A cybersecurity assessment and test can help organizations objectively measure security posture and risk. With so many different scans, tests and assessments, how do you know which one is right for your organization? Here are the top 5 types of cybersecurity assessments and when to consider them.
When ADNET recommends a cybersecurity assessment and testing we consider multiple factors. These include industry, regulatory compliance and reporting obligations and the current situation – business needs, risks and threats. While these scans and processes may be under different names, there are several common types of cybersecurity assessments and tests.
1. Risk Assessment
A Risk Assessment is a thorough scan and audit of an organization’s systems, required regularly for compliance regulations such as NIST, CMMC, NY-DFS, PCI DSS and HIPAA. This assessment benchmarks the level of vulnerability and security posture of the organization against accepted standards.
The results of a Risk Assessment report are specific to the organization assessed. A Security Analyst reviews the findings to determine the potential impact of each risk to the organization. The assessment may include internal or external vulnerability scans and an audit of security tools (such as EDR, antivirus, and firewalls), systems, cloud platforms (e.g., Microsoft 365, Azure, AWS), business-specific applications, and relevant security policies.
ADNET recommends performing Risk Assessments at least annually. Certain regulatory compliance obligations mandate Risk Assessments, and they may also be required for cyber insurance policies. In the event of a security incident or a major change to your business needs, consider scheduling assessments more frequently.
Recurring Risk Assessments can identify areas that hackers are most likely to target and decrease your risk of becoming a victim of a cyber-attack. If your short-term budget supports only one type of cybersecurity assessment, start with this one.
2. Vulnerability Assessment
A Vulnerability Assessment identifies, quantifies, and prioritizes the vulnerabilities in a system using a combination of automated and manual tools. Consolidated findings focus on new and critical issues, with a full appendix listing all vulnerabilities.
Note: A Vulnerability Assessment is not the same as a Risk Assessment. A Vulnerability Assessment alone does not meet the requirements for Risk Assessments mandated by HIPAA, PCI DSS, or other compliance regulations.
ADNET recommends performing regular vulnerability assessments in conjunction with recurring risk assessments as part of your organization’s cybersecurity strategy. It’s important to schedule these assessments as part of new and major business initiatives, such as rolling out a new Enterprise Resource Planning (ERP) system.
Whether you have vulnerability assessments performed annually, quarterly, monthly or on another cadence, know that this is not a “one and done” assessment. Based on the increasing prevalence and severity of cyber-attacks, more organizations and regulatory compliance governing bodies are mandating a regular vulnerability management program, which is more complex than simply having vulnerability assessments performed. Reach out to ADNET if you’d like guidance on developing this type of program for your organization.
3. Penetration Assessment
A Penetration Assessment, also known as a “Pen Test,” is a completely human-directed process performed by credentialed security professionals. Penetration Assessments simulate an attack on an organization’s systems. Designed to find weaknesses, this assessment exploits them in a safe manner to best determine the organization’s greatest risks and possible impact of a successful attack. A Penetration Assessment may also include a Vulnerability Scan.
Penetration Assessments can be external or internal and generally fall into three categories: White Box, Black Box and Grey Box. These range from the tester being given internal information about the system (White Box) to the tester attempting to breach the system with no prior knowledge, as an outside attacker would (Black Box), with Grey Box in between. Penetration Assessments can be conducted on networks, applications, or websites.
A Penetration Assessment can safely exploit vulnerabilities and misconfigurations, identifying human errors that may leave systems vulnerable to exploits by hackers. While a Risk Assessment focuses on the big picture, a Penetration Assessment focuses on a certain area.
ADNET recommends a Penetration Assessment in specific situations. For example (this list is not exhaustive): if your organization is developing a new system or technology, adding a new feature to a business-critical system, or updating a public-facing system or one that contains sensitive data, consider conducting a focused assessment against those areas. Compliance regulations may also dictate that this specific type of assessment be performed at a given frequency.
However, if regulations or current circumstances do not require a Penetration Assessment, ADNET recommends a multi-step approach:
– Conduct a Risk Assessment
– Remediate the vulnerabilities found in the Risk Assessment
– Perform a Penetration Assessment against a specific area to verify minimization of security risks
4. Website Penetration Assessment
A Website Penetration Assessment deserves its own mention because website security is often overlooked. If bugs, misconfigurations and/or vulnerabilities exist on your web server, databases or integrated solutions, they can be exploited by a threat actor.
This scan and assessment can detect vulnerabilities in web servers and web applications, including plug-ins, templates, and the core platform. A security professional analyzes the findings to determine the potential impact of each risk to the organization. Any risks or vulnerabilities discovered should be promptly mitigated in partnership with your web development team or partner.
Perform Website Penetration Assessments when making major updates to your existing website, when launching a new website, and on a regular basis. The appropriate cadence depends on the complexity of your website. Compliance standards such as PCI DSS may require Website Penetration Assessments, including vulnerability scans.
5. Phishing Tests
Social engineering, or “phishing,” is one of the biggest threats to organizations today, primarily because these types of attacks are so successful. Using expert knowledge and tools, a phishing test safely tests your team’s ability to recognize phishing attempts.
With the consent of the client, security professionals create campaigns that safely simulate phishing emails. The emails are written and formatted as a real phishing campaign would be, and the links within them lead to a benign landing page. Once the emails are sent to your employees, the results – such as opens, non-opens and clickthrough rates – are tracked and reported back to the organization.
It’s important to note that these campaigns are not meant to shame or retaliate against users. Phishing tests are teaching tools that can help pinpoint your biggest vulnerabilities. Following a phishing test campaign, we recommend conducting Security Awareness Training with your team because it’s a great way to educate your team on avoiding future cybersecurity threats.
The best time to perform a phishing test for your organization is before a security incident occurs, in the interest of preventing one. ADNET recommends performing simulated, unannounced phishing tests at least annually, at unpredictable times.
How ADNET Can Help
Assessing your current cybersecurity strategy and risk is critical to protecting your organization against potential threats. ADNET’s experienced security professionals can review your environment and needs and recommend the most appropriate cybersecurity assessment and/or testing. Reach out to us; we’re here to help!