VULNERABILITY ASSESSMENT VS PENETRATION TESTING (ETHICAL HACKING)

Technologies such as web and mobile applications, the Internet, computers and other information systems have become essential to the day-to-day activities of people and companies. However, many do not know what cybersecurity (information security) is: basically, the policies, technologies and methodologies used to protect your technology assets.

At Stolkin International, we provide services to protect your information systems from the risks and threats of today and the future. Among these services are the Vulnerability Assessment and the Penetration Test, commonly known as Ethical Hacking (to learn what a hacker is, go to this post). Even though both are similar assessments that measure the level of security of your information systems, there are important differences between them, and specific situations in which each one applies.

Vulnerability Assessment

A vulnerability assessment is a process designed to discover vulnerabilities (weaknesses) in a system using automated tools, with an expert evaluating the results to filter out the false positives that the tools might report. At the end of the assessment, a report is delivered listing the vulnerabilities found, each with its CVSS (Common Vulnerability Scoring System) score, which defines the severity of that vulnerability. We also deliver recommendations to reduce or remove the threats and risks that these vulnerabilities create.

Depending on the information system being evaluated, the technologies and methodologies change slightly, but in general we follow these steps:

  1. Reconnaissance
  2. Automated Testing
  3. Exploration and Verification
  4. Report

This assessment is recommended for companies and organizations that have a LOW to MEDIUM level of maturity in their information security programs. It is a good starting point for increasing the security of your organization because it is quick to perform, relatively cheap, and could find high-risk vulnerabilities.

Penetration Testing (Ethical Hacking)

A penetration test is similar to a vulnerability assessment, with the main difference being that it is an exercise with very specific objectives. It is less about finding vulnerabilities and more about simulating a real-world attack against the information system. It evaluates the defenses and traces the paths that a real attacker might take to achieve their objective.

The methodology for a penetration test is more elaborate and requires at least the following steps:

  1. Planning
  2. Reconnaissance
  3. Vulnerability Analysis
  4. Exploitation
    • Internal Attacks
    • External Attacks
  5. Post-Exploitation
  6. Report

There are 3 types of penetration tests:

  • White Box: The tester has complete access to and full knowledge of the information system being tested.
  • Gray Box: The tester has limited access to and knowledge of the information system being tested.
  • Black Box: The tester does not have any access and has only superficial knowledge of the information system being tested.

This testing is recommended for companies and organizations that already have a HIGH level of maturity in their information security program. This means that the company runs regular vulnerability scans and is looking for a more manual test to find hidden vulnerabilities in its systems.