Vulnerability Detection / Penetration Test
What is it?
Vulnerability detection (a.k.a. penetration test) is a systematic, point-in-time effort to identify security weaknesses or flaws in a business's IT infrastructure, and to understand what those weaknesses mean for the business's risk baseline. It is a part of the business risk management process.
The investigation is typically performed by skilled security professionals. Its scope may cover a single operational element, e.g. a firewall or an application, or can extend to the whole of the business's IT operating environment.
What are the purposes of a vulnerability detection?
At a minimum, the outcome of vulnerability detection helps a business to comprehend its risk exposure and to decide whether any action is necessary. It can also be a verifiable means of showing that a business has a secure IT environment, for instance, to process and store customers' information as required by some recent data security legislation.
Not all detected vulnerabilities must be eliminated. Vulnerabilities should be analysed in the business risk context and remedial action taken to address the most critical threats, in a prioritised manner with a view to optimising return on investment (ROI).
How to go about doing it?
There are no hard and fast rules but generally an investigation involves the following steps:
- Define the scope - what is the aim and target for the investigation?
- Map out an action plan with the business groups concerned; under no circumstances should an investigation disrupt normal business operation.
- Decide if a ‘black-box’ or ‘white-box’ approach is preferred (*note below).
- Initiate the investigation on the agreed plan using appropriate procedures and tools.
- Document all the vulnerabilities found and the steps to discover them.
- Analyse the vulnerabilities with the business to decide the criticality of the weaknesses and the likely impacts.
- Define solutions to address the vulnerabilities found and work out their priority. In many cases, not all vulnerabilities are to be resolved at once.
When the identified solutions are implemented, they should be documented and the effectiveness re-evaluated.
This is not a one-off exercise. It should be performed periodically and whenever there are significant system changes, to ensure no new vulnerability has been introduced.
What is it not?
While vulnerability detection is a crucial process in helping to assure a secure IT operating environment, it is not a panacea for all security needs. In particular, it is
- Not a full internal IT audit (but a useful step towards bringing security to a sound status),
- Not a substitute for security policies, procedures and guidelines, and
- Not a replacement for suitable security safeguards and good practices.
* A 'black-box' approach is one where the investigator is given little information about the target system and makes a 'best-effort' attempt to penetrate it. A 'white-box' approach is one where the testing professional has a fair amount of prior knowledge about the system configuration. A 'white-box' scheme is often more effective and efficient in identifying weak points.