Having editorialized a bit about the history of pen testing and vulnerability assessment - while not addressing pioneering papers, such as "Improving the security of your site by breaking into it," by Dan Farmer and Wietse Venema in 1993 - it's time to take a serious look at what the current state of vulnerability assessment (VA) actually is.
Back in 1993, when the paper was written, the idea of breaking into one's own site was radical. In fact, SATAN, arguably the first pen testing tool in the open source world, reportedly got Farmer canned from his job. Fact or old wives' tale, it doesn't matter. That was the tenor of the time and Farmer was risking a lot with his ideas. Today, thanks to pioneers such as Farmer, Venema and many others, things are far different. There is a healthy market for vulnerability assessment tools and penetration testing is becoming a commoditized offering of many consultants.
The growing sophistication of the adversary also has had a lot to do with the realization that doing exactly what that early paper suggested is the only way to ensure that one's enterprise is as safe as it can be. Think of VA and pen testing as security quality assurance. We have lots of first-line tools on which we depend to keep us safe, but we still need to answer that most important of all questions: "How do I know that my protections actually are working as I expect them to?" That requires testing - smart testing with well-designed tools - and the skill and imagination to think like the enemy. There are several tools this month that help you do all of that.
Let's begin by looking at what one should be addressing with VA tools. That will help you make wise choices when you buy your QA tool kit. Some of these tools are rather pricey, so you must ask, "Are they worth the cost in my environment?" No matter how good the tool, and no matter what recognition we give it, if it isn't what you need in your environment, pass on to something that addresses your unique requirements.
Vulnerability and penetration testing are not the same, although they get closer every year. Vulnerability assessment is generic. Pen testing is specific. Many pen testers run a VA first and then use pen testing to attempt to exploit critical vulnerabilities. For most organizations, though, it is not quite as simple as that. There are so many dimensions to today's intrusions that the most important tool you have is your brain. You need to reason out the ways that an attacker can break into your systems. You need to decide in advance why an attacker would select you - low-hanging fruit, to make you part of a zombie botnet army, to steal money from you, or whatever other motive makes sense - and then think through how the attacker would achieve their objective.
Attacks against systems are campaigns in a cyber war that goes on every day. Often, there are multiple campaigns against you. They may start with phishing attacks and progress through back doors, trojans and planting other crimeware. Whatever the reason that you might become a target, you must think that through as you choose your defenses and the tools to test them. If you are a small business with limited resources, perhaps what you need is a simple auto scan that runs regularly and is buttressed by an annual penetration test. If you are a larger company with skilled security professionals, you may want to look at a fairly complete tool set and perform your own regular VAs, following up with periodic pen tests. In either case - or the many permutations in between - you should select your tools accordingly.
Next, let's think a bit about what you should expect from these tools. First, there are so many new attacks appearing daily that there is no way that any company can keep up. You simply do the best you can and remember: Just because the latest zero-day appears on the horizon doesn't mean that your tools need to support it immediately. It will take time to work its way well into the wild, so concentrate on one big thing: Don't become low-hanging fruit.
Low-hanging fruit attracts attackers of all kinds, regardless of whether you think you have nothing worth stealing. At the least, they will use your systems as jumping-off points for upstream attacks. Upstream attacks can mean upstream liability, so think of your testing in those terms.
At the low end, your VA tools should be easily and, preferably, automatically updatable. They should be able to be set to run on a schedule - automatically - and should send meaningful reports customized to the reader. That means the CIO does not get a report full of geeky detail, and the remediation/patching team does not get charts with pretty colors that are of little use in their tasks.
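As an added illustration of the reporting requirement above (not code from the column or from any product it reviews), the script below takes a constructed set of scan findings and renders two different reports from the same data: an aggregate view for an executive reader and a per-host worklist for the patching team. It also includes a small staleness check for the tool's update feed, since a scheduled scan run against an outdated plugin set gives false confidence. The finding records, host names and report layouts are assumptions made for this example, not the export format of any real scanner.

```python
"""Role-tailored reporting over a constructed vulnerability-assessment result set.

Added example: not from the column or any product it reviews. The findings,
host names and report shapes are constructed assumptions for illustration.
"""
from collections import Counter
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample findings, in the shape a scheduled scan might export.
FINDINGS = [
    {"host": "web-01.example.test", "severity": "critical",
     "title": "Outdated TLS library",
     "fix": "Upgrade the TLS package to the vendor-patched release"},
    {"host": "web-01.example.test", "severity": "medium",
     "title": "Directory listing enabled",
     "fix": "Disable autoindex in the web server config"},
    {"host": "db-02.example.test", "severity": "high",
     "title": "Database listens on all interfaces",
     "fix": "Bind the listener to the internal interface only"},
    {"host": "mail-03.example.test", "severity": "low",
     "title": "Banner discloses software version",
     "fix": "Suppress the version string in the banner"},
    {"host": "db-02.example.test", "severity": "critical",
     "title": "Default administrative credentials",
     "fix": "Change the default credentials and enforce a password policy"},
]


def executive_summary(findings):
    """Aggregate counts for a non-technical reader: severities, host count and
    the one host carrying the most aggregate risk. No fixes, no detail."""
    by_severity = Counter(f["severity"] for f in findings)
    risk_per_host = Counter()
    for f in findings:
        risk_per_host[f["host"]] += SEVERITY_RANK[f["severity"]]
    worst_host = max(risk_per_host, key=risk_per_host.get) if risk_per_host else None
    return {
        "total": len(findings),
        "by_severity": dict(by_severity),
        "hosts_affected": len(risk_per_host),
        "worst_host": worst_host,
    }


def remediation_worklist(findings):
    """Actionable rows for the patching team, worst severity first, then by
    host so one engineer can work a machine top to bottom."""
    return sorted(
        ({"host": f["host"], "severity": f["severity"],
          "title": f["title"], "fix": f["fix"]} for f in findings),
        key=lambda r: (-SEVERITY_RANK[r["severity"]], r["host"], r["title"]),
    )


def render(role, findings):
    """Render the report variant for a reader role; unknown roles are an error
    rather than a silent fallback to the most detailed output."""
    if role == "cio":
        s = executive_summary(findings)
        lines = [f"Findings: {s['total']} across {s['hosts_affected']} hosts"]
        for sev in sorted(SEVERITY_RANK, key=SEVERITY_RANK.get, reverse=True):
            lines.append(f"{sev.capitalize()}: {s['by_severity'].get(sev, 0)}")
        lines.append(f"Highest aggregate risk: {s['worst_host']}")
        return "\n".join(lines)
    if role == "remediation":
        return "\n".join(
            f"[{r['severity'].upper()}] {r['host']}: {r['title']} -> {r['fix']}"
            for r in remediation_worklist(findings)
        )
    raise ValueError(f"no report template for role {role!r}")


def feed_is_stale(last_update, today, max_age_days=7):
    """True when the scanner's plugin/signature feed is older than the
    tolerated window; a scheduled run should flag this rather than proceed
    quietly on old checks."""
    return (today - last_update).days > max_age_days


if __name__ == "__main__":
    print(render("cio", FINDINGS))
    print()
    print(render("remediation", FINDINGS))
    print()
    print("feed stale:", feed_is_stale(date(2024, 1, 1), date(2024, 1, 10)))
```

The point of keeping the two renderers separate is that the underlying data never changes; only the projection does. A scheduler can run the scan once and fan out the appropriate view to each audience, and the staleness check gives it a reason to refuse to report at all when the feed has not been updated.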
That should get you started and the tools this month can take you forward on the next steps to protecting your systems by breaking into them.