- InfoSec community members tend to be passionate and opinionated about these topics. Certain things might have been missed, misclassified, or misspoken that would offend some in the industry and solicit strong reactions.
- This is not a Ph.D. dissertation paper; it is a blog post. We hope you find it useful, and there is a small piece of information that helps you improve your security program.
- These terms and concepts were driven from numerous articles and whitepapers, presentations (lately more online than in person), and the community over 20+ years.
With the niceties out of the way, lets jump right into it. Performing regular assessments and testing of your security and risk posture is a common practice in our industry. It helps us understand our current posture, identify risks, prioritize projects, and demonstrate compliance with regulations and standards. It is also a great way to measure effectiveness of our efforts. Otherwise, how would we know at the end of the year without a breach or incident; if we got lucky or our program was working effectively at stopping attacks?
In summary, it is a good idea to have periodic assessments and testing. The reasons and benefits include:
- It is a good tool to measure the effectiveness of your security program
- It is a good way to find holes before it is exploited by an attacker
- It is a requirement of security compliance (i.e. PCI-DSS Requirement 11 – Regularly test security systems and processes)
At a high level, assessment and testing types can be grouped into three:
Assessment (yellow post-it) – Security and risk assessments are performed typically following a standard (like ISO27000, NIST CSF, PCI, etc.) and primarily focus on a review of the organization, policies, procedures, and practices. There is more focus on having documented practices and evidence to demonstrate your controls are in place for a period of time. Primary assessment tools are interviews with management, review of documentation, inspection of systems and evidence. Depending on the assessors, some may also include technical testing of controls.
- Enterprise Risk Assessment
- Cyber Risk Assessment
- Compliance Assessment
- IT General Controls Assessment
- Application Threat Modeling
Security testing approaches; such as Penetration Testing (PenTest) and Red Teaming; use a combination of testing with scanning and automated tools and manual attack and exploitation techniques to emulate real world risks and attach scenarios to test the security defenses of a system or organization. These exercises require a team with in-depth expertise across a wide range of technologies and security testing tools and methodologies. Although there are well established standards to perform these projects (like OWASP WTG for Application PenTesting), these teams augment these standards with ongoing research on real-world tools, tactics and procedures.
- Enterprise PenTesting
- Infrastructure PenTesting
- Application PenTesting
- Red Teaming / Threat Hunting
Security and vulnerability scanning is an effective way to identify vulnerabilities and security weaknesses on an ongoing and frequent basis. Over time the scanning tools are becoming more sophisticated with improved accuracy, low false-positives, and enterprise capabilities (like automation, integration, reporting, etc.). Although they are not a substitute for manual testing, you can use scanning tools as part of your change management and DevOps processes, to identify and fix security issues early in the process. We also see the application of modern technologies (like ML/AI, Data Analytics) that improve these tools and enable real-time monitoring and response capabilities.
- OSINT and Threat Monitoring
- Network Vulnerability Scanning
- Application Vulnerability Scanning (DAST)
- Application Source Code Scanning (SAST)
In analyzing a space like this, we thought using a map would be a good way to demonstrate the differences, use cases, benefits, etc. of these approaches. After some research and brainstorming, we came up with six different dimensions. Although initially a 6-dimenional graph sounded interesting, we decided on keeping it simple and grouped some of these dimensions based on how correlated they are.
This is what we ended up with in our first version of this map. In future blog posts, we will refine and correct this as we also do a more deep-dive to the specific approaches.