Integrity Blog

If your organization uses the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, you are probably already aware that efforts are underway to develop Revision 5. NIST, as always, has solicited and received a substantial number of comments regarding the current document, as well as recommendations for adjusting the document to better suit non-federal entities, including businesses, academia, and state, local and tribal governments. As more and more non-federal entities adopt and use NIST standards, NIST is taking steps to make the controls catalogue more adaptable and usable for a broad array of organizations.

The following information summarizes the expected changes:

  • To be more inclusive, the term “federal” will be removed to the extent possible.
  • The term “information system” will be replaced with just “system” to be more inclusive of various types of systems, such as industrial control systems and Internet of Things.
  • To improve the document's structure, and to make it easier to find and compare controls, both the program management and privacy controls sections will be integrated into the main controls section. This change strengthens the relationship between privacy and security controls and reinforces the importance of overall program management of information security activities within organizations.
  • Priority sequencing codes (i.e., P0, P1, P2, P3) will be removed. Feedback indicated that the intent of these codes was being misinterpreted, and removing them gives organizations more flexibility in sequencing the implementation of controls.
  • Keywords and hyperlinks will be integrated to assist users in navigating the document and finding information.
  • Introductory terms within the controls (i.e., “The organization…” and “The information system…”) will be removed to make the controls “outcome-based,” to better align the controls with other NIST guidance, and to remove ambiguity regarding who is responsible for implementing the controls.

NIST plans to release the first draft of Revision 5 for public comment at the end of March 2017. If you are interested in additional information from NIST about the expected changes, please visit: http://csrc.nist.gov/publications/drafts/800-53r5/draft_sp800-53-rev5_update-message.pdf

For a copy of the current SP 800-53 Revision 4, as well as other NIST SP 800 series documents, please visit: http://csrc.nist.gov/publications/PubsSPs.html

Penetration testing is complemented by vulnerability scanning.

Penetration testing and vulnerability scanning are different services. However, they also have some similarities, which leads to confusion. In this article, we will compare and contrast these services.

Vulnerability scanning is an automated process that uses tools to look for known security vulnerabilities in your systems. The scan delivers a lengthy report of potential exposures that may threaten your systems; these findings are unverified until someone confirms them. Penetration testing is a manual process that leverages information found in a scan, or divulged in a social engineering attack, to exploit those vulnerabilities and gain access to sensitive data. A well-prepared pen testing report will be concise and contain only pertinent, confirmed information.

These services are both very important, but they are not the same and should be priced accordingly.

Vulnerability Scanning

Regularly scheduled vulnerability scans establish a baseline of your environment's exposure, so that new or regressed weaknesses stand out from one scan to the next. Scans are used to assess your company’s network security health and provide insight into risks that may directly impact your organization. Vulnerability scans are particularly useful for checking the configuration of newly added or recently updated systems.

As an automated service, vulnerability scanning relies more on the technology used than on the individual running the scan. However, the scoping phase of the vulnerability scanning process is very important. You will want to work with a knowledgeable consultant to define the devices that will be targeted and scanned. You will also need to choose between authenticated scans (the scanner logs in to each target with credentials and inspects installed software and configuration from the inside) and unauthenticated scans (the scanner probes from the network as an outsider would, with no account on the target). Each has its advantages: an unauthenticated scan shows what an external attacker can see, while an authenticated scan finds weaknesses that never appear in a network banner and produces fewer false positives. The approach that best fits your organization will be defined in this phase.
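The difference between the two scan modes, and the reason scan output is a list of *potential* exposures rather than confirmed ones, is easier to see in code. The toy scanner below is an added example written for this article, not a tool from the blog or any vendor; it also illustrates the "Network Security Health" description of scanning later on this page. Every host, banner, package list and advisory in it is constructed for illustration, and the advisory labels (ADV-A through ADV-D) are placeholders, not real advisory identifiers. The unauthenticated mode matches only what an outsider can read from service banners; the authenticated mode reads installed package versions on the host, so it also catches local-only software such as sudo.

```python
"""Toy version-matching vulnerability scanner.

Added example, not the blog's own tool. Hosts, banners, package lists
and the advisory table are all constructed; labels are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed advisory table: product -> list of (fixed_in, label).
# A version strictly below fixed_in is reported as potentially affected.
ADVISORIES = {
    "OpenSSH": [((7, 4), "ADV-A (constructed): OpenSSH before 7.4")],
    "Apache":  [((2, 4, 25), "ADV-B (constructed): Apache httpd before 2.4.25")],
    "vsftpd":  [((3, 0, 0), "ADV-C (constructed): vsftpd before 3.0.0")],
    # Local-only software: never visible in a network banner.
    "sudo":    [((1, 8, 20), "ADV-D (constructed): sudo before 1.8.20")],
}

# Banner regexes for the few services this toy understands.
BANNER_PATTERNS = [
    (re.compile(r"OpenSSH_(\d[\w.]*)"), "OpenSSH"),
    (re.compile(r"Apache/(\d[\w.]*)"), "Apache"),
    (re.compile(r"vsFTPd (\d[\w.]*)", re.IGNORECASE), "vsftpd"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    label: str
    evidence: str  # "banner" (unauthenticated) or "package" (authenticated)


def parse_version(text):
    """'7.2p2' -> (7, 2); '2.4.18' -> (2, 4, 18).
    Stops at the first dotted component that does not start with a digit,
    so vendor suffixes like 'p2' or '-ubuntu1' do not break comparison."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_banner(banner):
    """Return (product, raw_version_string) for a recognised banner, else None."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def matching_advisories(product, version_tuple):
    return [label for fixed_in, label in ADVISORIES.get(product, [])
            if version_tuple < fixed_in]


def scan_host(host, info, authenticated):
    """Unauthenticated: only what an outsider sees (service banners).
    Authenticated: installed package versions read on the host itself."""
    findings = []
    if authenticated:
        for product, ver in info["packages"].items():
            for label in matching_advisories(product, parse_version(ver)):
                findings.append(Finding(host, product, ver, label, "package"))
    else:
        for _port, banner in info["banners"].items():
            parsed = parse_banner(banner)
            if parsed is None:
                continue  # unrecognised service; a real scanner would fingerprint further
            product, ver = parsed
            for label in matching_advisories(product, parse_version(ver)):
                findings.append(Finding(host, product, ver, label, "banner"))
    return findings


def scan_all(hosts, authenticated=False):
    findings = []
    for host, info in hosts.items():
        findings.extend(scan_host(host, info, authenticated))
    return findings


# Constructed inventory: what the network shows, and what is installed.
HOSTS = {
    "10.0.0.5": {
        "banners": {22: "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
                    80: "Server: Apache/2.4.18 (Ubuntu)"},
        "packages": {"OpenSSH": "7.2p2", "Apache": "2.4.18", "sudo": "1.8.16"},
    },
    "10.0.0.6": {
        "banners": {21: "220 (vsFTPd 3.0.3)", 22: "SSH-2.0-OpenSSH_7.6p1"},
        "packages": {"vsftpd": "3.0.3", "OpenSSH": "7.6p1", "sudo": "1.8.21"},
    },
}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- {'authenticated' if mode else 'unauthenticated'} scan ---")
        for f in scan_all(HOSTS, authenticated=mode):
            print(f"{f.host:10} {f.product:8} {f.version:8} {f.label} [{f.evidence}]")
```

Run as a script, the unauthenticated pass reports two banner-based findings on 10.0.0.5 and the authenticated pass reports three, the extra one being sudo, which no banner ever exposes. Both lists are still "potential": a banner such as OpenSSH_7.2p2 on a distribution that backports security fixes may not be exploitable at all, which is exactly the confirmation work the pen tester does by hand.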

Penetration Testing

Penetration testing is much more of an art form than vulnerability scanning. Though pen tests include scans of the targeted systems, ethical hackers take it much further by performing manual testing that provides actionable intelligence about exploitable security risks. Penetration testing tools can be helpful, but the value rests in the mind of the tester, who uses knowledge of the targeted systems and technical skill to find ways to exploit discovered vulnerabilities. As in any field, the quality of an ethical hacker can range from one end of the spectrum to the other. Fortunately, there are a couple of simple ways to find the right tester for your organization.

Objective Testing

Independence is key. You should work with a company or individual that is not negatively impacted by the results of the test, which rules out, for example, the team that built or operates the systems under test. Ensuring that your pen tester is objective is one of the baseline criteria for selecting an ethical hacker.

Pen Testing Certifications

You want a capable tester, right? An easy way to gain immediate insight into an ethical hacker’s capabilities is to review their certifications. We have reviewed a number of certifications and find these to be among the best: Certified Ethical Hacker (C|EH), Offensive Security Certified Professional (OSCP), GIAC Penetration Tester (GPEN), and GIAC Web Application Penetration Tester (GWAPT). You are encouraged to perform your own research, but this is a good start.

Report Examples

It all boils down to the report. In the end, you need useful information that can help you improve your security posture. A solid report will state what data was compromised, how it was reached, and what to fix first. This information will enable your organization to fix issues before a criminal has a chance to exploit your vulnerabilities. Ask the penetration testing organization to provide you with a sample report, so you can rate the quality.

Together but Different

Vulnerability scanning and penetration testing are not one and the same, but they do complement each other very well. We encourage every organization to perform periodic vulnerability scanning and at least one penetration test per year. Together, these two services provide valuable security insight and help to strengthen your security program.

If you are considering hiring a vendor or consultant to perform security testing, drill them on the difference between vulnerability scanning and penetration testing. You might be surprised to find they don't have a clear understanding of the difference, which would be a good reason to move on to the next vendor. Also, don't be surprised when you find vastly different pricing for "testing" services. Not that the most expensive is necessarily better, but pricing may be an indication of quality. Either way, you now have the knowledge to negotiate!

Penetration Testing Services

A thorough penetration testing campaign involves social engineering, vulnerability scanning, and the manual hacking of computer systems, networks, and web applications. Follow this infographic to learn more about the various elements of a complete penetration test.

Social Engineering - The hacking of humans

Phishing

Phishing is the process of crafting emails that appear to be from a trusted source and typically invite the recipient to either supply confidential information or click on a malicious link or attachment.

Pretexting

Pretexting is the use of an invented scenario, most often delivered over the telephone, to obtain information or to convince the target to perform an action that benefits the attacker without realising it. This is one of the most commonly used forms of social engineering.

Dumpster Diving

If not properly discarded, sensitive information may be discovered by hackers in waste receptacles and dumpsters.

  • Printed emails, expense reports, credit card receipts, travel information, etc.
  • Network or application diagrams, device inventory with IP addressing, etc.
  • Contact lists, notebooks, binders, or other work papers containing sensitive information

Facility Access

Hackers may rely on a physical approach to complement their technical attacks.

  • Tailgating (piggybacking): following a group of employees or maintenance workers through a controlled door without presenting credentials
  • Identifying insecure areas: hackers search for loading docks, maintenance entrances, designated smoking areas, or other locations that may not be well secured.

Vulnerability Scanning - Discovery of weaknesses

Network Security Health

Vulnerability scanning is an automated process that uses tools to look for known security vulnerabilities in your systems. Scans are used to assess your company’s network security health and provide insight into risks that may directly impact your organization.

Penetration Testing - Manual exploitation

Proactive Security

Penetration testing is a proactive approach to discovering exploitable vulnerabilities in computer systems, networks, and web applications. Manual penetration testing goes beyond automated scanning and into complex security exploitation. Gaining a thorough understanding of vulnerabilities and risks enables the remediation of issues before an attacker is able to interrupt business operations.

Web Application Penetration Testing

Web applications often process and/or store sensitive information, including credit card data, personally identifiable information (PII), and proprietary data. Applications are an integral business function for many organizations, but with that functionality comes risk. Penetration testing provides visibility into the risks associated with application vulnerabilities.

Network and Infrastructure Penetration Testing

Infrastructure penetration testing identifies security weaknesses in the systems on your network, as well as in the network itself. Testers search for flaws such as out-of-date software, missing patches, improper security configurations, weak cryptographic protocols or cipher suites, command injection, etc. Infrastructure penetration tests often include the testing of firewalls, switches, virtual and physical servers, and workstations.

Wireless Penetration Testing

Wireless capabilities can give attackers a way into an organization’s secured environment that bypasses its physical access controls, because radio signals do not stop at the building's walls. Wireless pen testing provides a map of the access points in the wireless landscape. After gaining access to the wireless network, penetration testers attempt to exploit weaknesses in the network to reach privileged areas and demonstrate the potential impact of a wireless network breach.

Reports - Executive and technical

Penetration testers perform assessments, interpret the results, and provide reports for the tested organization.

Reports should function as a guide, providing valuable information that prompts action.
