Investigations into cyberattacks that make headlines often reveal that a vulnerability was exploited by the threat actor – the vulnerability could have been a software vulnerability or a process vulnerability. Why are organisations unable to identify and eliminate such vulnerabilities if cyberattackers can find and exploit them? After all, the organisation’s IT staff are familiar with the IT infrastructure and have extensive access as well; why aren’t they able to find and fix security gaps before they can be exploited?
The answer to the above question lies in a combination of reasons:
- Identifying vulnerabilities requires skills and tools that enterprise IT teams may not possess
- The emphasis on lean teams prevents internal teams from spending time on exploratory tasks like identification of vulnerabilities when their task and priority lists are already full
- Security assessments require objective analysis of a system, and it is difficult to objectively assess a system that one is a part of
- The scope of the IT team’s activities may be restricted and not include vulnerability identification
- Conflicts of interest may arise if internal teams are required to identify weaknesses in the security measures they have recommended and implemented
All these challenges can be overcome by engaging an external team of experts to periodically conduct a VAPT exercise and assess the IT ecosystem of a business in a way that internal teams cannot.
What is VAPT?
Vulnerability Assessment and Penetration Testing (VAPT) is a systematic assessment of an organisation’s cybersecurity utilising a series of procedures and methods. This exercise can be considered an audit of an organisation’s cyber defences and, just like other audits, the output from the exercise will be the submission of a report for management’s review and action.
Vulnerability Assessment involves scanning the organisation’s IT resources with the goal of identifying all vulnerabilities present in the system. Vulnerability Assessments are usually comprehensive and cast a wide net. This may even include identifying all devices present on a network, as the presence of a device (which the organisation may not be aware of) may itself constitute a vulnerability. Vulnerability Assessment extends beyond technical evaluation: it requires an understanding of the business and of the purpose behind using various devices, applications, networks, and services to determine if a vulnerability exists. For example, an open port may be identified as a vulnerability if no business process requires the port to be open; if the port needs to be open, the measures implemented to secure the port will be evaluated for vulnerabilities.
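The open-port reasoning above can be expressed as a check of scan results against an inventory of business-justified ports. This is an added example, not part of the original article; the hosts, ports, inventory entries and category names are all constructed for illustration.

```python
# Constructed sample data: not taken from any real scan or from the original article.
# Asset inventory: host -> {port: business process that requires it to be open}.
APPROVED = {
    "10.0.0.10": {443: "customer web portal", 22: "admin access via bastion"},
    "10.0.0.20": {5432: "order database"},
}

# Constructed scan output: (host, open port) pairs as a scanner might report them.
SCAN = [
    ("10.0.0.10", 443),
    ("10.0.0.10", 22),
    ("10.0.0.10", 8080),   # open, but no business process lists it
    ("10.0.0.20", 5432),
    ("10.0.0.99", 23),     # host is absent from the inventory
]


def assess(scan, approved):
    """Classify each open port using business context, not the scan alone."""
    findings = []
    for host, port in sorted(set(scan)):
        if host not in approved:
            # A device the organisation is unaware of is itself a finding.
            findings.append((host, port, "UNKNOWN_DEVICE",
                             "host is not in the asset inventory"))
        elif port not in approved[host]:
            # Open port that no business process requires.
            findings.append((host, port, "UNJUSTIFIED_PORT",
                             "no business process requires this port"))
        else:
            # Port must stay open, so the measures securing it are what gets assessed.
            findings.append((host, port, "REVIEW_CONTROLS",
                             f"required for {approved[host][port]}; evaluate its protections"))
    return findings


def summarize(findings):
    """Count findings per category for the assessment report."""
    counts = {}
    for _, _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for host, port, category, reason in assess(SCAN, APPROVED):
        print(f"{host}:{port:<5} {category:<17} {reason}")
```

Every open port produces a finding here: a justified port is not cleared, it is queued for a review of the controls that protect it.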
Vulnerability Assessment may be manual or automated but is more likely to be automated or rely heavily on automation to save time and expense. The Vulnerability Assessment report will provide a list of potential vulnerabilities; critical vulnerabilities should be highlighted for immediate action. The reported vulnerabilities may include false positives (situations that technically qualify as vulnerabilities but are not practically exploitable), because eliminating false positives requires checking whether each vulnerability can be exploited, which is not a part of the Vulnerability Assessment exercise. Listing a few false positives can be considered an acceptable outcome of the exercise, as relaxing the definition of vulnerabilities to eliminate false positives may result in false negatives – unidentified vulnerabilities that may be discovered and exploited by a threat actor.
Penetration Testing is an ethical hacking exercise where specialists attempt to exploit an identified vulnerability. Unlike the Vulnerability Assessment, the goal of Penetration Testing isn’t the identification of all vulnerabilities but the evaluation of a vulnerability to determine a) whether it can be exploited by a threat actor, b) the extent to which it can be exploited, and c) the technical impact on the organisation if successful exploitation is possible.
Penetration Testing may involve both automated and manual processes, but effective Penetration Testing will rely more on manual processes, as the tester will attempt to mimic the approach and persistence of a threat actor to determine if a vulnerability can be exploited by a determined adversary. Penetration Testing is, therefore, a resource-intensive exercise which takes longer to conclude and is usually not as exhaustive as Vulnerability Assessment. It should be noted that it may not be possible to perform a Penetration Test on some vulnerabilities, as destructive testing may be the only way to examine the vulnerability, which would not be acceptable to the organisation. The enterprise should consider such vulnerabilities listed in the Vulnerability Assessment report as exploitable and proceed accordingly.
The combination of Vulnerability Assessment, which lists all potential vulnerabilities, and Penetration Testing, which determines if vulnerabilities can be exploited, provides actionable insight into the state of enterprise cyber defences.
Does VAPT Provide Value Beyond Internal Cybersecurity Evaluation?
All VAPT exercises focus on internal cybersecurity but they may be mandated by regulatory agencies as part of a business’s compliance obligations e.g., the Securities and Exchange Board of India (SEBI) requires Mutual Funds and Asset Management Companies to conduct VAPT once in a financial year (or twice a year if they are classified as a protected system) and submit the report within a month.
How Should VAPT Providers be Selected?
Effective VAPT requires a combination of tools, skills, knowledge, and experience. The tools are widely available and the other factors are human attributes. Therefore, the VAPT provider should be selected based on the capabilities and expertise of the provider’s team.
How Often Should VAPT be Conducted?
Where mandated, VAPT will need to be conducted as often as stipulated by the regulator (as illustrated above by the discussion on SEBI’s VAPT requirements). Beyond compliance, the frequency of VAPT exercises should be decided in consultation with the VAPT provider based on the organisation’s size, industry, expansion plans, and other relevant factors. Businesses that are investing extensively in digital transformation should conduct VAPT frequently and especially after each digital initiative is implemented to prevent threat actors capitalising on the opportunities provided by the rollout of new digital infrastructure.
K7 Security provides world-class enterprise cybersecurity products and services backed by over 30 years’ expertise in cybersecurity. Contact Us to learn more about how we can help you protect your IT infrastructure and satisfy your compliance obligations.