The only way to be secure - find the vulnerabilities in your infrastructure before someone else does

19 Dec 2023, by Slade Baylis

With the other article this month highlighting the cyber threats to watch out for in 2024 - the next question arising is how do you go about finding out if your systems are vulnerable?  If you don’t know how to tell if your systems are open to attack, it makes the job of protecting them much harder.  With this being the case, we thought we’d go into detail about the different methods used for analysing the security posture of websites, applications, and infrastructure.

At the high-end, full penetration testing is king!  Through this service, cyber-security experts set to work in trying to break into an application and document their findings.  However, even though it’s comprehensive, it’s usually an extremely expensive process.  The good news is that there are more “entry-level” scanning services at the other end of the cost-spectrum that can help with catching more of the common security issues.

In this article we’ll be going into detail about both of these options, explaining what’s involved with penetration testing and vulnerability scanning, as well as in what circumstances one may be preferable over the other.

What are vulnerabilities?

First, before we can go into details about what “vulnerabilities” are, we’ll need to explain what a "vulnerability” is.  It may seem obvious, but a vulnerability is simply an issue with your service that leaves it exposed to the possibility of being attacked or harmed.  And the form which that vulnerability takes, can actually affect both how you can detect it and what methods you can use to fix it.

For example, with websites and applications being composed of many moving pieces which often hang together in a myriad of ways, discovering vulnerabilities is often a highly manual process.  It most cases, probing and discovering vulnerabilities that may have been overlooked by web developers and third-party application providers is something that needs to be completed by seasoned security researchers.  Basic website and application code vulnerabilities can be detected by automated scans, but that’s the exception rather than the rule.

At the simpler end of the scale - such as issues with infrastructure misconfiguration, unnecessarily available services, and out-of-date software – automated scanning tools are much more useful for catching issues early and allowing you to fix them.  To that end, they’re recommended to be used as a permanent fixture within your infrastructure, continually scanning your systems to make sure new vulnerabilities don’t get introduced over time, or are patched when they are found to be there.

What is penetration testing?

As mentioned, finding security issues and potential attack vectors will look different depending on the type of services you are looking to protect and what your budget looks like.  At the high (and more costly) end, analysing how secure your website, application, or infrastructure is – can be achieved through a service called "penetration testing".  This is a service wherein cyber-security experts set to work in attempting to break in themselves to find out whether it’s possible or not. 

It’s a realm where the lines between “hacker” and “security researcher” are blurred. This is because in order to be able to effectively simulate a cyber-attack, the people performing the attack need to possess the same skillsets as those they’re attempting to protect you from.  The common term for this type of security researcher is a “white hat hacker” (often just referred to as a “white hat”) – who are ethical security hackers aiming to identify any vulnerabilities or security issues that a system has with the full permission from the owner/s.  This is juxtaposed against “black hat hackers” (or “black hats”) - who are the more commonly-known type of hacker that are doing the same, but for malicious reasons instead. 

Whilst there are many different types of penetration testing, they are generally categorised by their target.  For example, most fall into these four categories: Application Penetration Testing; External Network Penetration Testing; Internal Network Penetration; and Physical Security Testing & Social Engineering.  Each of these target a different aspect of your infrastructure, covering both your applications, the systems they run on, and the people that run them.

At a high-level, here is a break-down of each of these categories:

• Application Penetration Testing – Simulating an attack against applications, such as mobile apps, web applications, API endpoints, or thick-client applications.
• External Network Penetration Testing – Simulating an attack against any assets that are publicly facing, such as internet-facing applications, websites, firewalls and WAFs, and email or DNS servers.
• Internal Network Penetration Testing – Simulating an attack by someone with internal access to systems, such as a malicious insider or someone who has stolen access details of an employee. 
• Physical Security Testing & Social Engineering – Simulating an attack by attempting to identify and bypass physical security controls, gain access to systems and data physically, as well as use common social engineering tactics to have staff provide unauthorised access to systems, locations, or confidential information.

In addition to being categorised by the services that they’re targeting and testing, they are also broken down by the level of cooperation that is exercised by each “team”.  In penetration testing, the team performing the tests and attempting to gauge an organisation’s security posture is often referred to as the “Red Team”, with the staff of the organisation and people attempting to stop the threat referred to as the “Blue Team”.  With regards to the tests themselves, they can either be performed as a one-sided attack which is referred to as “Red Teaming”, or they can be performed as a joint collaboration, referred to as a “Purple Teaming” whereby both sides work together to identify weaknesses in processes or systems.

Each of these tests are the best ways to identify and improve systems and processes.  However, as mentioned previously, they are often an expensive ordeal – usually starting at the low tens of thousands and only going up from there!  The good news is there are ways to catch more common vulnerabilities without having to empty your wallet.

What is vulnerability scanning?

This is where vulnerability scanning enters the field - as it’s a service that can be used to catch common infrastructure misconfiguration issues, out-of-date or vulnerable software, and even common exploitable website coding issues - all at a more affordable price point.

Overall, the aim of any vulnerability scanning service is to detect and report on known vulnerabilities that your systems are susceptible to, as well as to provide guidance on different ways you can reduce your overall “attack surface”.  The “attack surface” for an organisation includes all the different points where an attacker can attempt to gain unauthorised access to a system. 

On the known vulnerabilities side, these automated tools use CVEs (Common Vulnerabilities and Exposures), which are publicly reported lists of known security issues, in order to detect whether the software you are running is vulnerable to these exploits.  On the attack surface side, these scans will network map; port scan to identify running services; as well as classify any weaknesses that they find. 

In addition to identifying issues, most vulnerability scanning tools will also provide added context, such as:

• Severity – This is a high-level categorisation of the detected vulnerabilities by their severity – this allows organisations to prioritise which issues to fix first based on their relative threat.
• Threat – This will include more details about the exploit and how specifically it is exploitable by a malicious actor, to help provide greater understanding about the vulnerability at a technical level.
• Impact – This will include details on how that exploit can be used to affect the systems it is present on or the people that use that system, so that organisations can know the risks of remaining vulnerable.
• Solution – This will detail different ways the detected vulnerability can be patched or fixed, in sufficient detail so that a technician can set to work in fixing the issue.

If these sorts of vulnerability scanning services are used as recommended – which is to use them as a regular recurring scan of your systems, rather than a once-off scan – then this ensures that issues are detected as soon as they’re introduced and allows for organisations to immediately work on fixing them.

Which method should you use to access your own security posture?

Ultimately, the method you should choose to use for accessing the security of your systems will depend on several factors including the sensitivity of the data you are storing; the risk to your organisation and to your customers should there ever be a breach; and your budget. 

For large organisations with budgets big enough to afford the cost, both penetration testing and vulnerability scanning should be used in parallel to ensure the security of infrastructure and applications.  On the smaller side - at least for those organisations running their own infrastructure - basic vulnerability scanning services are recommended to be run continually to ensure that systems are secure. 

By looking at vulnerability scanning as a continual service - rather than as a once-off scan – you can be re-assured that they’ll remain secure over time!

Looking to assess your own security posture?

If you’re interested in performing a vulnerability scan of your own systems, in penetration testing, or even just after a basic review of your cyber-security posture, just let us know!  We’re more than happy to help you assess your systems specifically, provide details on what can be improved, as well as answer any questions that you have.

For more information, you can email us at sales@micron21.com or call us on 1300 769 972 (Option #1).