Vulnerability Assessment and Penetration Testing (VAPT) helps organisations identify weaknesses in their cyber defences, specifically identifying all vulnerabilities that exist and evaluating the extent to which a vulnerability can be exploited. We have previously provided an in-depth explanation on VAPT here. Once you decide that your organisation must undertake a VAPT exercise, the next obvious step is identifying a suitable VAPT provider as most enterprises will not be able to perform VAPT with in-house resources. This blog will examine the factors you must consider when shortlisting and choosing a VAPT provider for your business.
Factors to Consider when Choosing a VAPT Provider
When choosing a VAPT provider, the organisation must first define why the VAPT exercise is necessary. This usually revolves around one of the following:
- Compliance
- Past or Anticipated Threats
Compliance
Compliance may be external or internal.
External compliance may require compliance with regulations or contractual obligations.
Regulations, such as the Abu Dhabi – Healthcare Information and Cyber Security Standard (ADHICS) or the Securities and Exchange Board of India’s cybersecurity framework for mutual funds, may mandate VAPT to protect customers or maintain national security. The organisation may also choose to comply with ISO standards to improve customer confidence, become eligible to bid for contracts, and build its brand.
The organisation may have signed a contract, as a supplier, that requires VAPT to be conducted periodically to strengthen the customer’s digital supply chain or to help the customer meet its own compliance obligations.
Internal compliance requires ascertaining if the cybersecurity standards maintained by the organisation, or the branch that is being assessed, comply with the standards specified in the business’s cybersecurity policy. If the cybersecurity policy is framed with reference to contractual obligations or regulations, the VAPT activity should be considered an exercise that assesses external compliance.
Past or Anticipated Threats
A business may choose to conduct VAPT due to cyberthreats experienced in the past or expected to occur in future.
A past threat is a (usually) successful cyberattack that has occurred and has had significant negative consequences, such as theft of the organisation’s intellectual property or funds. The attack may have originated externally or internally.
External attacks are carried out by threat actors unconnected to the organisation. The organisation may be the intended target, or it may suffer collateral disruption when an attack is aimed broadly at organisations in the country in which it operates, or when an attack spreads beyond its intended target. For example, the organisation’s customer may have been the intended target, and the malware used may have reached the organisation along with routine communication.
Internal attacks are launched by a stakeholder, such as a disgruntled or greedy employee. Unlike external attackers, internal threat actors are familiar with the organisation’s IT infrastructure, cyber defences, and weaknesses, and already have access to internal IT resources, which makes them difficult to defend against.
Anticipated threats are cyberattacks that an organisation expects to face based on industry trends (e.g., a hospital may choose to conduct a VAPT exercise because many hospitals in the region have been targeted by ransomware groups) or known internal weaknesses (such as the use of legacy equipment that no longer receives security updates from its vendor).
Choosing a VAPT Provider
Once the organisation determines why VAPT is required, it becomes easier to list the credentials the VAPT provider must possess:
- VAPT Expertise
- Familiarity with Regulations
- Experience with Specific Threats
- Familiarity with the Industry
- Customisation of Services
- Comprehensive Evaluation Methodology
- Quality of Reports
VAPT Expertise
The forensic investigative capability of the provider is the most important factor to consider when selecting a provider. This capability depends on a combination of tools, skills, knowledge, and experience. Since the tools are readily available, the provider’s team should be assessed on its knowledge, skills, and experience in conducting VAPT assignments. Indicators include the number of years of experience, the number and complexity of assignments completed, knowledge of the Tactics, Techniques, and Procedures (TTPs) used by threat actors, and the clients served.
Familiarity with Regulations
When the organisation is conducting a VAPT exercise to comply with specific regulations, the provider must have familiarity with those regulations. When evaluating the provider, request information on the number and identity of organisations, with similar regulatory obligations, for which the provider has completed VAPT assignments.
If the VAPT exercise is conducted to comply with internal standards or contractual obligations that are not related to regulations, communicate the required standards to the prospective VAPT provider and ask them to elaborate on their familiarity with the technology, protocols, and challenges involved as well as assignments with organisations that have had similar standards.
Experience with Specific Threats
Organisations that are concerned about specific threats, such as internal attacks or vulnerabilities in legacy equipment, should ask the prospective VAPT provider to describe their approach towards evaluating the organisation’s defences with respect to the specified threats. The VAPT assignment may not be restricted to these threats but the provider should be able to convince the organisation that they are familiar with the technical aspects of the threat as well as attacker motivations, have gained experience in conducting VAPT for that threat with other organisations, and have developed a field-tested methodology to conduct a comprehensive evaluation of defences against the threat.
Familiarity with the Industry
The VAPT provider should be evaluated for familiarity with the industry in which the organisation operates, since the provider should be able to focus on industry-specific cybersecurity challenges and weaknesses. For example, the education sector has to accommodate a floating population of students who use a wide variety of devices. Industry challenges may also be linked to the region, so the provider’s regional expertise should also be ascertained.
Customisation of Services
Every organisation is different and represents a unique combination of infrastructure, policies, processes, and people. The VAPT provider should not follow a one-size-fits-all approach and should tailor their assessment to suit the business. The organisation can evaluate the willingness of the VAPT provider to adapt to the organisation’s needs by analysing the questions asked by the provider when discussing the assignment, which should demonstrate in-depth interest in how the business operates.
Comprehensive Evaluation Methodology
The VAPT provider should not limit themselves to a superficial software-based investigation and should, instead, conduct a comprehensive evaluation of the digital infrastructure of the organisation which may include, if required, an in-person assessment of the physical security of IT assets.
Quality of Reports
A critical outcome of the VAPT exercise is an insightful and actionable report from the VAPT provider, which should include a list of missing patches and insecure configurations, sample exploits of dangerous vulnerabilities, and guidance on addressing vulnerabilities. A sample report can be requested from the provider to assess the quality of their reports.
K7 Security’s VAPT services are delivered by cybersecurity specialists who combine extensive expertise and cutting-edge tools to perform a comprehensive evaluation of enterprise cyber defences and provide an ISO/IEC 27001 compliant report. Contact Us for more information on how our VAPT services can help you secure your operations and improve compliance.