Best Practices and Tools for PenTest and Vulnerability Assessment

Every business IT system that connects to the Internet needs to be made secure. To verify that secure posture, vulnerability assessments are a must.

The information age has brought with it a plethora of services and conveniences. Our forefathers would never have been able to imagine the world we live in today. We have access to so much information, and so many services are available at our fingertips. Being connected to the Internet offers innumerable benefits but brings the specter of internal and external threats.

What is Vulnerability Assessment (VA)

In the context of information systems, vulnerability assessment is the process of identifying and prioritizing risks and vulnerabilities in computer systems and networks.

It uses automated tools to scan information systems to establish whether security settings are enabled and consistently applied.

Best practices for Vulnerability Assessment

The following is a list of best practices for vulnerability assessments

1. Budget: The right tools need to be purchased, and more importantly, the results of the assessment need to be acted upon. A well-defined budget will ensure that both of these aspects are taken to their logical conclusion. Anything less will not solve the problem(s).
2. Scan everything: Scan the entire information system.
3. Prioritize: Proper prioritization means higher risk vulnerabilities are more likely to be addressed
4. Scan periodically: Scanning should be done according to a pre-defined schedule - higher frequency scanning is preferable
5. Compare to earlier assessments: Determine if the vulnerability assessment effort is bearing fruit.
6. Remediation: The highest risk vulnerabilities need to be fixed - and fast.

Best tools for Vulnerability Assessment

Different types of vulnerability scanners are available, including cloud-based, host-based, network-based, and database-based scanners. The following is a list of the best tools which are available for vulnerability assessment.

• Nessus Professional: a patented scanner that can scan vulnerabilities that permit remote hacking. It offers wide range of operating systems, applications and databases.
• Netsparker: an online web application security scanner that can scan all web applications regardless of which language they are written in and for which platform they are designed
• Wapiti: a free and open source scanner for web applications
• Acunetix: an automated web application security testing tool that checks for exploitable vulnerabilities
• SolarWinds Network Configuration Manager: it can scan for misconfigured network equipment, a feature not offered by most other scanners.
• Nikto2: an open source scanner that focuses on web application security.
• OpenVAS: a powerful scanning tool that can be used for large-scale scans. Can be used to check vulnerabilities in web applications, web servers, databased, operating systems, network and virtual machines.

Vulnerability assessment by itself is not enough. Information systems also need to go through penetration testing, which is akin to crash testing for cars.

What is Penetration Testing (PenTest)

In the context of information systems, a PenTest is an authorized cyberattack on a computer system or network. PenTests are performed by ethical hackers or ethical security testers who are experts in their field. Ethical hackers use the same tools and techniques as those who might try to gain unauthorized access to your systems. 

A PenTest helps to identify both weaknesses and strengths in a system. Rather than being just a theoretical articulation of vulnerabilities, a PenTest demonstrates actual vulnerability against real threats. Therefore the results from a PenTest can be more compelling for management.

Common forms of PenTests include

• Application penetration testing: typically applies to web applications
• Infrastructure penetration testing: applies to servers, firewalls and other equipment which make up the IT infrastructure
• Mobile application penetration testing
• Wireless penetration testing.

Best practices for PenTest

Best practices for penetration testing are:

1. Planning: Every PenTest requires money and man-hours, and a well-defined budget will ensure that the necessary resources are allocated. Planning also includes defining the test scope and the approach to be used for the test.
2. Discovery: The PenTest team collects all relevant information about the system to be tested.
3. Attack: The information gathered during the discovery phase is used to validate and exploit flaws in the system. PenTests can sometimes result in undesirable consequences such as disruption of service and data loss.
4. Reporting: Includes details about the flaws and vulnerabilities discovered, exploits validated, and detailed recommendations for remediation of the issues.

Best tools for PenTest

The following is a list of the best tools which are available for penetration testing.

1. Kali Linux: is optimized for offensive penetration testing
2. nmap: is a tried and tested tool for port scanning
3. Metasploit: an open source testing framework which automates most of the testing
4. Wireshark: a real-time network protocol analyzer which can also perform protocol decryption
5. HydraBurp Suite: uses brute force to crack online passwords

Even though VAs and PenTests are essential, rather than being taken in isolation, they should be viewed as components of your overall IT policies which are defined by your Information Governance.

What is Information Governance (IG)?

According to one definition from the Information Governance Initiative, IG is “the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”

Two of the important components of IG are Information Security and Risk Management, which deal with controlling access to confidential information and ensuring that organizational risks are minimized.

No organization can function optimally if its information assets are threatened. Therefore periodic vulnerability assessments and PenTests need to be part of your IG policies and procedures. Pronix can not only help you with VAs and PenTests, but we can also help you develop your IG framework.

Let Pronix help

Pronix offers a wide range of IT based services including digital transformation, consulting, infrastructure management, product engineering and security. Our experts have over 10 years of experience in implementing SAP and Microsoft solutions. We also offer solutions based on cloud offerings from Microsoft, Amazon, and Google.

Contact us today to start a discussion that could be the first step towards securing your information assets and giving you the peace of mind that you deserve.