Blog SecurityRI

Penetration Testing vs. Vulnerability Assessment: What’s the Difference?

February 27, 2018

Penetration Testing and Vulnerability Scanning are often confused as the same service. The problem is, they have their differences and are not the same. Let me explain how they differ:

Vulnerability Assessment

Vulnerability Assessment is an inspection of the potential points of exploit on a computer or network to identify security holes.

A vulnerability scan detects and classifies system weaknesses in computers, networks, communications equipment and predicts the effectiveness of countermeasures. A scan may be performed by an organization’s IT department or a security service provider, possibly as a condition imposed by some authority. The vulnerability scan involves the use of automated network security scanning tools, whose results are listed in the report. As findings reflected in a vulnerability assessment report are not backed by an attempt to exploit them, some of them may be false positives.

Client Note: A solid vulnerability assessment report should contain the title, the description and the severity (high, medium or low) of each vulnerability uncovered. A mash of critical and non-critical security weaknesses would be quite puzzling, as you wouldn’t know which vulnerability to patch first.

Penetration Testing

In contrast to vulnerability scanning, penetration testing involves identifying vulnerabilities in a particular network and attempting to exploit them to penetrate into the system.

The purpose of penetration testing is to determine whether a detected vulnerability is genuine. If a pentester manages to exploit a potentially vulnerable spot, he or she considers it genuine and reflects it in the report. The report can also show unexploitable vulnerabilities as theoretical findings. Don’t confuse these theoretical findings with false-positives. Theoretical vulnerabilities threaten the network but it’s a bad idea to exploit them as this will lead to DoS.

Client Note: At the initial stage, a reputable provider of penetration testing services will use automated tools sparingly. Practice shows that a comprehensive penetration testing should be mostly manual.

During the exploiting stage, a pen-tester tries to harm the customer’s network (takes down a server or installs malicious software on it, gets unauthorized access to the system, etc.). Vulnerability assessment doesn’t include this step.

Penetration testing vs. vulnerability assessment at a glance

Which lays bare the differences between the two techniques:

How often to perform the service?

Vulnerability assessment: Once a month. Plus an additional testing after changes in the network.

Penetration testing: Once a year, at the least

What’s in the report?

Vulnerability assessment: A comprehensive list of vulnerabilities, which may include false positives.

Penetration testing: A “call to action” document. It list the vulnerabilities that were successfully exploited.

Who performs the service?

Vulnerability assessment: In-house security staff or a third-party vendor.

Penetration testing: A provider of penetration testing services.

What’s the value of the service?

Vulnerability assessment: Uncovers a wide range of possible vulnerabilities

Penetration testing: Shows exploitable vulnerabilities.

The choice of vendor

The differences between vulnerability assessment and penetration testing show that both information security services are worth taking on board to keep your network & computer infrastructure safe. Vulnerability assessment is good for security maintenance, while penetration testing discovers real security weaknesses.

It’s possible to take advantage of both services only if you contract a high-quality vendor, who understands and, most importantly – translates to the customer the difference between penetration testing and vulnerability assessment. Thus, in penetration testing, a good vendor combines automation with manual work and doesn’t provide false positives in the report. At the same time, in vulnerability assessment, the vendor uncovers a wide range of possible network vulnerabilities and reports them according to the customer’s business.

TAX Season is Here! Along with the Tax Phishing Scams!

January 19, 2018

Gian Gentile

Tax Phishing Scams

Tax Season Always Leads to Tax Phishing Scams, Here is What You Need to Know

Most of the United States are very eager to receive their well deserved tax return during tax season, although are you educated enough to avoid the dangerously growing tax phishing scams?

First off, you must understand what and how tax phishing scams & cyber attacks work. Phishing is a scam typically carried out through unsolicited email and/or websites that pose as legitimate sites (IRS, for example) and lure unsuspecting victims to provide personal and financial information.

How can I avoid Tax Phishing Scams?

Do not click on the e-mail

Tax Season Phishing

2. Delete the e-mail / move to spam folder or block the sender – The IRS doesn’t initiate contact with taxpayers by email, text messages or social media to request personal or financial information. This includes requests for PIN numbers, passwords, or similar access information for credit cards, banks or financial accounts.

3. Don’t Reply

4. Phone Calls – if you receive IRS phone calls, make sure you call 1-800-366-4484 to determine if the caller is an IRS employee with a legitimate request.

5. Report – report all incidents to TIGTA and to the IRS at [email protected] (Subject: ‘IRS Scam’)

In closing, here are some remaining tips on how to spot additional phishing attacks:

Phishing scams are a threat to consumers in general, so keep an eye out for attacks unrelated to the IRS. Be suspicious of emails stating that you will lose something—such as your bank account or email account—if you don’t respond or click on the stated link immediately. Signs of phishing schemes that imitate well-known businesses can contain:

Generic email salutations, such as “Dear valued customer,” instead of your name.
Poor grammar or spelling errors.
Conflicting web addresses: Place your mouse over the link to see if the URL matches the typed web address in the message. If it doesn’t, it’s likely a scam. Avoid clicking the link.
Web addresses that resemble those of prominent businesses, but are slightly different.
- For example, the URL of a spoof site mimicking PayPal.com may begin with “http” instead of “https.”
- Or the web address may be something like “secure-paypal.com” instead of PayPal’s actual URL.

If you have any questions, please comment below. Thank you!

How is your Website’s Health and is it Secure?

December 26, 2017

Gian Gentile

Website

How Can I Tell If My Website is Healthy & Secure?

Your Website might be designed well, although does it work well from a technical view?

First, ask yourself the following questions:

Is my Website secure?
How is my Website’s Health-score?
Is my SSL Certificate installed properly?
How’s my site speed? (fast loading website)
How’s my back-link counter?
Is my Website Mobile Friendly?
Do I have any HTML Errors?
Do I have any “Broken” Links?
Is my Website formatted for SEO?
Etc.

If you questioned any of the above, I will be providing some helpful tools in this blog that may help!

1. HTTPS

If your web page requires entry of personal or private information, check to see if the URL in the address bar of your internet browser starts with “https://”. The letter S is very important, since it signifies that the website is using Hypertext Transfer Protocol Secure (HTTPS), a communications protocol for secure communication. If not, you should have this configured asap.

2. Website Privacy Policy

A website’s privacy policy contains very useful information on how data is collected from your website, how it’s used, and what security measures the business will take to make sure your private data is safe. If a website is lacking a proper privacy policy, you may want to consider implementing one.

3. Contact Information

Up-to-date contact information is another factor that helps determine if a site is secure. A site owner concerned about security will have, at the very least, a valid email address where any identified issues can be addressed. Ideally, the site will also include email, social media, telephone, and possibly a physical address. So, please be sure to have an updated “Contact Me or Us” section.

4. Health Score

There are much more details to your health score. You will need 3rd party software or vendor to provide an actual Health Score Analysis

Although, the health score can provide very helpful information to ensure your website is operating top notch. Check out the sample dashboard below.

Website Health Score

5. Site Speed Test

Here is a tool to test your Website’s “site-speed” – Pingdom Website Speed Test

6. Mobile-Friendly Test

In a few seconds, you can type in a URL and find if the page has a mobile-friendly design. This is increasingly important based on the number of people who browse using mobile devices. Statistics show mobile devices actually surpassed desktop usage for the first time ever in 2016.

A green “Awesome” means your site is mobile-friendly; a red “Not mobile-friendly” means that you’ve got some work to do (check it out) – Google Webmaster Tool

7. Response Headers

Caching and other response headers can be confusing. REDbot will look at your server response headers, explain what each one means, and let you know if it finds any problems or inconsistencies.

8. HTTP Compression Test

Enabling compression on your website allows your content to download more quickly. Check to see if you have Gzip compression enabled. Doing so can reduce your bandwidth significantly – Gzip

In closing, be aware a healthy website will take continued maintenance throughout its lifetime. You must learn about the new features / tools as they’re released and implement accordingly. If you have any questions regarding your website, please feel free to comment below!

Thank you.

Human Error: Understand the IT Threat

December 12, 2017

Gian Gentile

Security Best Practices for Businesses

With over 90% of all cyber security breaches due to human error, it’s safe to say that mistakes in the workplace are more than costly. So what mishaps are your end users making, and what exactly are the repercussions to your organization?

Many of the successful security attacks from external attackers who are preying on human weakness, waiting patiently for employees to be lured into providing access to sensitive information. Their human errors can be incredibly costly, especially since the insiders involved have access to a host of sensitive data.

One of the greatest impacts of a successful security breach is the exposure of this kind of information, loss of intellectual property and the infection of malware.

The Threat of Human Error

One of the most common mistakes made by employees, is sending sensitive documents to unintended recipients. This is relatively easy to solve when deploying security controls to monitor sensitive information being leaked from your organization.

These controls were once considered complex to deploy, but have now been made considerably easier to implement by vendors in recent years. This has dramatically reduced the level of user involvement required and increased the use of such controls.

These tools can also:

Prevent users from engaging in inappropriate behavior
Eliminate sending documents home via email, placing them on file-sharing sites or removable media such as USB sticks

See how the growing culture of bring-your-own-device (BYOD) exposes additional major concerns, especially with the risk of lost or stolen mobile devices. Again, technology vendors are available to help companies control what happens to data stored on such devices, even allowing sensitive data to be remotely wiped – so that it doesn’t fall into the wrong hands.

Even the most trusted and highly skilled employees run major risks of human error. System and network administrators are commonly guilty of incorrect system configurations, poor patch management practices and the use of default names and passwords. There are numerous security controls that organizations can explore to guard against these types of threats.