An important first step on the path to a secure environment
Risk Assessment: higher-level and strategic;
identify critical assets and value,
identify risks to critical assets,
estimate the likelihood of each threat materializing against those assets,
estimate the impact a realized threat would have on those assets, and
identify and recommend countermeasures that reduce the likelihood or the impact of those threats.
Security Assessment: a more technical “architectural review”; evaluates the people, processes, and technology as they relate specifically to cybersecurity.
Penetration Test (a.k.a. Pen Test): a highly specific, hands-on technical evaluation that attempts to exploit weaknesses in the countermeasures already in place.
Often a manual process with some automated tools.
Requires highly specialized skills and expertise. Expect a higher price tag.
A cheap/lowest-cost Pen Test only results in a false sense of security.
Usually done as a snapshot/single event to validate Vulnerability Management (see below).
Should be repeated on a scheduled basis, with the interval set by the organization's overall framework and policies, rather than treated as a one-time exercise.
A good Pen Test should do two things:
identify new vulnerabilities, and/or
validate the assumptions about the current cybersecurity posture, thereby providing a feedback loop into the security program.
The Pen Test allows an organization to truly understand how effective its security is from a “hacker's perspective”.
Vulnerability Management (Vulnerability Assessment, Vulnerability Scanning): evaluate, rank, and patch technical weaknesses on a routine basis (e.g. daily, weekly, monthly, quarterly).
Usually delivered via automated tools and software by a professional provider.
Considered the starting point for a Pen Test. It is NOT a Penetration Test itself (don't let any vendor tell you otherwise).
For any given vulnerability, the best solutions add context beyond the raw finding (the affected asset's value and exposure, whether an exploit is actively in use, and any compensating controls) and therefore score the threat more accurately, reducing false positives and unnecessary panic.
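To make the point about context concrete, here is an added illustration (not code from the original page or from Cloud 9 Advisers) of how a vulnerability management tool can re-rank scanner findings using asset criticality, exposure, known exploitation and compensating controls. The findings, the asset inventory and the weighting scheme are constructed for this example; the weights are an assumption, not a published standard.

```python
"""Contextual vulnerability prioritization.

Added illustration, not code from the original page or from Cloud 9 Advisers.
The findings and asset inventory are constructed sample data, and the
weights below are an assumed scheme for the example, not a published standard.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (low) .. 5 (crown jewel), from the risk assessment
    internet_facing: bool
    compensating_controls: list[str] = field(default_factory=list)


@dataclass
class Finding:
    asset: str
    title: str
    cvss_base: float                 # 0.0 .. 10.0, as reported by the scanner
    network_vector: bool             # exploitable over the network (AV:N), not local only
    known_exploited: bool            # public exploit or observed in-the-wild exploitation


def contextual_score(finding: Finding, asset: Asset) -> tuple[float, list[str]]:
    """Adjust the scanner's base score with asset value, exposure and threat context.

    Returns (score, reasons): score is clamped to 0..10 and reasons records every
    adjustment so an analyst can audit why a finding landed where it did.
    """
    reasons = []
    # Asset value: the same bug matters more on a crown jewel (x0.7 .. x1.1).
    factor = 0.6 + 0.1 * asset.criticality
    score = finding.cvss_base * factor
    reasons.append(f"criticality {asset.criticality}: x{factor:.1f}")
    # Exposure: network-reachable on an internet-facing host is open to anyone.
    if finding.network_vector:
        if asset.internet_facing:
            score += 1.5
            reasons.append("internet-facing, network vector: +1.5")
        else:
            score -= 1.0
            reasons.append("reachable only from the internal network: -1.0")
    # Threat: active exploitation outweighs a theoretical severity rating.
    if finding.known_exploited:
        score += 2.0
        reasons.append("known exploited: +2.0")
    # Compensating controls lower, but never erase, the risk.
    if asset.compensating_controls:
        penalty = 0.75 * len(asset.compensating_controls)
        score -= penalty
        reasons.append(f"controls {asset.compensating_controls}: -{penalty:.2f}")
    return round(max(0.0, min(10.0, score)), 1), reasons


# Constructed sample data: one scanner finding per asset.
ASSETS = {
    "db-prod-01": Asset("db-prod-01", criticality=5, internet_facing=False),
    "www-edge-02": Asset("www-edge-02", criticality=4, internet_facing=True),
    "build-agent-07": Asset("build-agent-07", criticality=2, internet_facing=False,
                            compensating_controls=["host firewall", "no inbound route"]),
}
FINDINGS = [
    Finding("db-prod-01", "RCE in database listener", 9.8, network_vector=True, known_exploited=False),
    Finding("www-edge-02", "Auth bypass in reverse proxy", 7.5, network_vector=True, known_exploited=True),
    Finding("build-agent-07", "RCE in CI agent", 9.8, network_vector=True, known_exploited=False),
]


def rank_findings(findings=FINDINGS, assets=ASSETS):
    """Return (score, finding, reasons) tuples ordered by contextual score, highest first."""
    ranked = []
    for f in findings:
        score, reasons = contextual_score(f, assets[f.asset])
        ranked.append((score, f, reasons))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"{'asset':16}{'base':>6}{'ctx':>6}  title")
    for score, f, reasons in rank_findings():
        print(f"{f.asset:16}{f.cvss_base:>6}{score:>6}  {f.title}")
        for r in reasons:
            print(f"{'':28}- {r}")
```

Ranked by raw CVSS alone, the two 9.8 findings tie at the top and the 7.5 sits below them. With context applied, the 7.5 auth bypass on the internet-facing proxy that is already being exploited in the wild ranks first, the 9.8 on the internal production database stays near the top, and the identical 9.8 on an isolated build agent with compensating controls drops to a medium score. The reasons list is what turns the number into something an analyst can defend instead of a cause for panic.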
or are you just trying to “check the box”?
For help finding the right cybersecurity companies, reviewing your security with a free consultation, and implementing a new strategy to protect all of your business assets, please contact Cloud 9 Advisers now.