Information security testing is a growing trend among small and medium-sized businesses (SMBs). IT consultants are increasingly offering security services and expertise, giving users more options to choose from and more interpretations of what security testing actually is. This makes decision making more difficult than necessary.
But there are a few general options for security testing:
- Penetration testing
- Vulnerability assessments
- Information risk assessments
- Security audits
These methods are sometimes referred to as ethical hacking. That's because some of the tools and techniques that the IT professionals use are the same as what the bad guys use -- the motivations are just different. Although the end goal of each is to improve information security within an organization, the differences between these methodologies are like night and day.
Some consultants will offer security audits when they're actually just performing penetration testing. Others will say they're going to perform an information risk assessment when they're doing little more than running automated vulnerability assessment tools. Given all the options, how are you supposed to wade through the hype to figure out which service you need?
It's not just semantics
It seems like practically everyone defines these security testing options differently. Here are some general definitions, based on company Web sites and conversations with IT consultants:
Penetration test -- A penetration test (also called a pen test) is an attempt to break into a computer, a Web application, or even an entire network -- from across the Internet or a dial-up modem. With this test, you will be able to prove whether someone can access critical systems or confidential information from the outside.
Vulnerability assessment -- A vulnerability assessment is a test or series of tests that look at various vulnerabilities (usually technical as opposed to business processes) within your internal or external computers, network and perhaps even Web applications. This assessment will enable you to find out what vulnerabilities exist in the various systems so they can be patched or reconfigured to keep hackers or malware from exploiting them for malicious purposes.
Information risk assessment -- An information risk assessment is a very comprehensive look at both technical and procedural issues related to how information is handled, processed and stored within an organization. This can include penetration testing and vulnerability assessments, but it also includes less technical business-related issues such as user awareness training, security policy enforcement, vendor and remote access management, patch management and adding/removing users. You will be able to determine overall threats and vulnerabilities within your information systems to calculate risk and assess which systems and business processes need to be fixed to improve information security within the organization. A side benefit of this test will be insight into what security policies and procedures need to be put in place.
Security audit -- A security audit is a comprehensive look at information systems and business processes (similar to an information risk assessment) to see if security policies are being adhered to -- typically performed on an annual basis. Much like a financial audit, it provides insight into whether or not you're doing what you say you're doing. You will be able to find policies that are not being complied with and provide insight into how technical systems, security policies and IT procedures can be fixed to improve information security within the organization.
Making the Right Selection
Once you know the primary differences among all the security options, it's just a matter of figuring out what you need and when. A midsize company will likely want to start with a pen test or a combination of a pen test and a vulnerability assessment. If you must adhere to one or more of the emerging regulations such as GLBA (financial industry) or the Health Insurance Portability and Accountability Act (health care industry) -- either as a covered entity or as a business partner of an organization that's required to comply -- you'll likely need all of the above.
If your organization is covered by one of these regulations, or if you simply want the best protection for your electronic information, you could have a third party perform an information risk assessment. This third party would perform ongoing pen tests and vulnerability assessments every quarter or biannually, depending on how critical the information is that you need protected. You could then end every calendar or fiscal year with a security audit to keep things in check.
Regardless of what outside experts tell you, make sure you understand what you need before getting started with any security testing. Find out what the specific deliverables will be and ask for samples of previous work. Otherwise, your precious IT dollars might be spent with no return -- a risk no SMB can afford to take.
Kevin Beaver is the founder and principal consultant of the information security services firm Principle Logic LLC, in Atlanta, where he specializes in information security assessments and incident response. He has more than 16 years of IT experience and is the author of several books on information security, including the new title Hacking For Dummies by Wiley Publishing. Kevin can be reached at firstname.lastname@example.org.