While CISO budgets related to cyber issues are expected to grow in 2022, some simple practices can already help you avoid the worst: a previous article by Lucas, COO of Padok Security, for example, explained how to apply the best DevSecOps principles to improve your security system.
A vulnerability scan is a process that can be automated and that allows you to scrutinize all or part of a computer system (application, servers, network). The goal? To detect possible vulnerabilities, i.e. weaknesses and errors in the way a system is designed, configured, and protected.
It is recommended to run these scans several times a year internally: at least once a quarter, and ideally once a month. Since the scans are largely automated, running them regularly costs little. At a more granular level, you can also set up tooling that scans on every new deployment (to check that dependencies are up to date, for example).
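As an added example (not code from the article or from Padok Security), here is a minimal per-deployment dependency gate of the kind the paragraph describes: it reads a pinned requirements file, compares each pinned version against an advisory list, and refuses to deploy if any dependency is affected or is not pinned at all. The requirements file and the advisory list are constructed samples with made-up identifiers; in a real pipeline the advisories would come from a feed such as OSV and the script would run as a CI step before the deploy job.

```python
"""Deployment gate: block the deploy if a pinned dependency has a known advisory."""
import re
import sys
from dataclasses import dataclass

# --- Constructed sample inputs (hypothetical service, not a real project) ----
REQUIREMENTS_TXT = """\
# pinned dependencies of a hypothetical service
flask==2.0.1
requests==2.25.1          # pinned for reproducible builds
cryptography==41.0.3
PyYAML>=5.0               # not pinned: the gate must flag this
"""

# Hypothetical advisories in an OSV-like shape: a package is affected from
# "introduced" (inclusive) up to "fixed" (exclusive). The IDs are made up.
ADVISORIES = [
    {"id": "ADV-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "ADV-0002", "package": "cryptography", "introduced": "0.1", "fixed": "41.0.2"},
    {"id": "ADV-0003", "package": "flask", "introduced": "2.3.0", "fixed": "2.3.2"},
]

# Only exact '==' pins with purely numeric dotted versions are accepted.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\d+(?:\.\d+)*)$")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str      # "" when the requirement is not pinned
    advisory: str     # advisory id, or "UNPINNED"
    reason: str


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """'2.25.1' -> (2, 25, 1); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text: str):
    """Yield (name, version) per requirement line; version is None when unpinned."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            yield normalize(m.group(1)), m.group(2)
        else:
            # anything that is not an exact pin (>=, ~=, bare name, ...)
            name = re.split(r"[<>=~!\s]", line, maxsplit=1)[0]
            yield normalize(name), None


def check_requirements(text: str, advisories) -> list:
    """Return one Finding per unpinned requirement or matching advisory."""
    findings = []
    for name, version in parse_requirements(text):
        if version is None:
            findings.append(Finding(name, "", "UNPINNED",
                                    "not pinned with ==; deployed version cannot be checked"))
            continue
        v = parse_version(version)
        for adv in advisories:
            if normalize(adv["package"]) != name:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append(Finding(name, version, adv["id"],
                                        f"affected; upgrade to >= {adv['fixed']}"))
    return findings


def deployment_gate(text: str, advisories) -> int:
    """Exit status for CI: 0 = deploy may proceed, 1 = block the deployment."""
    findings = check_requirements(text, advisories)
    for f in findings:
        print(f"BLOCK {f.package}=={f.version or '?'}: {f.advisory}: {f.reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(deployment_gate(REQUIREMENTS_TXT, ADVISORIES))
```

Run against the sample input, the gate blocks on `requests` (inside the hypothetical affected range) and on `PyYAML` (not pinned, so the deployed version is unknowable), while `flask` (below the introduced version) and `cryptography` (at or above the fixed version) pass. Treating an unpinned dependency as a failure is deliberate: a scan that runs on every deployment is only meaningful if the deployed versions are the ones that were checked.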
Advantages:
Disadvantages:
In this scenario, the idea is to walk around your house yourself (= your IS) and list every flaw that could lead to a break-in: a broken window, a lock dating from the 18th century, a surveillance camera with a dead battery, etc. (= vulnerabilities).
This is as far as the exercise goes, and your list will not necessarily tell you whether these vulnerabilities are actually exploitable: perhaps the seemingly fragile lock will turn out to be unbreakable. You won't know until you try to break it.
A security audit is a human assessment, often carried out by an external service provider, that gives you a snapshot at a given moment of all or part of the security risks of an IS.
The goal is not only to verify compliance with established standards and procedures (e.g. internal procedures, or the laws and regulations specific to the company's sector) but also to benefit from the expertise of the auditor.
Given the cost of these audits, their frequency is naturally lower than that of vulnerability scans. It also depends greatly on your company's exposure and the industry in which it operates: a financial institution or a pharmaceutical company will tend to conduct audits more regularly.
On average, it is therefore recommended to organize at least one audit per year, and ideally one per quarter. An audit may also be warranted after a data breach, a system upgrade, or a data migration, or, more generally, after any major change to your IS.
Advantages:
Disadvantages:
This time you ask your neighbor, a police officer, to carry out the previous exercise for you. He will have a more objective and sharper eye for the security of your house, and above all he knows the security standards of the market.
Not only will he be able to observe the potential flaws in your home (as you do), but he will also make recommendations to bring your home up to market standards: armored door, five-point lock, burglar-proof glass... However, he is still only observing and not trying to break into your home.
A penetration test goes a step further: it places the findings in the context of an actual attack and exploits the flaws found. It is ultimately a more realistic and concrete form of audit: you mandate an external tester to put themselves in the shoes of an attacker and attack your IS (applications, servers, network).
It is even possible to play out a physical attack scenario, for example by simulating the theft of a developer's workstation.
There are three ways to conduct these pentests:
To dive into the practice, follow directly a Kubernetes cluster attack performed by Thibault, CTO of Padok Security, in July 2021.
As with security audits, the frequency depends greatly on your exposure and the industry in which your company operates. Do not misread this, however: every site and application faces risk. For highly sensitive applications, it is advisable to test somewhat more often than the market standard.
For an application with little exposure, a pentest at each major version upgrade may be sufficient.
Advantages:
Disadvantages:
This time you ask the same neighbor, still stationed at the local police station, to break into your home, but through one specific and most sensitive point of entry: your front door.
His objective is to get in, compromise as many valuables inside the house as possible, analyze the main flaws, and list what could easily be stolen.
However, you can choose between three approaches:
This practical test will allow you to confront the assumptions you had about the security of your house with reality. And maybe that 18th century lock you were so fond of will turn out to be much stronger than the scan or audit reports indicated...
Several approaches allow you to analyze the security level of your information system. It is possible to combine several of them, but your decision will depend on several criteria: the sensitivity of your company's environment, the size of your IS, as well as the time and budget you wish to allocate.
If you want to dig deeper into the subject, or if your company is already mature enough on it, a fourth approach is likely to interest you: the "Red Team" pentest.
Derived from the classic pentest, this approach covers a much larger perimeter (an entire IS for example), spreads over a longer period of time (several months), and implies that very few people in your company are aware of it.
Do you want to take action? Do not hesitate to contact us!