In a world where cybersecurity threats are constantly evolving and increasing in complexity, it is more important than ever for organizations to have a strong security strategy in place. However, simply having a plan is not enough. It requires continuous assessments and testing to ensure that the security program remains effective and capable of mitigating risks.

Today, we will take a deep dive into the world of cybersecurity assessments and testing, exploring various approaches and their benefits. Whether you’re a seasoned cybersecurity professional or just starting out, this post will provide valuable insights on how to keep your systems secure.

Let’s jump right in and discover the keys to building a robust cybersecurity program.

Warning:

  • InfoSec community members tend to be passionate and opinionated about these topics. Certain things might have been missed, misclassified, or misspoken that would offend some in the industry and solicit strong reactions.
  • This is not a Ph.D. dissertation; it is a blog post. We hope you find it useful, and that there is a small piece of information that helps you improve your security program.
  • These terms and concepts were driven by numerous articles and whitepapers, presentations (lately more online than in person), and the community over 20+ years.

With the niceties out of the way, let’s jump right into it.

Performing regular assessments and testing of your security and risk posture is a common practice in our industry. It helps us understand our current posture, identify risks, prioritize projects, and demonstrate compliance with regulations and standards. It is also a great way to measure the effectiveness of our efforts.

Otherwise, how would we know, at the end of a year without a breach or incident, whether we got lucky or whether our program was actually effective at stopping attacks?

Security Assessment Types

In summary, it is a good idea to have periodic assessments and testing. The reasons and benefits include:

  • It is a good tool to measure the effectiveness of your security program
  • It is a good way to find holes before they are exploited by an attacker
  • It is a requirement of security compliance (e.g. PCI-DSS Requirement 11 – Regularly test security systems and processes)
  • It is a good way to identify and fix issues before auditors or regulators come onsite

Assessments and Testing Types

At a high level, assessment and testing types can be grouped into three categories:

Assessment (yellow post-it)

Security and risk assessments are performed typically following a standard (like ISO27000, NIST CSF, PCI, etc.) and primarily focus on a review of the organization, policies, procedures, and practices. There is more focus on having documented practices and evidence to demonstrate your controls are in place for a period of time. Primary assessment tools are interviews with management, review of documentation, and inspection of systems and evidence.

Depending on the assessors, some may also include technical testing of controls.

  • Enterprise Risk Assessment
  • Cyber Risk Assessment
  • Compliance Assessment
  • IT General Controls Assessment
  • Application Threat Modeling

Testing (red post-it)

Security testing approaches such as Penetration Testing (PenTest) and Red Teaming use a combination of scanning and automated tools with manual attack and exploitation techniques to emulate real-world risks and attack scenarios, testing the security defenses of a system or organization. These exercises require a team with in-depth expertise across a wide range of technologies and security testing tools and methodologies.

Although there are well-established standards to perform these projects (like OWASP WTG for Application PenTesting), these teams augment these standards with ongoing research on real-world tools, tactics, and procedures.

  • Enterprise PenTesting
  • Infrastructure PenTesting
  • Application PenTesting
  • Red Teaming / Threat Hunting

Scanning (blue post-it)

Security and vulnerability scanning is an effective way to identify vulnerabilities and security weaknesses on an ongoing and frequent basis. Over time the scanning tools are becoming more sophisticated, with improved accuracy, fewer false positives, and enterprise capabilities (like automation, integration, reporting, etc.). Although they are not a substitute for manual testing, you can use scanning tools as part of your change management and DevOps processes to identify and fix security issues early in the process.

We also see the application of modern technologies (like ML/AI, Data Analytics) that improve these tools and enable real-time monitoring and response capabilities.

  • OSINT and Threat Monitoring
  • Network Vulnerability Scanning
  • Application Vulnerability Scanning (DAST)
  • Application Source Code Scanning (SAST)

In analyzing a space like this, we thought using a map would be a good way to demonstrate the differences, use cases, benefits, etc. of these approaches. After some research and brainstorming, we came up with six different dimensions. Although a six-dimensional graph initially sounded interesting, we decided to keep it simple and grouped some of these dimensions based on how correlated they are.

This is what we ended up with in our first version of this map. In future blog posts, we will refine and correct it as we dive deeper into the specific approaches.

Conclusion

Cybersecurity assessments and testing are crucial components of any effective security strategy. By regularly evaluating and testing our security and risk posture, we can identify weaknesses and prioritize projects to improve our defenses. From assessments to testing and scanning, there is a wide range of approaches available to organizations looking to improve their security program.

While each approach has its strengths and weaknesses, they are all important pieces of the puzzle when it comes to building a robust cybersecurity program. At the end of the day, it is up to us to remain vigilant and proactive in our efforts to protect our systems and data from the ever-evolving threat landscape.

We hope you enjoyed our post on assessment and testing approaches for cybersecurity. Check out our Vulnerability Management and Penetration Testing services to stay secure!