Vulnerability assessments and penetration testing fall within the realm of information security (IS) professionals. It is important to note that information security is a sub-specialty of information technology, and most “IT guys” are not trained in information security. Therefore, it’s important to have assessments and testing performed by someone who has IS experience, and it is especially beneficial if the IS professional(s) have familiarity with the financial industry.
Vulnerability Assessments vs. Penetration Testing
Vulnerability assessments can be complex, and the scope can vary widely depending on whether it includes external as well as internal testing, and testing of physical security. The IS professional can help define the scope, but cost will also be a consideration. A comprehensive vulnerability assessment will examine the firm’s cybersecurity governance, policies and procedures, access rights, data loss prevention, vendor management, training and incident response. It will also include network scans to identify potential vulnerabilities such as improperly configured firewalls or inadequately protected hardware.
Penetration testing differs from a vulnerability assessment in objective and scope. The objective of a penetration test is to breach an electronic system, and the engagement ends with the delivery of a written report outlining the results and recommended action steps, if any. A vulnerability assessment covers an in-depth review of a number of areas, as reflected above, and also includes the provision of a report identifying vulnerabilities and suggesting remediation.
Importantly, it appears that the overwhelming majority of penetration tests are successful. That is not good news for the firms being tested, because it means the IS professional was able to hack into the firm’s systems. Certain IS consulting firms even advertise a 100% penetration success rate, and their clients include Fortune 500 companies.
Notably, while there are differences between the two tasks, both are important components of a cybersecurity program.
Information Security Consultants
Below are some areas to consider when choosing an IS professional:
- Years of experience covering information security and cybersecurity;
- Extent of knowledge of financial industry and applicable regulations;
- Cost of project;
- Scope of the engagement;
- Level of personal service; and
- Proximity to office location(s).
Email hacking is one of the most common cyber-crimes. Next week’s blog will discuss some of these crimes, along with steps to help ensure email security.
At Core Compliance & Legal Services, Inc. we have many clients who work with various information security consultants, so feel free to call us and we can leverage this experience to help you select a consultant that will meet your needs and expectations. Contact us at (619) 278-0020 with questions, or to find out how we can help.