Commissum

Network Vulnerability Testing

Commissum’s monthly managed vulnerability testing ensures continued network security.

With about eight thousand vulnerabilities being discovered in commercial software annually, can you really afford to wait twelve months between penetration tests? While most vulnerabilities will not affect your organisation’s infrastructure, even if one percent impacts upon your environment, you could be exposed to twenty a quarter or almost seven per month on average.

Our managed monthly scanning is designed to complement full penetration testing, following on once that CREST-level detailed test has established the impact of exploiting a vulnerability and breaching your defences.

By Way of Analogy

If your son comes in from the pub at two in the morning and leaves his keys in the door, that is a vulnerability. A vulnerability scan will find and report this, and will offer suggestions for mitigation such as “Remove his keys – but you need to get up at two in the morning to let him in”, “Install a swipe card system” or even “Kick him out of the house!”

A penetration tester, on the other hand, would go up to the door and turn the keys and handle, only to find your son had been sober enough to bolt the door from the inside; i.e. the “high” risk presented by the vulnerability has been mitigated. The tester would then take the keys and try the back door, and identify that the keys for his car are also on the key-ring, exposing this asset to theft. In other words, the vulnerabilities are assessed for potential exploitation to determine the true business impact and not just the theoretical vulnerabilities.

Our Monthly Managed Service is designed to follow on after the full penetration test has established the impact (the stolen car), and will check that the underlying vulnerability is mitigated. In the analogy above, it would show every month whether the keys were still in the door or had been removed (i.e. mitigated). It would also indicate if they returned after a period of absence. This perhaps corresponds to notification of a server that has been restored from backup and not subsequently patched, which would equate to an episode of binge drinking in the analogy.
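The month-to-month comparison described above (keys still in the door, removed, or back after a period of absence) amounts to diffing each scan against the previous one and against everything seen before. The following is an added illustration, not Commissum's own tooling; the hosts, finding identifiers and scan months are constructed placeholders.

```python
# Constructed sample: one set of findings per monthly scan, each finding keyed by
# (host, finding identifier). Identifiers are placeholders, not real findings.
MONTHLY_SCANS = {
    "2023-01": {("web01", "FINDING-0001"), ("web01", "FINDING-0002"), ("db01", "FINDING-0003")},
    "2023-02": {("web01", "FINDING-0002"), ("db01", "FINDING-0003")},
    "2023-03": {("web01", "FINDING-0001"), ("db01", "FINDING-0003"), ("fw01", "FINDING-0004")},
}


def classify_findings(scans):
    """Return {month: {finding: status}}.

    Status is 'new' (never seen before), 'persistent' (also present last month),
    'regressed' (absent last month but seen in an earlier month, e.g. a host
    restored from backup and not re-patched) or 'fixed' (present last month, gone now).
    """
    ever_seen = set()   # every finding reported in any earlier month
    previous = set()    # findings reported in the immediately preceding month
    report = {}
    for month in sorted(scans):
        current = scans[month]
        statuses = {}
        for finding in current:
            if finding in previous:
                statuses[finding] = "persistent"
            elif finding in ever_seen:
                statuses[finding] = "regressed"
            else:
                statuses[finding] = "new"
        for finding in previous - current:
            statuses[finding] = "fixed"
        report[month] = statuses
        ever_seen |= current
        previous = current
    return report


def regressions(report):
    """List (month, finding) pairs where a previously mitigated finding came back;
    these are the cases the monthly service should escalate rather than merely log."""
    return [(m, f) for m, statuses in sorted(report.items())
            for f, s in sorted(statuses.items()) if s == "regressed"]


if __name__ == "__main__":
    for month, statuses in classify_findings(MONTHLY_SCANS).items():
        for finding, status in sorted(statuses.items()):
            print(month, finding, status)
```

Feeding the function real exports (one set of (host, finding id) tuples per scan) turns a pile of monthly reports into a short list of what appeared, what was fixed and, most importantly, what came back.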

The Managed Scanning Service is an ongoing check to ensure that the keys to your critical assets have not been left on display for attackers to steal, which can happen by accident as other infrastructure changes are carried out. A recent example of a successful outcome of this approach was the discovery of data records that had become publicly exposed. This was not a problem during the penetration test; the exposure only arose after a later firewall upgrade. The scanning service discovered the issue, which was quickly resolved before it could be exploited by a malicious party.