
There is no cybersecurity without Vulnerability Assessment and Penetration Test

Hunting down cyber threats is an ongoing process, and not one for everyone. More and more companies are turning to professionals who know how to carry out proactive and iterative research to uncover, in advance, activity that attempts to circumvent existing security controls. Vulnerability Assessment and Penetration Test are the two terms that describe the functions specialists deploy to prevent computer crime and the disclosure of sensitive data. These are periodic checks and inspections that, thanks to today’s technologies, run in the background without slowing down normal business operations. Given the ever-growing attack surface, both Vulnerability Assessment and Penetration Test are services that every type of company should now adopt in order to minimise future problems, and so avoid having to deal with breaches that are costly both economically and in terms of reputation.

V.A. and P.T., two elements of the ethical hacking

It is worth emphasising how closely Vulnerability Assessment and Penetration Test procedures are linked to ethical hacking. Just as ethical hackers investigate a system or network in search of weak points that criminals could exploit or destroy, V.A. and P.T. collect and analyse information to understand how to strengthen the security of systems, networks and applications. In doing so, they improve security so that it can better resist attempted attacks. There are many reasons why criminals break into computer systems, from financial gain to personal satisfaction. In reality, these two motivations have long drawn a different picture, at least in terms of categories. On the one hand there are the real hackers, who breach software and networks without any great financial interest; on the other there are the crackers, who aim precisely at obtaining compensation and ransom for their ‘work’. Over time, however, the distinction has faded, especially in practice. This is particularly true with the emergence of actors backed by states and large organisations, who end up carrying out actions that, in fact, directly or indirectly damage a company rather than the individual citizen. How do you fight such a ‘war’? With other hackers. Ethical hacking seeks to strengthen the security of information systems by assessing a company’s protection and trying to anticipate unforeseen attacks with potentially devastating consequences. These are professionals who are always in the field, working directly for large companies or as consultants to specialised agencies, and are often recruited by the intelligence services.

From the engineers to the cloud

Secure Online Desktop is a Cloud Provider founded in 2011 by a group of Italian engineers with expertise in computer network security and Datacenter design. Their passion and experience in IT security have greatly improved the security of the S.O.D. solution, making it both affordable and highly secure. The company’s original idea was to provide a secure virtual desktop (hence the name Secure Online Desktop and its acronym S.O.D.) which, unlike a remote desktop accessed via Terminal Server (Remote Desktop), could make a set of software applications and data hosted elsewhere available on the user’s device (be it a desktop computer, a netbook or a tablet / smartphone) in a more “user friendly” way. With S.O.D. the user perceives the software and data as if they were built into the workstation, and does not distinguish between locally installed software and a remote host. S.O.D. embodies the concept of the Cloud Desktop: the potential of cloud computing technology applied to the sphere of desktop users. The potential of cloud computing, combined with Secure Online Desktop’s Grid Computing Datacenter, the adoption of encryption for data and for transmission channels, the development of a multi-agent software platform and partnerships with several software houses, has made possible numerous projects with major companies around the world.

Steps to become proactive

SecureOD devotes much of its work to Vulnerability Assessment and Penetration Testing. To do this, it uses a methodology designed to measure the client’s cyber security through four key steps. The first is the Internal Vulnerability Assessment, the starting point for assessing the computer security of the “internal” network. This yields an index of the LAN (Local Area Network) security status, which is then used to propose countermeasures and intervention methods. The second is the External Vulnerability Assessment, conducted from outside against the information systems in the perimeter area. Although this phase can be conducted independently of the Internal Vulnerability Assessment, it is carried out afterwards so that the results can be compared and action taken in a targeted manner. The third step is the Internal Penetration Test, which attempts to exploit the vulnerabilities that emerged from the previous analyses to breach the targeted information systems; it is performed from inside the corporate network against both internal and perimeter systems. Finally, the External Penetration Test is similar to the previous step, but with the source of the attack located outside the perimeter.

Prevention is the solution

The various verification and testing phases are carried out by so-called “PenTesters”, experienced technicians with in-depth knowledge of the subject. This guarantees business continuity and rapid work, reducing the risk of errors to zero. Specifically, the method used is OWASP, for the standardisation and replicability of the tests. Experts simulate attacks dynamically, adapting to each situation just as a malicious hacker would, while avoiding the false positives that are common with automated tools. Once the reports have been delivered, the company can see any evidence of weaknesses. This is the starting point for securing the systems, an operation that SecureOD itself can carry out. Maximum transparency is ensured by presenting the results in a final report, which enables the customer to verify the work done and clearly understand the areas involved and the objectives set.

The world of Vulnerability Assessment and Penetration Test is not a closed system but one open to customisation, so as to meet different needs. SecureOD provides a Mobile App Penetration Test to verify that a developed application is hacker-proof. After all, an untested app carries many risks, including flawed management of authorisations and sessions, but also possibly broken encryption and insecure data storage. Applications are so widespread that testing their reliability is no longer just an option. Other add-ons include testing of physical security in the enterprise, aimed at detecting attacks that exploit social engineering techniques and physical tampering with systems, and procedural security analysis, which verifies compliance with the main security regulations: GDPR, ISO 27001 and AGID.

Antonino Caffo has worked in journalism, particularly technology journalism, for fifteen years. He is interested in topics related to the world of IT security but also consumer electronics. Antonino writes for the most important Italian generalist and trade publications. You can sometimes see him on television explaining how technology works, which is not as trivial for everyone as it seems.