During a client satisfaction survey conducted last year, we found that respondents were most likely to name security as their top priority for the upcoming year. In our continued effort to bring awareness to trending security topics and news, we will be issuing a security update on a monthly basis.
This update includes our security roundup, featuring the differences between a penetration test and vulnerability assessment. You'll also find data on trending security related headlines, and some important notes on recent vendor patches.
We welcome all feedback as we strive to keep our community safe and secure.
Security Roundup: Penetration Test vs Vulnerability Assessment
As security topics like data breaches and ransomware continue to make the headlines, new regulations are being put forth so that organizations are better prepared for a disaster. An example is the new guidelines set by the New York State Department of Financial Services, which require annual penetration tests and bi-annual vulnerability assessments, along with other security related solutions. As a result, our consultants are facing a familiar question more frequently: what are penetration tests and vulnerability assessments, and why do I need to do both?
Vulnerability assessments are scans for known vulnerabilities in the wild. These scans are designed to point out any flaws in your systems that a potential hacker could then take advantage of. Things that are often discovered are systems with missing patches, outdated software that is no longer receiving security updates, and older security protocols and obsolete SSL certificates. During this assessment, no attempt is made to gain access or to actually exploit the vulnerabilities that it discovers. The end result of a vulnerability assessment is typically a list of concerns and possible solutions to address them.
Penetration tests take these scans to the next level. Typically, your firm would hire a third party security firm to test your systems to see if they can actually exploit the vulnerabilities to gain access to your network. They will scan your network and then try to get into anything that they find. Their goal is to get as much information as possible. During this process they will use tools to guess or steal passwords and actually try to log in to your systems and navigate around as much as they can. They are basically acting as a hacker, but the good thing is they won't do any harm and will suggest ways for you to protect yourself against the real hackers.
If you want more information about these services, please contact your dedicated engagement team and they will be happy to assist you.
- It was a busy month for hackers, as there were two widely publicized incidents. The first one was the Gmail phishing attack, which tricked users into giving the attackers full access to their Gmail account. Luckily it was short lived, but it still reached a lot of people (I know I personally saw two emails from hacked Gmail accounts). The other big noteworthy item was the WannaCry ransomware attack that was all over the news. You have probably seen a ton of information on this, but the moral of the story is to stay up to date on operating systems and patches. If you don't, you run the risk of being vulnerable to something that otherwise could have been prevented.
- The big news this month was the WannaCry ransomware patch that Microsoft released. What was interesting was that Microsoft released a patch for unsupported operating systems like XP and Windows Server 2003. Time to upgrade!!
- Microsoft also released a patch for Windows Defender that was resolved