Offensive cyber security (penetration testing) has increasingly become a component of both cybersecurity compliance frameworks and eligibility for cyber liability coverage with insurance carriers. There are three types of cybersecurity evaluations which are commonly used:

Network and security assessments - (such as Rapidfire Tools) Dolce Vita uses these as a general evaluation which scan thenetwork environment and provide essential guidance on problems discovered. These issues include high-level deficienciessuch as unused Active Directory accounts, possibly overprovisioned user accounts (i.e. user accounts with domain admin orroot access, etc.), unused security groups, users with significant logon failure history (possibly be targeted by and attacker), etc.

Vulnerability scanning (such as VulScan, NIST’s SCAP project, etc.) - these tools are typically run on individual target devices such as specific servers or high-risk workstations. The scans typically operate with a configuration file or settings customized to the environment and evaluate discovered operating system policy settings and compare these with NIST or other required standards. These scans typically provide a numeric percentage score based upon the comparison with the NIST “ideal”, and make it far easier to discern both risk and progress with remediation.

Penetration Testing - Dolce Vita universally scopes out penetration testing to perform internal (LAN) and external (WAN or Internet) scans. The internal scans place a secure virtual or physical Linux appliance on the network to simulate an attacker having gained a foothold inside the business network. This allows the penetration tester to safely act within an executed non-disclosure agreement and specific scope of work to safely probe and discover vulnerabilities inside the network, and carefully use specific tools to exploit these weaknesses. The pen tester documents their work and makes recommendations on best practices to remediate the problems discovered.

A key aspect of these tools is that they have to match the client requirements…a penetration test cannot be used when a pen test is the requirement and vice versa. A second critical aspect of these evaluations is that they should be planned correctly ahead of time in such a way that when it comes time to re-evaluate the tool should use the same settings such that the pre- and post-remediation evaluations are comparing “apples-to-apples”.

If this is done correctly, then tracking the various scores for each tool type should be able to demonstrate progress with hardening the environment.

Ask dvits a Question

Let’s get started!
Your first consultation is free.

Aug 8 Business Execs - do you know the difference between a network assessment, vulnerability scan, and a pen test?

Apr 3 Penetration testing (pentesting) acts to harden cybersecurity for Oklahoma HR benefits company

Aug 1 Google ads appear to push fake Google Authenticator site resulting in malware

Related Posts