Think of your annual cyber security penetration test like a routine dental check-up. Your teeth get special attention before the appointment; the dentist says, ‘gold star for you’ and that’s it for another year. But is this a true reflection of how you look after your teeth?
With a pen test you prepare everyone for a set date. It is an artificial test. It doesn’t reflect real world environments at all.
In the real world, 43 new common vulnerabilities and exposures (CVEs) appear every day. That’s over 15,000 per year: a new vulnerability every 30 minutes.
No hacker tells you when and how they’ll attack, so how secure does your pen test really make your business?
Enter continuous vulnerability assessment (CVA). It checks constantly for CVEs and is more cost-effective too.
What is CVA?
CVA is a software suite deployed on your network behind your firewall. It connects to all your machines, checks what is installed on them, and sends prioritised alerts detailing actions to fix vulnerabilities.
Good platforms see everything – computers, routers, switches, IoT devices, cameras and firewalls. They scan internally for software vulnerabilities and externally for advanced threats, actively testing each vulnerability. They can also be integrated with automated patching tools to eliminate manual patching.
How you control your scans is up to you. Scanning can be managed to avoid overloading the network, with zero disruption to your teams. Typically, you’d run a light daily/weekly scan, a heavier scan monthly, then a quarterly full-on, attack-style disruptive scan, which actively tries to break things.
Our recommended platform uses an additional agent on each endpoint that reports back to the assessment engine even without scanning. It doesn’t matter whether that machine is in your office or on a plane in Hong Kong. You see updates on your software console and adjustments to your overall security status in real-time.
Doesn’t my anti-virus scan for vulnerabilities?
Anti-virus scans are not CVA, so don’t be fooled. AV tools can’t be deployed on some devices like switches and routers.
Cisco, for example, has had massive vulnerabilities at the network layer. A hacker could easily redirect traffic, listen in on everyone, or initiate a denial-of-service attack. They could literally shut the business down by hacking routers and switches. If you have hundreds of switches like some of our clients, manual checking is not feasible. Automated alerts are really essential in this scenario.
Support your IT team and drive business-wide security awareness
CVA shows you exactly what is installed on every machine, presenting business-wide security and risk ratings in simple metrics.
A typical prioritised-by-risk report shows you the top 20 tasks that will remediate the most risk, with tickets automatically distributed across patching teams.
Some larger businesses use CVA to successfully gamify updates. Multiple teams ‘play’ for the fastest patching record. It creates competitive tension and changes the dynamic regarding the importance of security across the wider organisation.
Save the penetration test for your people
Penetration testing is still 100% essential, but not for technology. Pen testing’s true value lies in assessing your people, your processes and your physical security through social engineering, ‘dumpster diving’, wireless attacks and more.
During a physical penetration test on a bank, I accessed the network by simply calling the CEO’s PA. I said, ‘I’m calling IT on behalf of Mr X. He’s struggling with his password…’ She confirmed it for me immediately.
There is no patch to prevent your workforce handing over key data or letting someone into the building to physically plant equipment. This sort of physical breach is extremely dangerous and can only be prevented by following good process.
Check for dirt on your staff too. Their vulnerabilities are potentially yours, leaving you open to insider threat. If your business is large enough to be a specific target, you need to know your people-based vulnerabilities because, guaranteed, someone is already looking. Background checking is becoming more prevalent, but more needs to be done.
How much will it cost?
An annual CVA contract usually costs less than a one-off technology-based pen test and delivers way more bang for your buck.
However, CVA is not comparable with a thorough penetration test. These can cost more but their value can’t be overstated. The good news is that if you’re running CVA, these investigative pen tests don’t need to happen every year.
CVA supports compliance
Good CVA platforms help you meet all regulatory standards, alerting you to compliance errors during every scan, such as overdue patching, which compromises Cyber Essentials or ISO.
While everyone should be achieving CIS level one benchmarks (see January’s Secure Remote Access article), poorly configured machines are sometimes just reality if they form part of your supply chain. The important thing is these can be logged as exceptions, ensuring compliance and insurance criteria are unaffected.
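To make the mechanism concrete, here is an added illustration (not code from any CVA product or from this article) of the three steps described above: matching what is installed on each machine against an advisory feed, ranking patch tasks by the total risk they remove for the prioritised report, and keeping logged exceptions out of the compliance status. The hosts, versions, advisory ids and CVSS scores are constructed placeholders, and version comparison is simplified to dotted numbers.

```python
from collections import defaultdict

# Constructed inventory (hypothetical hosts): host -> {package: installed version}
INVENTORY = {
    "hq-switch-01": {"ios-xe": "16.9.1"},
    "hq-switch-02": {"ios-xe": "16.9.1"},
    "laptop-hk-01": {"openssl": "3.0.7", "chrome": "110.0"},
    "vendor-kiosk": {"openssl": "3.0.2"},
}
# Constructed advisory feed (placeholder ids, not real CVEs): (id, package, fixed-in version, CVSS)
ADVISORIES = [
    ("CVE-XXXX-0001", "ios-xe", "16.9.4", 9.8),
    ("CVE-XXXX-0002", "openssl", "3.0.8", 7.5),
    ("CVE-XXXX-0003", "openssl", "3.0.10", 5.3),
    ("CVE-XXXX-0004", "chrome", "111.0", 8.8),
]
# Hosts logged as exceptions (e.g. supply-chain kit you cannot patch), with the reason kept for audit
EXCEPTIONS = {"vendor-kiosk": "vendor-managed device, risk accepted, ticket PLACEHOLDER"}


def version_tuple(v):
    """Dotted numeric versions only; real platforms need vendor-specific comparison rules."""
    return tuple(int(part) for part in v.split("."))


def find_findings(inventory, advisories):
    """Match installed software against the feed: one finding per (host, advisory) below fixed-in."""
    findings = []
    for host, packages in inventory.items():
        for adv_id, pkg, fixed_in, cvss in advisories:
            installed = packages.get(pkg)
            if installed and version_tuple(installed) < version_tuple(fixed_in):
                findings.append((host, pkg, adv_id, cvss))
    return findings


def prioritise_tasks(findings, top_n=20):
    """Group findings into patch tasks (one package across all hosts), ranked by total risk removed."""
    risk, hosts, advs = defaultdict(float), defaultdict(set), defaultdict(set)
    for host, pkg, adv_id, cvss in findings:
        risk[pkg] += cvss
        hosts[pkg].add(host)
        advs[pkg].add(adv_id)
    tasks = [{"task": f"upgrade {pkg}", "risk": round(risk[pkg], 1),
              "hosts": sorted(hosts[pkg]), "advisories": sorted(advs[pkg])} for pkg in risk]
    return sorted(tasks, key=lambda t: t["risk"], reverse=True)[:top_n]


def compliance_status(findings, exceptions):
    """Hosts with open findings fail; logged exceptions are reported separately, not as failures."""
    failing = sorted({h for h, *_ in findings if h not in exceptions})
    excepted = sorted({h for h, *_ in findings if h in exceptions})
    return {"compliant": not failing, "failing_hosts": failing, "excepted_hosts": excepted}
```

Running `prioritise_tasks(find_findings(INVENTORY, ADVISORIES))` ranks the OpenSSL upgrade first because it clears two advisories on two hosts, ahead of the single higher-scoring switch advisory.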
Questions for IT
• What tools do we use for vulnerability management?
• Are we carrying out continuous scans?
• Does this include machines, IoT, routers, switches, etc.?
• Where is that reported?
• Do we have SLAs?
• How do we prioritise alerts and patching?
• Do we adhere to any external policies like CIS and where is this tracked?
• How do we know if we’re non-conformant, particularly now with remote working?