How Can Penetration Testing Help with Risk Assessment and Management?


Risk management is emerging as a necessary practice for large enterprises and SMBs alike. It is no longer enough to plug into a cloud provider, operate a few servers on-prem, install a firewall and malware protection and call it a day. Risk management is a real process that requires insight into your systems and their operations, and practices like penetration testing and vulnerability scanning can support that process.


What Is Risk Management?

In technical terms, risk management is the process of assessing, evaluating and attending to how well your organization can respond to relevant cybersecurity threats. Central to the concept of risk management is that no IT system can be completely secure against all threats, for a few reasons:

  • Limitations in technology: Not every security control or protection measure can protect against all threats, and different technologies or versions of technologies have different capabilities to prevent attacks.
  • Complex IT infrastructure: As your systems become more complex and interconnected, new and unforeseen threats naturally arise.
  • Business objectives: Your company must remain flexible, resilient and agile. Not every security configuration promotes that kind of operation, nor does every configuration fit into your logistical or cost models.
  • Compliance requirements: Beyond specific business goals, you will, depending on your industry, face the plain fact that compliance requirements must be addressed.

Risk management, therefore, is the process of analyzing your IT system to understand how different configurations and implementations introduce or mitigate your risk of attack. Accordingly, rather than expecting security engineers to build a risk-free environment, you must take a hard and informed look at what level of risk you are willing to accept in light of other factors, such as cost, business goals and other logistical questions.

To best understand their risk profile, organizations typically run risk management processes regularly: to understand how risk affects their systems, whether their level of risk has changed, and how to address or remediate changes in attack risk caused by emerging threats or by changes to technology or technical configurations.

There are several methodologies for addressing risk; perhaps the most well-known is the Risk Management Framework (RMF) defined in NIST Special Publication 800-37. Under RMF, risk management is defined as a six-step process:

  1. Identify: At this step, you identify all your relevant technical systems alongside any administrative or physical processes that could affect security. This includes all security systems, access points, user access permissions, network configurations… literally anything that could allow attackers or insider threats to compromise your systems. At this step, you will also determine the inherent risk of attack against these systems.
  2. Select: With an understanding of your system, you now select the security controls it requires. The selection of controls will depend on the types of technologies at work, any compliance obligations you have and the level of risk you are prepared to accept.
  3. Implement: At this stage, you will implement your selected controls, enact any policies or procedures around those controls and align them to your business operations and compliance standards.
  4. Assess: Create benchmarks, take measurements and observe the functioning of your implementations to determine the efficacy of both the controls and their use.
  5. Authorize: Using the reports and documentation from the previous stage, authorize IT and business leaders to make risk-based decisions informed by how the system actually operates in real time.
  6. Monitor: Continuously monitor the system in the face of evolving security threats, technical upgrades and the addition of new or different technologies. Keep making risk-based decisions so that identification, implementation and assessment continue as an ongoing cycle.

As might be expected, accurate and timely information is paramount to the effectiveness of this model. Fortunately, there are several avenues for obtaining it.


What Are Penetration Testing and Vulnerability Scanning?

System risk assessment is, depending on the complexity of a system, often a discipline unto itself. While there are several methods for assessing system vulnerability, two stand out as effective and accurate, particularly for systems handling sensitive information:

  • Vulnerability Scanning: A test, often automated, that identifies and reports existing vulnerabilities in a system and documents potential remediation steps. Scans can be scheduled regularly, and higher-quality scanners check for tens of thousands of potential security gaps derived from compliance frameworks and common best practices.
  • Penetration Testing: A human-directed test in which a professional security expert or benevolent attacker (colloquially known as a “white hat” hacker) performs simulated attacks on systems to determine their weaknesses. These tests are usually more thorough and comprehensive, covering attack surfaces outside of technical systems (for example, testing employees with phishing or social engineering alongside technical attacks). Rather than simply cataloging vulnerabilities, a tester exploits them to see how deep into a system they can get, thereby exposing weaknesses across several layers of interconnected systems.

Penetration testing is usually the more involved of the two, in that it is more structured, focused and rigorous. Additionally, a pen test will usually give you a solid picture of how connected applications, networks or devices can expose your systems to risk in unexpected ways.


Defining Risk Management Objectives with Real Insight

As mentioned above, one of the most crucial ingredients of an effective risk management practice is information. More specifically, risk management at any level calls for your organization to plan a strategy that outlines the types of risk you find acceptable, what your overall risk posture should be, how your processes, operations and technologies function within that posture, and how you plan to regularly assess and re-evaluate the strategy.

Within the RMF process, several steps involve some sort of evaluation, particularly the “Assess” step. It stands to reason, then, that your organization should have a robust assessment mechanism in place to support information gathering at any stage of your risk management process.

Penetration testing offers an in-depth look at your system, its vulnerabilities and its potential risks. With a solid penetration test, you have information on hand that provides real insight into your actual risk profile. Rather than relying on product documentation or operational reports, you get an “on the ground” view of your real vulnerabilities. That, in turn, gives you the insight needed to make risk-based decisions about your system.

Pen tests are involved, however, and not something many organizations can run frequently. They require lengthy planning, structuring and execution to produce reliable results. In the meantime, vulnerability scans can provide a more regular “finger on the pulse” of your system.

Used correctly, both vulnerability scans and penetration tests support accurate assessment, monitoring and decision making around the risk inherent in your organization, which in turn helps you make better, more informed decisions about compliance, technology implementation and configuration updates.


Make Risk Management a Part of Your Business with Continuum GRC

We understand that many businesses contribute to their industries in unique ways but may not have the time or expertise to manage cybersecurity, governance or risk on their own. That’s why Continuum GRC offers automated GRC audits and expert consulting through our custom, cloud-based ITAM system. We can help you implement state-of-the-art security practices without compromising your business operations, and turn compliance audits from costly endeavors into simple, streamlined aspects of your business.


Preparing for Risk Management and Compliance Audits?

Call Continuum GRC at 1-888-896-6207 or complete the form below. 


Continuum GRC