On November 23, the European Parliament suffered a DDoS (Distributed Denial of Service) attack, which caused its website to crash. A gang of Russian cybercriminals claimed responsibility for the attack. This malicious action against one of the main EU institutions is just one more example of the cyber-attacks that occur daily, and the technique employed (DDoS) is only one of the wide range of techniques and methodologies that attackers can deploy. This case shows that no company or institution is safe, and that it is therefore essential to carry out a global security assessment to arm yourself against criminals.
At the end of last month, a major insurance company suffered an attack on its information systems that compromised the personal data of former customers. And at the same time, Interpol dismantled an international network that defrauded thousands of people around the world of nearly $130 million using techniques such as phishing and sextortion.
Given the cases we have just outlined, we can draw one conclusion: neither public administrations, private companies, nor ordinary citizens are safe. We can all be affected by a cyberattack and fall victim to fraudulent actions.
What can companies and institutions do to win the war against cybercriminals? Conduct a global security assessment that x-rays their strategy and their ability to defend and respond against the techniques and methodologies employed by criminals.
In this article, we will discuss the keys to a global security assessment and the role of penetration testing services in carrying it out.
1. A complex context and an increasingly digitalized world
The global security assessment is a comprehensive analysis of all the elements of a company that could be vulnerable to a cyberattack, whether from external or internal sources. This assessment seeks to detect gaps in all the attack vectors of a company and institution, taking into account the existing threats and the tools and tactics used by criminals.
Precisely, both attack vectors and threats are in constant transformation.
On the one hand, the digitalization of our lives means that we perform more and more actions in the digital world every day. The use of software, apps, IoT devices, and wireless networks has become commonplace. The vast majority of people can no longer live without these technological advances, and almost no company can carry out its activities without these tools. What’s more, many companies deliver and market their services in the digital sphere.
What does this mean? Companies have a huge range of business possibilities at their disposal, but they are also more exposed to cyber-attacks.
If a company has its data in the cloud and has a web application and a mobile application for use by its customers, it must have a security strategy that fortifies these attack vectors.
Just as the digitization process is an integral part of the business strategy, cybersecurity must also be included at the heart of a company’s decision-making and planning. Conducting a comprehensive security assessment provides a basis on which to design (and revise) a comprehensive strategy that safeguards a company against cyberattacks. This is of vital importance, given that cyber-attacks are becoming increasingly common and complex, and their impact is growing.
2. Objectives of the global security assessment
The global security assessment helps companies know their weaknesses better than their potential enemies do. They can thus anticipate attackers’ actions, strengthen their defenses, and improve their incident response and remediation systems.
Although we could list a myriad of objectives, we will summarize the mission of a global security assessment in four major items: detecting problems, finding solutions, protecting assets, and safeguarding the companies themselves and their customers.
2.1. Detecting and remediating vulnerabilities
As we pointed out earlier, organizations are increasingly exposed to cyber-attacks. Therefore, a global security assessment is a perfect option to analyze every asset of a company for vulnerabilities.
By hiring penetration testing services, all elements of a company can be tested in real, but controlled, environments to check whether or not they are vulnerable to cyber-attacks.
Although the detection of vulnerabilities is one of the key issues in a global security assessment, it is by no means the end of the line. Based on the vulnerabilities found and a precise study of the threats facing the organization, it is possible to assess the risks and propose recommendations to remedy the problems.
After all, there is no point in a company being aware of its security weaknesses and the gaps that attackers can exploit if it does not know how to take action to remedy these problems.
This is why the global security assessment includes a report that not only lists the vulnerabilities and risks of each element, but also the measures that can be put in place to remedy the former and reduce the latter.
2.2. Optimizing the security strategy
Vulnerabilities, threats, risks, and recommendations provide the information needed to design a comprehensive security strategy based on effective security protocols, measures, countermeasures, and policies.
Therefore, the global security assessment serves to optimize the security strategy, helping to improve the detection, monitoring, and response capacity of companies and public administrations.
2.3. Safeguarding assets… and the organization as a whole
What does an improved security strategy mean? A company’s assets and information will be better protected against attacks and its systems will be able to respond effectively in the event of a security incident.
If a company’s customer data or confidential information is breached, the financial, reputational, and legal consequences can be far-reaching.
Data protection and business continuity must be two strategic issues for any company in the digital age. And the global security assessment sets the stage for organizations to safeguard information and ensure that their business model and ability to operate are not affected by a cyberattack.
2.4. Complying with legal requirements
Data protection is one of the central issues of our time. Digitalization has given us access to a wealth of information and services, but it has also led to our data being collected and stored by numerous companies and institutions.
To ensure the protection, integrity, and availability of this data, the European regulatory framework has increased the requirements that organizations processing citizens’ data must meet. The GDPR (RGPD) at the EU level and the LOPDPGDD in Spain emphasize the duty to protect data against cyber-attacks that seek to compromise it.
Likewise, other European regulations already approved or about to see the light of day, such as DORA or NIS2, stress the need for companies and administrations to fortify themselves against attacks, carry out permanent surveillance, have communication channels, and be able to respond effectively in the event of an incident, particularly those linked to critical economic sectors such as healthcare, defense, and banking.
Given this legal framework and the social, economic, and political context, the global security assessment emerges as an analysis that can be of great help. Employing techniques such as pentesting, cybersecurity professionals carry out a complete and in-depth study of an organization’s level of protection and the efficiency of its security controls, with the ultimate goal of remedying deficiencies and contributing to its protection against malicious attacks.
Companies that fail to comply with regulatory requirements, in addition to having their cybersecurity exposed, may face heavy fines and other legal repercussions.
3. Analyze all elements to detect all vulnerabilities
While the security risk assessment prioritizes a company’s critical assets to evaluate them and detect the vulnerabilities they present, the global security assessment acts on all elements of the organization.
Infrastructure, systems, servers, domains and subdomains, web applications, mobile applications, vulnerability scanning applications, networks, security information, security policies, evaluation of the human factor through exercises such as phishing, vishing, or smishing… All these elements can be analyzed during a global security assessment.
Utilizing pentesting, the assets of the company or institution can be tested using the multiple techniques and strategies implemented by malicious attackers. The objective is to detect, as we have already mentioned, any type of weakness that may exist and could be used by an attacker to steal information, gain improper access to the company’s systems, or cause a service to fail or install malware.
4. Performing a global security assessment through pentesting
As we have already pointed out throughout the text, advanced penetration testing services can be the best allies when it comes to performing a global security assessment. This offensive security test is used to determine the security level of a company. To do this, a real cyber-attack is simulated in a controlled environment.
This approach makes it possible to detect vulnerabilities that attackers may encounter and to test how security systems react to real threats such as information theft, credential theft, reverse engineering attacks, or the spread of ransomware.
Advanced penetration tests are designed and executed according to each company’s priorities, objectives, and resources. In the case of a global security assessment, its depth and scope should be as broad as possible.
Bearing this fact in mind, we will address the three types of pentesting that can be carried out and which of them could best fit the ambitious objectives of a global security assessment.
4.1. Black Box: Approaching a real attacker
Black box pentesting is the closest to the position of a malicious actor wishing to breach a company’s systems. Why? The professionals who carry it out lack any prior information about the company, its assets, users, security measures, and controls.
In other words, they work blind, in the dark.
This has a pro and a con. As we have already said, this type of pentesting comes closest to the way a real attacker would proceed, carrying out the same actions an attacker would have to take in search of vulnerabilities to exploit. This is undoubtedly attractive because it shows how existing security measures and protocols respond.
The downside is that, without having all the information on the organization’s elements and assets beforehand, it is not possible to evaluate them in their entirety. Hence, this type of pentesting is less complete than the next one.
4.2. White Box: Testing with all the information at hand
Black box and white box pentesting exercises are like night and day. While in the former, professionals move in the darkness of an organization, in the latter they can observe everything under a powerful spotlight: that of total information.
In this mode, detailed information on the organization’s technologies, source code, user accounts, network maps, architecture, networks, servers, and security policies is already available before pentesting is launched.
Professionals design and implement pentesting taking into account all these data, which enables them to carry out a more exhaustive check of each asset to detect any vulnerability, no matter how difficult it may be to exploit without prior information.
4.3. Gray Box: Penetrating the organization from the shadows
Halfway between one solution and the other is the gray box penetration test. In this mode, the professionals performing the pentesting have partial information about the company or institution at their disposal, such as the company’s IP inventories, domain information, valid credentials, or certain data about the technologies used in the organization.
The objective of this type of pentesting is to perform a more focused analysis than the black box test: because the professionals can prioritize their exercises using the information provided, they can give more weight to the most important elements or to those that, in the light of that information, present deficiencies.
5. Simulate external and internal attacks: You never know where the enemy is coming from
When carrying out a global security assessment, it is important to bear in mind that attacks can come from the company’s internal network or its perimeter. And the attackers can be malicious agents from outside the company or individuals who are part of the organization (or external attackers who have managed to gain access to internal infrastructure).
Therefore, pentesting, in addition to being a black, gray, or white box, can also be internal or external:
- External or perimeter penetration testing. The professionals who perform it act as attackers without access to the company’s internal network, so that all the company’s assets published on the Internet are tested: from the company’s public IPs to its DNS, its websites, mobile applications, and any service or element that an attacker could reach.
- Internal penetration test. The people in charge of pentesting proceed as an attacker who has access to the company’s internal network would do, whether wired, wireless, or via remote VPN access or remote desktop.
A global security assessment may require combining both modalities to test all assets and the responsiveness of controls and security measures, both against attacks that breach the security perimeter and against actions executed from the organization’s internal network.
6. The level of depth of analysis
By undertaking a global security assessment, companies and administrations obtain a complete overview of their level of protection and the vulnerabilities to be mitigated, also taking into account the threats existing at the time the analysis is performed.
It seems logical to think that for this overview to be as accurate as possible, the penetration test must be as thorough as possible. However, two practical constraints must be taken into account: the financial resources available and the frequency of the analysis.
Fortunately, penetration testing services can be perfectly adapted to the needs of an organization that chooses to carry out a global security assessment. Concerning the depth of the penetration test, we can differentiate between three types of pentesting:
- Automated. This is a penetration test in which automated tools are used to collect resources and identify vulnerabilities. This approach brings to light the vulnerabilities most exposed to attackers, which are usually associated with a high risk, and makes it possible to draw up an initial threat map. The information obtained is also useful when implementing more advanced penetration tests.
- In-depth. This test checks the security level of networks and applications. Given its complexity, it is carried out by highly qualified professionals who are familiar with the techniques and strategies used by attackers. Unlike the previous one, in which there is a high level of test automation, in this one, the professionals and their knowledge and experience are the protagonists. This approach can provide a better risk assessment, as it could identify impacts that make use of multiple chained vulnerabilities or flaws related to authorization controls and business logic.
- Hybrid. Combines the use of automated tools with the periodic and continuous work of professionals, so that the constancy of automated testing is joined with the advanced knowledge of pen-testers. In this way, the global security assessment can become a continuous service.
7. From exploitation to post-exploitation
So far we have covered the different phases of pentesting that allow us to carry out a global security assessment: setting objectives and obtaining information, detecting and analyzing vulnerabilities, exploiting them to test the security mechanisms, and drawing up a series of recommendations to mitigate the problems detected.
Well, pentesting also includes a phase known as post-exploitation, which can be of great interest when preparing a global security assessment.
In this phase, all the information and the level of access obtained during the exploitation of vulnerabilities are used as a starting point. And, from there, a series of objectives are set to thoroughly analyze the organization’s security mechanisms to try to get as far as possible from an attacker’s point of view, taking advantage of the context of the infrastructure.
In post-exploitation, the elevation of user privileges can be tested. In this way, it is possible to detect whether there are security architecture failures or insufficient security measures.
On the other hand, a series of system compromise objectives can be set and exercises can be carried out to test the ability of hypothetical attackers to perform the following actions:
- Persistence
- Lateral movement
- Information exfiltration
- Erasure of traces
In this way, an accurate picture is obtained of the attackers’ possible mode of operation once their attacks have succeeded, and of the company’s level of protection, shedding light on the efficiency of security measures, protocols, and mechanisms. All of this, of course, results in a global security assessment of great added value.
8. Cyber risk management: A cornerstone that needs to be considered
At the beginning of this article, we emphasized that cyber-attacks are on the rise and that the methods employed by criminals are becoming increasingly sophisticated. However, we must add another element to the equation: critical attacks are increasing at enormous speed. The National Cryptologic Center (CCN) has just made public that in 2021 it had to manage 118 critical incidents, i.e. successful attacks that threaten national security, strategic infrastructures, and essential services. This figure is almost double the number of critical attacks managed by the agency in 2020.
On the other hand, according to Verizon’s annual reports (2021 Data Breach Investigations Report), most security breaches are the result of targets of opportunity. This means that, while there are certainly cases of targeted attacks, any company can be the victim of a cyberattack if it is an easy target for a cybercriminal.
Companies and public administrations must therefore be aware not only of the likelihood of suffering a cyberattack. They must also be aware of how serious it can become if they do not have advanced security systems in place.
In this context, designing and implementing a global security assessment can provide certainty about the risks faced by the organization and have a positive impact on three strategic issues in the field of cybersecurity and risk and incident management: prevention, monitoring, and resilience.
8.1. Prevention
Since time immemorial, mankind has known that the best way to deal with a threat is to prepare for it; in other words, to take preventive measures. Thousands of walls around the world, some of them thousands of years old, are still standing to attest to this.
Conducting a global security assessment is a valuable decision when it comes to implementing a strategy that emphasizes prevention. This involves not only effective security measures against threats but also widespread awareness throughout the organization, from the people in charge of security and decision-makers to the professionals working in the organization.
Actions such as requiring multi-factor authentication when logging on to a corporate email are born out of the intention to reduce the role of users in cybersecurity, as it is well established that users are the main weak link in the chain.
The results of a global security assessment give a good account of a company’s level of prevention and the issues that need to be optimized, from vulnerability remediation to the improvement of controls and the training of all users of the organization’s systems and networks.
The goal is always to protect the infrastructure, applications, processes, information, and other assets of the company or institution. This also includes the employees and, of course, the customers.
8.2. Ongoing monitoring
As we have already pointed out on other occasions, there is no point in carrying out a global security assessment if the security mechanisms are not subsequently updated and the latest malicious techniques and tactics are not taken into account.
Attackers do not rest, and new developments can also introduce new vulnerabilities, so security strategies must take this into account. Constant vigilance and monitoring must be ensured, both to find vulnerabilities and breaches and to detect at an early stage the launch of a cyberattack against any element of the organization.
For this, it is necessary to have threat analysis and identification technologies and professionals versed in the field of cybersecurity and fully updated on the main developments in the sector.
In addition, it should also be noted that a global security assessment and a monitoring system in line with it must take into account not only the company’s systems, infrastructure, and networks, but also those of the suppliers that are part of its supply chain.
The strategies employed by criminals are so sophisticated that, in some cases, to breach an organization’s assets they do not attack its systems directly but rather one of its suppliers, which has a lower level of security than the company’s own perimeter, and reach their objectives that way.
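Sections 7 and 8.2 turn on the same question: when a pentest walks through the post-exploitation objectives listed earlier (privilege elevation, persistence, lateral movement, exfiltration, erasure of traces), does the organization’s monitoring actually see each step? The following Python script is an added example, not code from the original article or from any provider mentioned in it. It runs a handful of simple rules over constructed syslog-style lines and reports which objectives produced no alert at all, which is exactly the gap a global security assessment should surface. The log format, hostnames, IP addresses, and the 100 MiB exfiltration threshold are assumptions made for the example.

```python
"""Map log events to the post-exploitation objectives a pentest exercises,
so a monitoring team can see which steps left no trace in its alerts.
Added example; log lines, hosts and thresholds are constructed, not real."""
import re
from collections import defaultdict

# Constructed syslog-style lines imitating one post-exploitation walk-through:
# sudo to a root shell, a cron job planted in /tmp, an SSH hop to a database
# server, a large outbound transfer, and finally history/log clean-up.
SAMPLE_LOGS = """\
Mar 01 10:01:12 ws-17 sudo[2031]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 01 10:02:40 ws-17 CRON[2044]: (root) CMD (/tmp/.update.sh)
Mar 01 10:03:05 ws-17 crontab[2050]: (root) REPLACE (root)
Mar 01 10:05:11 srv-db-01 sshd[4101]: Accepted password for svc_backup from 10.20.0.17 port 51234 ssh2
Mar 01 10:06:30 srv-db-01 proxy[4120]: CONNECT 203.0.113.9:443 bytes_out=734003200 user=svc_backup
Mar 01 10:08:02 srv-db-01 bash[4133]: history -c
Mar 01 10:08:03 srv-db-01 auditd[4140]: /var/log/auth.log truncated by pid 4133
"""

# The objectives named in the article, in the order a pentest usually reaches them.
POST_EXPLOITATION_OBJECTIVES = (
    "privilege elevation",
    "persistence",
    "lateral movement",
    "exfiltration",
    "erasure of traces",
)

# Assumed threshold: a single connection sending more than 100 MiB out of the
# network is treated as a possible exfiltration.
EXFIL_THRESHOLD_BYTES = 100 * 1024 * 1024

# One regex per objective. These are deliberately narrow so the example is
# easy to follow; a real rule set would be broader and tuned to the environment.
# "Internal" sources are assumed to live in 10.0.0.0/8 for the SSH rule.
RULES = {
    "privilege elevation": re.compile(r"sudo\[\d+\]: .* USER=root ; COMMAND=/bin/(?:ba)?sh$"),
    "persistence": re.compile(r"crontab\[\d+\]: \(\S+\) REPLACE|CRON\[\d+\]: \(\S+\) CMD \(/tmp/"),
    "lateral movement": re.compile(r"sshd\[\d+\]: Accepted \w+ for \S+ from 10\.\d+\.\d+\.\d+"),
    "exfiltration": re.compile(r"bytes_out=(?P<bytes>\d+)"),
    "erasure of traces": re.compile(r"history -c$|/var/log/\S+ truncated"),
}


def classify(log_text):
    """Return {objective: [matching lines]} for every rule that fires."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        for objective, pattern in RULES.items():
            match = pattern.search(line)
            if match is None:
                continue
            # Exfiltration only counts once the outbound volume passes the threshold.
            if objective == "exfiltration" and int(match.group("bytes")) < EXFIL_THRESHOLD_BYTES:
                continue
            hits[objective].append(line)
    return dict(hits)


def undetected_objectives(hits):
    """Objectives from the pentest plan that produced no alert at all."""
    return [obj for obj in POST_EXPLOITATION_OBJECTIVES if obj not in hits]


if __name__ == "__main__":
    found = classify(SAMPLE_LOGS)
    for objective in POST_EXPLOITATION_OBJECTIVES:
        print(f"{objective:20s} {len(found.get(objective, []))} event(s)")
    print("not detected:", undetected_objectives(found) or "none")
```

Run against the full sample every objective fires; feed it only the SSH line and four objectives come back as undetected, which is the kind of finding that turns a pentest into an improvement of the monitoring layer rather than just a list of vulnerabilities. The threshold check shows why a rule that fires on every proxy line would be useless: volume, not the mere existence of an outbound connection, is what distinguishes a possible exfiltration.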
8.3. Resilience and response capacity
Despite prevention and monitoring efforts, some attacks cannot be foreseen or stopped before they impact the organization. Therefore, companies and institutions must have well-defined and effective mechanisms, plans, and protocols in place to deal with security incidents and to articulate a rapid and comprehensive response.
In this sense, a global security assessment serves to test the resilience and response capacity of an organization, analyzing how its protocols work, especially when privileges are escalated during a pentest.
The resilience of an organization translates into its ability to, in the event of a security incident:
- Stop the attack in the shortest possible time, preventing its propagation and reducing its level of impact.
- Ensure business continuity.
- Carry out disaster recovery operations quickly and efficiently.
- Manage communications and the legal consequences.
In short, the global security assessment is a complete analysis of existing vulnerabilities, potential threats and risks, and the security controls of a company or institution. The objective of this study is to help organizations to fortify themselves against malicious attacks, be prepared to manage risks and security incidents, and come out of them unscathed.
More articles in this series about Security Assessment
- The 5 keys to a security risk assessment
- Global security assessment: Knowing the weaknesses to address them