TRENDING
Alexander Zaytsev , Head , Security
Assessment , Kaspersky
Almost any security service provider on the market is ready to offer some form of “ red team ” service , because more and more regulations demand it , resulting in more and more requests for proposals ( RFPs ), which push requests for “ new services ”.
Closer communication with customers reveals that in around 80 % of all the requests we receive for red teaming , the company is actually looking for good , old fashioned penetration testing .
This discrepancy is perfectly understandable , because the “ penetration testing ” term is currently just as muddied by marketing as “ red teaming ”. The only difference being that you could easily end up getting a vulnerability scan labelled “ penetration testing ” and companies will often overlook this option in favour of an “ upper tier ” service .
service of the three , is an automated or semiautomated approach to the identification of security issues . Its goal is to discover as many publicly-known vulnerabilities as possible among a strictly defined set of systems , ideally minimising false positive results . The methodology is quite simple , and boils down to pattern matching data received from a network service against a database of known security issues . Such a straight-forward approach allows for a great level of automation , thus gaining the advantage of speed and repeatability . Disadvantages on the other hand are quite obvious too : in the end , all you get from a VA is a list of existing well-known vulnerabilities .
We ’ re not stating that VA is not the right service for you ; it is a crucial part of the vulnerability management program in any security-mature organisation , alongside asset inventory and change management processes .
That being said , we consider that the key steps to fulfilling your own expectations from any kind of security assessment service are : taking the time to formulate your needs and ensuring that the vendor understands how to satisfy them with their offering .
To once again demonstrate how vulnerability assessment , penetration testing and red teaming differ , we ’ ll consider three basic criteria – the goal of the service , its scope and methodology .
Keep in mind that VA has nothing to do with any kind of simulation of adversarial behaviour . So , if a service provider you ’ ve enlisted for penetration testing or red teaming engagement mostly relies on an automated vulnerability scanning solution in the course of their work – they are not doing it right .
Now with vulnerability assessment addressed , let ’ s take a closer look at penetration testing before digging into red teaming .
What ’ s out there ?
Vulnerability assessment ( VA ): The most common
As the name implies , penetration testing ( pentest ) aims to demonstrate how a security boundary could be breached , allowing a threat actor to get from point A to point B inside an organisation ’ s network . Unlike a
26 INTELLIGENTCIO MIDDLE EAST www . intelligentcio . com