MWR’s Security Assurance practice area delivers bespoke tactical and strategic security assessment services to help clients develop deep resilience to cyber attack.
A guide to the typical options available for security assessments, looking at the pros and cons of each type
I believe it is our job in the industry not just to 'do security' for our customers but to inform, so that they can make better risk-based decisions. With that in mind I have defined four different levels of security assessment, each with their appropriate uses, that organisations can employ:
A vulnerability assessment makes use of automated tools to identify technical vulnerabilities in systems arising from how they are configured or maintained. These vulnerabilities are found by testing for known conditions, and are typically related to outdated software or default configurations that can be actively exploited.
A system-driven penetration test builds on the vulnerability assessment by performing additional manual security testing. This involves exploring any exploitable vulnerabilities further to compromise the system or information exposed, as well as identifying whether any access gained could be used as a pivot to target further systems.
A goal-driven penetration test looks not at IT systems but at attacker goals. The penetration test then seeks to achieve these goals through various means, identifying which attack paths are viable to achieve such a goal and which are not.
The scope is much broader (usually the entire organisation) and the test is supported with knowledge of the organisation, which provides a more realistic view of how an attack would be conducted.
A targeted attack simulation looks to achieve the same objectives as the goal-driven penetration test but is conducted in line with how a real cyber-attack would occur.
All stages of an attack, from target enumeration through to post-exploitation and exfiltration of data, are executed. Acting with a degree of stealth allows the organisation to determine not only whether an attack is possible, but whether its capabilities are sufficient to detect and respond to the attack within a reasonable time frame.