-going process you need as part of your production quality control process. Pentesting is a forceful experiment, an attempt to breach the system to check its resistance as part of your quality assurance testing process. Vulnerability assessments and pentests are very complementary processes.”

Loureiro added: “In 2015, we’ve been adding about 20 new security threats a day to the Elastic Detector checklist. And every day we carry out more than 5,000 individual virtual machine scans tests on behalf of our customers, which enables us to see trends and even predict where the next big threats are evolving. New users of Elastic Detector are often amazed by the number of threats we discover. In fact 98% of our scans discover vulnerabilities.”

Leave a Reply