
More and more frequently, penetration testing and vulnerability assessments are making it into news headlines and advertisements. Let’s examine a few questions you should ask before signing up for a pen test or vulnerability assessment:
- What are they?
- How frequently should they be run?
- Who offers these tests?
- Contractual terms to consider?
What is Penetration Testing and a Vulnerability Assessment
Pen tests test cybersecurity from the outside or inside. Some regulations require them, such as the New York State Cybersecurity Regulation (23 NYCRR500; the “Regulation”). The Regulation defines penetration testing as a “methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside” the system. Imagine it’s a basketball practice or hockey scrimmage and the coach’s focus is on gauging the strength and reliability of the defense in preventing goals or baskets. The intention is to identify the vulnerabilities and then try to exploit them, i.e., try to exploit the system.
By contrast, a vulnerability assessment is a systematic review of information systems in order to identify cybersecurity vulnerabilities, quantify and/or consider the reasonable risk posed by vulnerabilities and potentially prioritize the levels of threat. The goal is to identify potential risks. The Regulation defines a vulnerability assessment as “systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities” in the Information Systems.
How Often Should Penetration Testing and Vulnerability Assessments be Performed?
Under the Regulation, penetration testing must be performed annually, focusing on the relevant risks identified in your Risk Assessment.
Vulnerability assessments must be performed biannually, based on the Risk Assessment results.
NIST (National Institute for Standards and Technology) provides various vulnerability validation techniques, which include pen testing and vulnerability assessments.
Who Offers Pen Tests and Vulnerability Assessments?
Who doesn’t? Nearly every company in any way related to technology will offer this service. Why? It is inexpensive, a good first step to understanding a company, and the tests are relatively easy to perform. It is important to find trusted, experienced vendors who know the purpose and goals of these tests. Some parts of the tests are automated, and others require a sufficient degree of skill – so experience and knowledge will be important in selecting a vendor.
Contractual Terms to Consider
Because an organization must share a lot about their business and expose their systems during pen testing and vulnerability assessments, a vendor should be chosen thoughtfully, and contracts entered into carefully.
Initially, what is the purpose of performing the tests, are they legally required, are they part of a larger risk assessment and analysis? What should the end product report look like?
Confidentiality is a must-have provision. The scope of the project should be well-defined and planned so as not to harm business operations or create new vulnerabilities. Make sure the vendor has the appropriate insurance in place. Most importantly, there must be well-defined risk allocation provisions. Plan also for what the end of the project will look like and the results and next steps.
Again, key ingredients of a vendor contract are confidentiality, scope, vendor insurance, risk allocation provisions, and results/next steps.
The bottom line? Know your vendor, get referrals from trusted persons in the space, and make sure the right legal obligations are in place. The cybersecurity attorneys at Octillo can help you navigate through penetration testing and vulnerability assessment from drafting the vendor agreement to performing a gap analysis of your current practices and policies and updating them accordingly.
If you have any questions regarding penetration testing or vulnerability assessments, please contact a member of our team.
*Attorney advertising. Prior results do not guarantee a similar outcome.