Security Assessments 101

“An ounce of prevention is worth a pound of cure.”

Benjamin Franklin

Security assessments are an integral part of any security program. Some are required based on a given organization’s industry, but all assessments aim to provide an understanding of gaps in a security program.

This guide breaks down the different types of assessments available, what value they provide, which ones are required, and how they overlap.

Types of Security Assessments 

Security assessments and the use of effective preventive measures are the best ways to validate the security and overall quality of your network, its infrastructure, and applications. Many security assessments are needed to boost your security posture, and some are needed to maintain compliance with governing bodies.  

Assessments help your business security in a few ways. Some of them lift your security posture and confirm that your network is secure from certain known risks.  

When considering the security of networks, it’s essential to perform the necessary assessments that help uncover weaknesses before a hacker finds them.

Assessments generally include these methodologies and evaluations:

Internal assessment

• Targeting internal assets from inside the organization
• Emulates what would happen if a malicious agent (malware, disgruntled employee, etc.) got inside your network.
• Uncovering vulnerabilities and misconfiguration on internal services/devices, network design/segmentation, identity management (e.g., Active Directory setup), endpoint protection (EDR/AV evasion, etc.)
• Attempting to escalate to Domain Admin, compromise sensitive data, etc.
• Remote testing is done by sending a bootable pen-drive. This pen-drive connects back to our secure grid, and we launch testing from that pen-drive.

A customer of an internal assessment would provide:

• Internal IP Range(s) in Scope + Pen-drive Mailing Location
• PCI Related: Delimit which IP(s) in Scope provided are part of the CDE.

External assessment

• Targeting External Assets from Public Internet
• Round of OSINT to obtain catch leaks, stolen credentials, etc.
• Uncovering Vulnerabilities & Misconfiguration on external services/devices
• Checking for security issues with Firewalls, DNS Servers, Load Balancers, etc.
• Attempting to break perimeter, obtain unauthorized access, compromise sensitive info.

A customer of an external assessment would provide:

• IP(s)/URL(s) of External Assets in Scope
• PCI Related: Delimit which IP(s) in Scope provided are part of the CDE (Cardholder Data Environment).

Application

• More In-Depth Testing of External Web Applications and their Functionalities
• Uncovering issues ranging from typical ones (XSS, SQLi, CSRF) to logic/code abuse.
• Unauthenticated / Authenticated

A customer of an application assessment might provide:

• IP(s)/URL(s) of web apps in Scope
• Credential(s) for deeper authenticated testing of desired web apps

Social Engineering

• Targeting the Employees of the Organization
• Testing phishing controls and employee social engineering education.
• Campaigns are crafted based on information gathered on organization/current events/etc.

A customer being assessed on social engineering resistance might provide:

• 30 Email Addresses
• 30 Phone Numbers
• If phone numbers are personal devices, we require a copy of your BYOD policies

---

Red Team vs. Blue Team vs. Purple Team

Red, Blue and Purple Team assessments exist to test security systems to determine your organization’s and its systems preparedness and responses against an attack. Red and Blue Team assessments differ but work towards similar goals.

When we refer to Purple Assessments it’s when the Red & Blue Teas work together.

Red Team Assessments

During a Red Team Assessment, we take a holistic, big picture look at our organization from the perspective of a would-be attacker. These assessments occur over time and result in a detailed report of all findings.

What is a Red Team Assessment?

A Red Team Assessment is when the team takes on the role of black-hat hackers to launch an attack against an organization to attempt to gain access to their systems. They are there to find the security gaps, find the backdoors and exploit the vulnerabilities.

The Red Team will research current cyberattacks and replicate all possible attacks that might hit an organization. These assessments are an integral part of understanding of attack vectors the organization may encounter.

It lets you see how real-world attackers could use a combination of what seem to be unrelated exploits to infiltrate your network. Red Team assessments are done without the organization’s staff being aware that they are undergoing an assessment.

The team running the assessments can be hired guns or staff borrowed from other departments.

Some of the assessments included are:

• Port Scanning 
• Penetration Testing 
• Vulnerability Assessments 
• Physical Security Assessments, such as card cloning and tailgating 
• Social Engineering, such as Phishing 

Red Team Assessment Benefits?

• Determining if an organization is prepared to defend against a cyber attack
• Is your security adequate in a test against people and processes
• Weeding out security vulnerabilities
• Improve response procedures effectiveness
• Risks and vulnerabilities can be addressed and mitigated
• Develop a road map for future security approaches

While all mature organizations are suggested to run Red Team Assessments, there are no current industry requirements.

Blue Team Assessments

The blue team differs from red team in a few ways.

This team responds and mitigates problems as they occur or are seen. It is responsible to regularly analyze your systems to assess the effectiveness of all the procedures, policies, and security tools in place and identify vulnerabilities. 

What is a Blue Team Assessment?

A Blue Team assessment is done within organizations with staff knowing and thereby access to systems can be given deeper dives.

Some of the assessments included are:

• Security Monitoring (Networks, devices, and systems) 
• Risk Assessment 
• Network Segmentation 
• Deploy endpoint Detection and Response Systems 
• Keep All Enterprise Software Patched and Current 
• Reverse Engineering Cyber Attack Scenarios 
• Incident Response 
• Conducting Internal and External Vulnerability Scans 
• Create, Configure and Enforce Firewall Rules 
• Post-breach to Develop Remediation Policies that Return Systems to Normal Operations 

Blue Team Assessment Benefits?

As the Blue Team conducts their mitigations during the assessments, they will note the gaps in the security operations that need to be corrected. It helps the internal team doing detection and response.

• Identify security gaps and misconfigurations in the existing security systems
• Improve security strength to better detect attacks
• Enhance breakout time
• Provide healthy competition for security teams that build cooperation among departments and teams
• Improve awareness about all risks human and systems that can create compromises in an organization’s security
• Improve the skills and maturity of an organization’s security capabilities

While it’s recommended that all mature organizations run Blue Team Assessments, there are no current industry requirements.

Purple Team Assessments 

 “Purple Team” is somewhat of a deceptive term. It’s not really a distinct team, but when pairing the red team and blue team together, it’s called a Purple Team assessment. In essence, the Purple Team loops feedback between the two teams. The goal is to maximize capabilities while getting continuous feedback and knowledge. 

What is a Purple Team Assessment?

Purple team assessment is a Red team attack that not only looks at where the gaps are in security systems, but also the organization’s response to the attack and how they perform.

Purple team assessments help the security team boost their vulnerability detection effectiveness, threat hunting, and network monitoring. 

Purple Team Assessment Benefits?

If teams debrief all stakeholders on findings following each assessment it provides all parties with a clear picture of where their security stands.

The debrief should include which assessments were run as well as their outcomes. Then the organization can close the gaps and build defenses that increase security posture overall.

---

Penetration Testing 

“Penetration Testing” and “Red Teaming” are often used interchangeably, which is inaccurate.  

Penetration Testing involves viewing a network, device, application, or physical security from the perspective of a bad actor. The goal is to discover cybersecurity vulnerabilities.  

What is Penetration Testing?

Penetration Testing or “pen test” is an emulation of what a bad actor could do when targeting an organization. Its goal is to find vulnerabilities affecting assets and find out how to leverage those to breach perimeters, obtain sensitive data, take over hosts, or cause damage.

A good penetration tester can determine: 

• Areas a hacker may target 
• How they would attack a target 
• How the target’s security would hold up 
• The scope of a possible breach 

The depth of testing can vary, from resilience against low skill “script kiddies” to professional nation-state level attackers. The scope can be adjusted to meet the organization’s needs.

Types of Penetration Test Assessments

External Pen Test

Targets external assets from the Public Internet – a real world attack assessment.

Internal Pen Test

Targets internal assets from inside the organization. This emulates what would happen if a malicious agent (malware, disgruntled employee, etc.) got inside the network. It explores scenarios such as successful phishing attacks and malicious physical media like a found USB drive that could introduce malware.

Web Application Pen Test

In-depth testing of web application(s), examination of functionality with search for vulnerabilities such as the typical ones (XSS, SQLi, CSRF) to the more complex code/logic abuse which are frequently missed by groups.

Web application tests can be performed both authenticated or unauthenticated. Generally, we recommend both.

Applications are also evaluated against frameworks such as the OWASP Top 10 which inventories common attacks on known libraries or CMS platforms, e.g. WordPress, Joomla, Drupal, et al.

Mobile Pen Test

This is the same scope as the Web Application Pen Test, but for native mobile applications that may rely on extensive API-accessible web services.

SCADA Pen Test

SCADA is a purpose-built control system for factories, power plants, utilities (such as municipal water systems), or facilities that require some level of orchestrated automation in processes and data acquisition. The systems can be complex and networked, but also may not benefit from frequent updating or security-oriented maintenance.

IoT and Hardware Pen Test

This is a test of the entire IoT ecosystem in place including web applications, mobile applications, hardware, firmware, wireless communications (Wi-Fi, Bluetooth, Zigbee) and their interactions. Exploits can often be a clever usage of two or more of these elements.

Penetration Testing Assessment Benefits

Why should you run Pen Test assessments?

Penetration Testing is an integral part of any security program. It’s still prudent to consider the benefits it may provide, and there are many. Here are a few:

• Allows prioritizing vulnerabilities
• Allows mitigating vulnerabilities
• Reveals strengths of the network
• Identifies controls that should be implemented
• Allows enforcement of security plan
• Identifies internal processes that are weak
• Improves overall security position
• Helps ensure teams are well-trained on detecting and responding to threats.

The key take away is evaluating readiness in preventing and responding to cyber threats.

Which Organizations are Required to Perform Penetration Testing Assessments?

Many industries require organizations to conduct penetration testing to maintain compliance. For example:

• health organizations
• financial institutions
• businesses accepting or processing debit/credit card payments
• infrastructure sector businesses under NERC guidelines.  

---

Threat Hunt 

After a penetration test, an organization will often move on to a Threat Hunt assessment as a Phase 2 activity. While Pen Testing is often for compliance, a threat hunt assessment provides assurance and peace of mind.   

The practice of proactively looking for threats which may be hiding undetected on a network is known as a Threat Hunt assessment.  

What are Threat Hunt Assessment Methodologies?

Conducting Threat Hunt assessments begins with the premise that adversaries are already present in assets under review. Each assessment seeks out the unusual activity that may indicate presence of malicious actor(s). There are a few categories these investigations fall into:

1. Hypothesis-Driven
2. Indicators of Attack or Compromise (IoC)
3. Advanced Analytics

Each of these combines threat intelligence with advanced tooling that proactively work to protect systems and data.

Threat Hunt Assessment Benefits?

New threats continue to challenge business security teams. Each new occurrence comes with an increase of severity and cost. Offensive, proactive approaches are the newest strategy and are proving to be more effective.

Let’s look at some of the possible benefits of threat hunting:

• Uncover security events proactively
• Enhance threat response time
• Reduce threat investigation time
• Improve threat mitigation
• Reduce false positives and the efficiency of the SOC
• Reduce damage and risk to the organization

---

Assessments Needed For Industry Compliance 

Many industries require a business to meet compliance standards by passing specific assessments. Each one has set requirements for the assessments.

1. PCI DSS Audit Assessment 

Businesses processing a threshold number of credit card sales must conduct PCI QSA Audit Assessments on their systems for compliance. Businesses with more than six million credit card transactions per year are required to undergo these assessments annually.

Who Governs It?

The PCI DSS Assessment is run by the Payment Card Industry (PCI) Data Security Standards (DSS) organization. It works with merchants and financial institutions to develop the standards for security policies, ongoing processes, and technologies that keep their systems safe and secure from the theft of cardholder information and breaches.

The PCI organization also works with vendors to help them create secure payment solutions.  

PCI DSS Assessment Benefits

Ensuring compliance with PCI DSS requirements can save a business in a few ways:

• Keep brand, reputation, and business intact
• Build trust with customers
• Meet global standards
• Keep security a priority
• Establish a baseline for other regulations
• Prevent data breaches from occurring

What’s more, businesses that don’t have a Level 1 Assessment performed by a QSA will face fines and subsequent penalties if there is a data breach.  

2. HIPAA Assessment 

Heathcare sector businesses are required to conduct security assessments to ensure they are compliant with the industry’s physical, administrative, and technical safeguards, defined under HIPAA. 

While most people know HIPAA is for doctors’ offices, medical practices, and hospitals, with the rise of telemedicine HIPAA now includes new rules that govern virtual healthcare businesses.

Who Governs It?

The Health Insurance Portability and Accountability Act governs these specific assessments. The purpose of this assessment is to keep patient data safe as it traverses multiple systems and viewers. The HIPAA assessment clarifies if the organization’s protected health information (PHI) could be vulnerable.

HIPAA Assessment Benefits

Being HIPAA compliant comes with a few benefits for the organization and executives. Here are a few:

• Protection from PHI losses
• Enhanced patient well-being awareness
• Patient safety culture development
• Improved satisfaction ratings from patients and families
• Differentiates the organization’s brand and improves its security position
• Reduces OCR liability for the organization and executives

Businesses not in compliance can be fined based on the level of negligence,  up to $1.5 million per year.  

3. SOC 2 Assessment 

For security practitioners, SOC 2 is a framework that applies to all technology services or SaaS companies that use the cloud to store their customer data. It ensures that you have controls and procedures that are effective at keeping customer data private and secure.  

Who Governs It?

SOC 2 is a voluntary assessment and was developed by the American Institute of CPAs (AICPA). It is based on a few specific Trust Services Criteria such as availability, security, processing integrity, confidentiality, and privacy. 

A SOC 2 report is usually customized to fit the requirements of your organization. There are two types of reports: 

• Type 1:  Details the systems of the business and whether the design is compliant with the related trust principle 
• Type 2:  Covers operational efficiency of the systems in place 

SOC 2 Assessment Benefits

Being SOC 2 compliant helps build trust in a brand by making information security a priority. On-site audits and maintaining strict compliance requirements ensure certain sensitive data is being properly handled.  

4. HITRUST CSF Assessment 

Healthcare organizations know that securing their applications and infrastructure is essential to their business reputation and growth.

The HITRUST CSF was derived from many other frameworks, standards, and control points such as HIPAA, NIST, OSP, PCI, FTC, HITRUST, and Corbit to address challenges in security, regulatory and privacy facing organizations. 

Who Governs It?

HITRUST made and maintains the CSF through collaboration with many information security and technology leaders.

Its creators employed a risk-based approach for healthcare businesses to respond to security, privacy, and regulatory challenges they were facing concerning HIPAA. 

The model is working well for them, and HITRUST CSF is now seen as the gold standard for HIPAA cybersecurity. 

HITRUST CSF Assessment Benefits

There are many benefits to being HITRUST CSF compliant, some of which include:

• Meeting client and customer requirements
• Audit time reduction
• Improved security posture
• Clarification of business risk and growth opportunities

In essence, the HITRUST CSF reduces risk, complexity, and cost while boosting the organization’s security posture.

5. CMMC – Cybersecurity Maturity Model Certification 

In January 2020, the US Department of Defense announced the start of the CMMC. 

This maturity model comes from a collection of best practices used to determine how organizations progress on the scale of security “maturity” and defines levels of certification and aptitude. 

The Department of Defense uses this assessment to measure their defense contractors’ capabilities, sophistication, and readiness for cybersecurity. 

Who Governs It?

The US Department of Defense implemented this assessment to standardize cybersecurity practices for the fed’s defense industrial base (DIB). 

The framework at its highest level is an amalgamation of processes, inputs, and other frameworks from existing cybersecurity standards such as NIST, DFARS, and FAR. 

CMMC Assessment Benefits

The best benefit of the CMMC Assessment compliance is the boost to:

• Controlled Unclassified Information (CUI)
• Intellectual property (IP) within the supply chain of the US Defense Industrial Base (DIB)
• Maintaining the security and safety of Federal Contract Information (FCI)

While organizations who want to continue their work with the DoD know they need to meet CMMC requirements before 2025, this is not the only reason to get certified. Certification also helps to reduce risks against cyber threats due to the cybersecurity standards, controls, nest practices that are implemented throughout the process and across several maturity levels.