On the mailing list last week, a member raised an issue that I was also involved in, during a consultancy for a company based in Ghana.
It was a bit hilarious, given that the people doing the security assessment for that company were from KPMG, and I expected a firm like KPMG to be aware of the factors that go into a security assessment and of which services are offered during such an engagement.
So which factors does a client need to look into before commissioning a security assessment?
a) Penetration testing: external or internal
b) Duration and frequency: how often do you need the service, annually or semi-annually?
c) Last but not least, which security assessment service do you actually need.
Before we go into the explanations: during a presentation at KRA I explained the difference between a vulnerability assessment and a penetration test. To keep it short, a vulnerability assessment identifies and ranks weaknesses, usually with scanners plus manual review, and its findings are potential issues that may include false positives. A penetration test is the hands-on confirmation of those findings: the tester actually tries to exploit a vulnerability picked up during the vulnerability assessment and shows what an attacker could do with it. A penetration test is therefore the logical conclusion of a VA.
EXTERNAL AND INTERNAL TESTING
During a test, you choose whether you want the pentest performed from outside your network, from a remote site, or with the engineers inside the network. When it is performed externally, the engagement takes the form of an outside black-hat attacker who has to get past your firewall and any other device on your perimeter from the internet. In this kind of test the testers are given no IP ranges, no DNS names and no user accounts, in short no information at all; they have to collect it covertly and gather as much intelligence as they can before picking their prime targets. This is commonly known as black-box pentesting. Note that "external" and "black box" are not the same thing: an external test can also be run with scope information handed over in advance (grey or white box), and even in a black-box test the targets the testers discover must be confirmed with the client before exploitation so that the engagement stays inside the authorised scope.
Internal testing is carried out more like an insider threat: someone who is already behind the perimeter, for example an employee or an attacker who has compromised a workstation, and who already knows a lot about the network and the organization. Here the testers will use social engineering, privilege escalation, exploitation of internal services, and so on.
DURATIONS, HOW MANY TIMES DO YOU NEED THE SERVICE, ANNUALLY, SEMI-ANNUALLY?
This should be considered both by the security team of the organization that needs the service and from the consultant's perspective. The factors that drive how often you test include:
a) Threat intelligence: who is targeting your sector and how
b) Security incidents (scans, brute-force attempts, hack attempts, DoS)
c) Business espionage
d) Perimeter devices and internet-facing applications, e.g. portals, which may need external black-box pentests more often than internal systems
e) Application and system changes, including the addition of new clients and employees
WHICH SECURITY SERVICE DO YOU NEED?
One thing I have noticed with most security vendors in Africa is that they come up with fancy names for their products, which leaves customers wondering which one to take and ends with them tricked into paying for a vaguely defined service with no clear deliverable. When a client asks for a security assessment, or an organization needs one, these are the services to look into:
a) Vulnerability Assessment
b) Penetration testing
c) Web Application Assessment
d) Physical Security Assessment
These are just the most important ones. I will be writing a brief blog entry on each of them soon.