A decade ago, most enterprises in the U.S. did not properly understand what penetration testing was. Even in recent years, most healthcare organizations have still struggled to fully grasp the nuances of these exercises.

While the overall security industry and the healthcare-specific segment have both matured significantly, there are still many misconceptions that not only make the expensive, third-party penetration tester’s job a lot harder, but may also make the assessment markedly less effective.

For starters, the difference between an automated vulnerability scan (with a tool like Nessus, Qualys, or OpenVAS) and a penetration test is often misunderstood. What confuses the matter even further is that a penetration test can have several levels of intensity.

Before healthcare organizations dive into the best practices for penetration testing, the first step is understanding the difference between penetration tests and vulnerability scans, and learning how to choose the best possible approach for the situation at hand.

Automated vulnerability scanning is an essential part of the professional penetration tester’s toolkit, and it is also a critical function for the average information security team in its own right. The moment a penetration tester arrives to perform an assessment is not the right time to decide whether vulnerability scans are also needed. Even quarterly unauthenticated scans with a free tool (like OpenVAS) will identify vulnerabilities that need remediation; authenticated scans, which log in to the host and inspect installed software and configuration rather than only what is exposed on the network, find considerably more.

Vulnerability scanners work from a database of checks (often called plugins or signatures) that fingerprint known vulnerable software versions and misconfigurations. While these checks provide a plethora of useful information, they are not perfect. Automated scanning is known to produce false positives (results that report a condition that is not actually present) and false negatives (results that miss a condition that is present). Scanners also have another problem: lack of context. For example, a scanner can find every case where a system still accepts an outdated version of the TLS/SSL protocol. But the severity of that finding depends on who can reach the system and what crosses the connection, and that is not captured in the scan results. A penetration test brings context into the equation.

Penetration testing begins when the vulnerability scanning is completed. An experienced tester can take that report and immediately improve it by eliminating false positives (retesting each questionable finding by hand) and adding context to the severity ratings of the findings that remain. A skilled penetration tester or team will also identify the lower-severity vulnerabilities that, when chained together, can lead to a breach or other serious compromise; each may be rated low on its own, and only an attacker’s view of the path connects them. That context alone adds significant value to the assessment.

Finally, the penetration tester is able to focus on the most likely vulnerable systems and look at systems that may have been falsely reported as secure by the scanner.

While the baseline approach to any pen test is essentially the same (the sequence, as laid out in the Penetration Testing Execution Standard, is pre-engagement, intelligence gathering, threat modeling, vulnerability assessment, exploitation, post-exploitation and reporting), the scope and intensity of the attacks applied can vary, and the wider the scope, the more accurately the exercise portrays a real-world incident.

The lowest level is a simple vulnerability scan (not a penetration test) that will find low-hanging fruit, such as outdated operating systems, but does not provide a good representation of a real-world attack. Moving up the scale is the external-only penetration test, which probes every system that has a public IP and is reachable from the internet for exploitable flaws. Another step further is an internal penetration test, which portrays an insider threat or an attacker who has already gained a foothold inside the network.

Beyond this, a penetration test can include a phishing exercise in which fake emails are sent to users in an effort to gain unauthorized access to sensitive systems or data. A physical or remote social engineering aspect can be added to let the offensive team breach the building in person, or to use phone calls to fool unsuspecting employees into granting access. Finally, all of these aspects can be combined into one large assessment, called a Red Team engagement, in which the offensive team is authorized to use any means within the agreed rules of engagement to gain access to the target organization’s systems. A Red Team exercise is the closest an exercise can get to replicating a targeted real-world attack.

When choosing the best approach for penetration testing, the most important factor to consider is the maturity of the target organization. If it has never had a vulnerability scan run against its systems, then this will logically be the best place to start and will allow plenty of time for remediation.

If the organization seeking the offensive assessment is more mature and already has regular vulnerability scanning and a patching program in place, then an external penetration test is in order. From there, the organization should progress toward more advanced assessments, with the goal of performing at least one offensive assessment per year while conducting vulnerability scans more frequently.

John Nye

John Nye is vice president of cybersecurity at Cynergistek.