{"id":36262,"date":"2020-07-15T08:17:30","date_gmt":"2020-07-15T12:17:30","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=36262"},"modified":"2020-07-15T08:17:30","modified_gmt":"2020-07-15T12:17:30","slug":"right-it-testing-solution","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/right-it-testing-solution\/36262\/","title":{"rendered":"Four types of security testing and when to use them"},"content":{"rendered":"<p>When it\u2019s time to \u2018security test\u2019 your infrastructure, what should you do? Security testing can mean all kinds of things, and it\u2019s not always obvious what\u2019s the right choice, and when. Here I\u2019ll summarize what I think are the four main types of security testing, when to use each and pitfalls to watch.<\/p>\n<h2>1.\u00a0 Vulnerability scanning<\/h2>\n<h3>What is vulnerability scanning?<\/h3>\n<p>Vulnerability scanning means running automated software that looks for common vulnerabilities in your systems, like a web server that hasn\u2019t been patched or misconfigured cloud storage, exposing customer data. Ideally, you give the software a list of targets, set it in motion and wait to get a report listing vulnerabilities and remediation advice. It\u2019s not vulnerability scanning that improves your security, but acting on the results.<\/p>\n<p>Depending on the scanning software, it may just check your software against lists of known issues, or do something more complex, like a <a href=\"https:\/\/www.kaspersky.com\/resource-center\/definitions\/brute-force-attack\" target=\"_blank\" rel=\"noopener nofollow\">brute force attack<\/a>: Guessing user credentials and passwords to see if they\u2019re secure.<\/p>\n<h3>When should you use it?<\/h3>\n<p>Use vulnerability scanning on everything you have that faces the internet (endpoints), like corporate web servers, virtual private network (VPN) endpoints and office internet connections. 
You can also run vulnerability scans sporadically or scheduled on internal network systems, or as part of your software development lifecycle.<\/p>\n<h3>When shouldn\u2019t you use it?<\/h3>\n<p>Vulnerability scanning isn\u2019t helpful when you want to know how a human attacker would see your infrastructure.<\/p>\n<h3>What are the advantages and disadvantages?<\/h3>\n<p>You can run vulnerability scanning yourself, which puts you in control. Or you can have a third party run it for you.<\/p>\n<p>While vulnerability scanning is often seen as the \u201cpoor cousin\u201d of security testing, I don\u2019t agree. It quickly highlights problems you might have missed, like a temporary internet-facing website the development team forgot to take down or the internal user account with an easy password. It helps you tidy up low-level issues at little cost.<\/p>\n<blockquote><p>Companies are most often exploited not by advanced attacks, but by the low-hanging fruit.<\/p>\n<cite><p>Chris Wallis, Founder, vulnerability-scanning company Intruder<\/p><\/cite><\/blockquote>\n<h2>2.\u00a0 Penetration testing<\/h2>\n<h3>What is penetration testing?<\/h3>\n<p>Penetration testing, or pen testing, can mean different things to different people. I define it as combining automated and manual techniques to look for weaknesses in the target\u2019s <a href=\"https:\/\/csrc.nist.gov\/Glossary\/Term\/security_posture\" target=\"_blank\" rel=\"noopener nofollow\">security posture<\/a>. A penetration testing team emulates the methods of genuine attackers. How close it is to a real attack depends on the team. 
They may use the kinds of tools attackers use, or just their techniques, like trying <a href=\"https:\/\/www.w3schools.com\/sql\/sql_injection.asp\" target=\"_blank\" rel=\"noopener nofollow\">SQL injection<\/a> on a web interface, when another method might work better.<\/p>\n<p>With help from the system administrators, developers and project team, a penetration testing team can do a more cost-effective and useful audit. They shouldn\u2019t be wasting time evading intrusion detection systems or trying not to get noticed by your <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/tag\/security-operations-center\/\" target=\"_blank\" rel=\"noopener nofollow\">Security Operations Center<\/a>. If that\u2019s the kind of security test you want, see the section below on red team exercises.<\/p>\n<h3>When should you use it?<\/h3>\n<p>A pen test should have a tight scope around a new installation, project or area of concern. It must concentrate on the most likely source of security issues for your organization.<\/p>\n<h3>When shouldn\u2019t you use it?<\/h3>\n<p>Don\u2019t use a penetration test to see how your security teams and Security Operations Center would react to a real cyberattack. A penetration test is overt: The system administrators should know it\u2019s happening. See it as an \u201caggressive technical audit\u201d rather than emulating how attackers think and work.<\/p>\n<h3>What are the advantages and disadvantages?<\/h3>\n<p>You\u2019ll get an attacker\u2019s mindset to look at your project, program or installation. It\u2019s useful to have someone on your side who sees what you\u2019ve built as a set of weaknesses and targets. And it\u2019s easy to schedule and assign budget for, compared with red team exercises.<\/p>\n<p>Results may not be consistent between one pen test and the next. This isn\u2019t necessarily a bad thing. If you repeat it or have several pen testers, you may find more issues.<\/p>\n<p>Pen testing is poorly defined. 
There will be penetration testers reading this who define the term differently to me. Do some work before you pen test to make sure there\u2019s a shared understanding.<br>\n<img decoding=\"async\" class=\"aligncenter size-full wp-image-36295\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/07\/09085302\/133_choosing_testing_solutions-inline.jpg\" alt=\"\" width=\"1024\" height=\"768\"><\/p>\n<h2>3.\u00a0 Red team testing<\/h2>\n<h3>What is red team testing?<\/h3>\n<p>Red teaming, also sometimes called <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/white-hat-ethical-hacker\/\" target=\"_blank\" rel=\"noopener\">ethical hacking<\/a>, is a simulation to test how well your people and technology would respond to an adversary\u2019s attack. It\u2019s hard to find the line between penetration testing and red teaming. I define a red team exercise as an engagement with much wider scope than a penetration test. The scope of a red team exercise could be your whole organization.<\/p>\n<p>It\u2019s up to the red team how they attack. Agree strict rules of engagement in advance. Red teamers will stay within the law, but you should also address ethics, staff relations and cultural norms before you start.<\/p>\n<h3>When should you use it?<\/h3>\n<p>Use a red team exercise when you want to see, as closely as possible, how real attackers would act against you.<\/p>\n<p>It\u2019s more of an adversarial simulation than pen testing. A penetration tester finds as many weaknesses as possible in the time available to help defenders see issues. A red teamer will only find and exploit any vulnerability they need to, to achieve a goal. If they can get into your internal network through a poorly configured VPN but could\u2019ve achieved the same through poor wireless security at your remote offices, you may not discover both issues.<\/p>\n<p>\u201cPurple teaming\u201d can make a red team exercise more useful. 
It\u2019s when you have an attacking red team and a defending \u201cblue\u201d team.<\/p>\n<blockquote><p>As a security tester, you\u2019re a sparring partner: You\u2019re not there to win, but to make your opponent better.<\/p>\n<\/blockquote>\n<h3>When shouldn\u2019t you use it?<\/h3>\n<p>Only hold a red team exercise when you\u2019ve done vulnerability scans and penetration tests, and fixed problems found. Otherwise, the attackers\u2019 level of expertise will probably overwhelm the organization\u2019s defenses, giving no useful insight.<\/p>\n<h3>What are the advantages and disadvantages?<\/h3>\n<p>A significant part of a red team exercise is testing defenders\u2019 detection abilities. Attackers must be covert, careful and evasive, like a genuine attacker. There must also be clear paths for contact and escalation. You don\u2019t want the Security Operations Center concentrating on the red teamers, but missing a genuine compromise.<\/p>\n<p>If you need to show stakeholders the breadth of issues to get resources to fix them, a red team exercise tells a compelling story. It will build a picture of how real attackers could work their way through your infrastructure.<\/p>\n<p>A red team exercise is not the same as adversarial analysis: Examining a company\u2019s way of working or project plan for issues without attack. For a deeper look at adversarial analysis, see the work of <a href=\"https:\/\/redteamjournal.com\/about\" target=\"_blank\" rel=\"noopener nofollow\">Mark Mateski of Red team journal<\/a> or <a href=\"https:\/\/redteamthinking.com\/about-us\/\" target=\"_blank\" rel=\"noopener nofollow\">Bryce Hoffman of Red team thinking<\/a>.<\/p>\n<p>A downside of a red team exercise is cost. The people involved are specialists with skills and tools that need constant maintenance. They use methodology that encourages slow, careful work. 
All this affects the day rate.<\/p>\n<h2>4.\u00a0 Bug bounty programs<\/h2>\n<h3>What are bug bounty programs?<\/h3>\n<p>Bug bounty programs see companies offering a reward to those who report specific vulnerabilities in parts of their infrastructure within a given scope. The programs may be by invitation only or open to anyone.<\/p>\n<h3>When should you use it?<\/h3>\n<p>I would only run a bug bounty program after running, and responding to the results of, at least two of the types of tests already mentioned. Get an expert to determine the scope and rewards, and how to run it.<\/p>\n<h3>When shouldn\u2019t you use it?<\/h3>\n<p>A bug bounty program might distract staff and give you more reports than you can use if your organization is still working out how to deal with penetration tests and red team exercises.<\/p>\n<h3>What are the advantages and disadvantages?<\/h3>\n<p>Unlike all other testing methods, which are paid on effort rather than results, a bug bounty pays only for results.<\/p>\n<p>Your organization may be mature enough that other options aren\u2019t what you need. Bug hunters follow some of the same steps as an attacker, so their judgment on what\u2019s worth attacking and how may be close to a real attack.<\/p>\n<p>Running a bug bounty program makes it clear to anyone who discovers a security issue in your organization that you\u2019re approachable about it.<\/p>\n<p>As bug bounty hunters rarely share details of successful attacks until they\u2019ve got their bounty, your company must do the work of filtering out duplicate or irrelevant reports.<\/p>\n<p>Now when you\u2019re asked about security testing and what your organization should be doing, you can start the conversation informed. Stay aware of the flexible and overlapping definitions out there \u2013 always ask what someone means by a term they\u2019re using before you devote budget or schedule testing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You know you need to security test your infrastructure, but how will you do it? 
Here&#8217;s how to know what kind of testing your organization needs.<\/p>\n","protected":false},"author":2542,"featured_media":36294,"template":"","coauthors":[3588],"class_list":{"0":"post-36262","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-cybersecurity","7":"emagazine-category-enterprise-cybersecurity","8":"emagazine-tag-data-security","9":"emagazine-tag-testing"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/right-it-testing-solution\/36262\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/36262","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2542"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/36294"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=36262"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=36262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}