Security assessments are an integral part of any security program. Some are required based on a given organization’s industry, but all assessments aim to provide an understanding of gaps in a security program.
This guide breaks down the different types of assessments available, what value they provide, which ones are required, and how they overlap.
Types of Security Assessments
Security assessments and the use of effective preventive measures are the best ways to validate the security and overall quality of your network, its infrastructure, and applications. Many security assessments are needed to boost your security posture, and some are needed to maintain compliance with governing bodies.
Assessments help your business's security in a few ways: some raise your security posture, and some confirm that your network is protected against specific known risks.
When considering the security of networks, it’s essential to perform the necessary assessments that help uncover weaknesses before a hacker finds them.
Assessments generally include these methodologies and evaluations:
Internal assessment
- Targets internal assets from inside the organization
- Emulates what would happen if a malicious agent (malware, a disgruntled employee, etc.) got inside your network
- Uncovers vulnerabilities and misconfigurations in internal services/devices, network design/segmentation, identity management (e.g., Active Directory setup), and endpoint protection (EDR/AV evasion, etc.)
- Attempts to escalate to Domain Admin, compromise sensitive data, etc.
- Remote testing is done by mailing a bootable pen-drive; the pen-drive connects back to our secure grid, and we launch the testing from it.
A customer of an internal assessment would provide:
- Internal IP Range(s) in Scope + Pen-drive Mailing Location
- PCI related: indicate which of the in-scope IP(s) are part of the Cardholder Data Environment (CDE).
External assessment
- Targeting External Assets from Public Internet
- A round of OSINT to catch leaks, stolen credentials, etc.
- Uncovering vulnerabilities and misconfigurations in external services/devices
- Checking for security issues with firewalls, DNS servers, load balancers, etc.
- Attempting to breach the perimeter, obtain unauthorized access, and compromise sensitive information.
A customer of an external assessment would provide:
- IP(s)/URL(s) of External Assets in Scope
- PCI Related: Delimit which IP(s) in Scope provided are part of the CDE (Cardholder Data Environment).
Application
- More In-Depth Testing of External Web Applications and their Functionalities
- Uncovering issues ranging from typical ones (XSS, SQLi, CSRF) to logic/code abuse.
- Unauthenticated and authenticated testing
A customer of an application assessment might provide:
- IP(s)/URL(s) of web apps in Scope
- Credential(s) for deeper authenticated testing of desired web apps
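As an added illustration (not part of the original article or of NCI's own tooling) of the kind of "typical" issue an application assessment looks for, the following Python shows a login query and an HTML greeting in their vulnerable and hardened forms. The in-memory SQLite database, the user rows and the helper names are constructed for the example.

```python
import html
import sqlite3


def build_db():
    """Constructed sample database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """SQL injection: user input is pasted into the SQL text, so quotes in the
    input change the structure of the query instead of being treated as data."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: the driver binds the values, so the input can never
    be parsed as SQL. This is the fix an assessment report would recommend."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def render_greeting_vulnerable(name):
    """Reflected XSS: untrusted text is written straight into HTML."""
    return f"<p>Welcome, {name}!</p>"


def render_greeting_hardened(name):
    """Output encoding: special characters are escaped before reaching the page."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


def compare_logins(conn, username, crafted_password):
    """Run the same input through both versions so the difference is visible.
    Returns (result_from_vulnerable, result_from_hardened)."""
    return (
        login_vulnerable(conn, username, crafted_password),
        login_hardened(conn, username, crafted_password),
    )


if __name__ == "__main__":
    db = build_db()
    # A password value containing a quote, a classic assessment test input.
    print(compare_logins(db, "alice", "' OR '1'='1"))
    print(render_greeting_vulnerable("<b>x</b>"))
    print(render_greeting_hardened("<b>x</b>"))
```

The hardened login returns `None` for the crafted input because the whole string is compared as a password value, whereas the vulnerable version's query structure is altered and it returns a user without a valid password; the same "data, not code" principle is what `html.escape` applies to the HTML output.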
Social Engineering
- Targeting the Employees of the Organization
- Testing phishing controls and employee social engineering education.
- Campaigns are crafted based on information gathered on organization/current events/etc.
A customer being assessed on social engineering resistance might provide:
- 30 Email Addresses
- 30 Phone Numbers
- If the phone numbers belong to personal devices, we require a copy of your BYOD policies
Red Team vs. Blue Team vs. Purple Team
Red, Blue and Purple Team assessments exist to test security systems and determine how prepared your organization and its systems are to respond to an attack. Red and Blue Team assessments differ but work towards similar goals.
A Purple Team assessment is one in which the Red and Blue Teams work together.
Red Team Assessments
During a Red Team Assessment, we take a holistic, big-picture look at your organization from the perspective of a would-be attacker. These assessments occur over time and result in a detailed report of all findings.
What is a Red Team Assessment?
A Red Team Assessment is when the team takes on the role of black-hat hackers to launch an attack against an organization to attempt to gain access to their systems. They are there to find the security gaps, find the backdoors and exploit the vulnerabilities.
The Red Team will research current cyberattacks and replicate all possible attacks that might hit an organization. These assessments are an integral part of understanding the attack vectors the organization may encounter.
It lets you see how real-world attackers could use a combination of what seem to be unrelated exploits to infiltrate your network. Red Team assessments are done without the organization’s staff being aware that they are undergoing an assessment.
The team running the assessments can be hired guns or staff borrowed from other departments.
Some of the assessments included are:
- Port Scanning
- Penetration Testing
- Vulnerability Assessments
- Physical Security Assessments, such as card cloning and tailgating
- Social Engineering, such as Phishing
Red Team Assessment Benefits
- Determines whether an organization is prepared to defend against a cyber attack
- Tests whether your security is adequate against people and processes
- Weeds out security vulnerabilities
- Improves the effectiveness of response procedures
- Lets risks and vulnerabilities be addressed and mitigated
- Develops a road map for future security approaches
While it is recommended that all mature organizations run Red Team Assessments, there are no current industry requirements.
Blue Team Assessments
The Blue Team differs from the Red Team in a few ways.
This team responds to and mitigates problems as they occur or are seen. It is responsible for regularly analyzing your systems to assess the effectiveness of all the procedures, policies, and security tools in place and to identify vulnerabilities.
What is a Blue Team Assessment?
A Blue Team assessment is done within the organization with staff aware of it, so access to systems can be granted for deeper dives.
Some of the assessments included are:
- Security monitoring (networks, devices, and systems)
- Risk assessment
- Network segmentation
- Deploying endpoint detection and response (EDR) systems
- Keeping all enterprise software patched and current
- Reverse engineering cyber attack scenarios
- Incident response
- Conducting internal and external vulnerability scans
- Creating, configuring and enforcing firewall rules
- Developing post-breach remediation policies that return systems to normal operations
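The security monitoring and incident response items above are where Blue Team work becomes concrete detection logic. As an added example, not from the original article or NCI's own tooling, the following Python parses constructed sshd-style log lines and flags a source address that produces a burst of failed logins inside a short window. The log lines, hostnames, addresses, thresholds and function names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in syslog/sshd style (not from any real system).
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Mar 10 08:00:03 host1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40213 ssh2
Mar 10 08:00:04 host1 sshd[1201]: Failed password for root from 198.51.100.7 port 40214 ssh2
Mar 10 08:00:06 host1 sshd[1201]: Failed password for root from 198.51.100.7 port 40215 ssh2
Mar 10 08:00:08 host1 sshd[1201]: Failed password for root from 198.51.100.7 port 40216 ssh2
Mar 10 08:01:12 host1 sshd[1202]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Mar 10 08:30:00 host1 sshd[1203]: Failed password for bob from 192.0.2.11 port 51001 ssh2
Mar 10 09:30:00 host1 sshd[1204]: Failed password for bob from 192.0.2.11 port 51002 ssh2
"""

# Matches the timestamp, outcome, user name and source address of an sshd
# password-authentication line; "invalid user" is optional prefix text.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2024):
    """Turn raw log text into (timestamp, result, user, ip) tuples.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not auth events are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: max_failures_in_window} for every source address that
    produced at least `threshold` failed logins within any sliding `window`."""
    failures_by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures_by_ip[ip].append(ts)

    alerts = {}
    for ip, times in failures_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, count in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(f"possible brute force from {ip}: {count} failures within one minute")
```

Two isolated failures an hour apart from the second address are not flagged, which is the point of using a sliding window rather than a plain count; tuning `threshold` and `window` against real baseline traffic is what separates a useful alert from noise.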
Blue Team Assessment Benefits
As the Blue Team carries out mitigations during the assessment, it notes the gaps in security operations that need to be corrected. This helps the internal team responsible for detection and response.
- Identify security gaps and misconfigurations in the existing security systems
- Improve security strength to better detect attacks
- Improve breakout time
- Provide healthy competition for security teams that builds cooperation among departments and teams
- Improve awareness of all risks, human and system, that could compromise an organization's security
- Improve the skills and maturity of an organization's security capabilities
While it’s recommended that all mature organizations run Blue Team Assessments, there are no current industry requirements.
Purple Team Assessments
“Purple Team” is a somewhat misleading term. It's not really a distinct team: when the Red Team and Blue Team are paired together, the exercise is called a Purple Team assessment. In essence, the Purple Team loops feedback between the two teams. The goal is to maximize capabilities while getting continuous feedback and knowledge.
What is a Purple Team Assessment?
A Purple Team assessment is a Red Team attack that looks not only at where the gaps in security systems are, but also at how the organization responds to the attack and how well it performs.
Purple team assessments help the security team boost their vulnerability detection effectiveness, threat hunting, and network monitoring.
Purple Team Assessment Benefits?
If the teams debrief all stakeholders on the findings after each assessment, every party gets a clear picture of where their security stands.
The debrief should include which assessments were run as well as their outcomes. The organization can then close the gaps and build defenses that raise its security posture overall.
Who is NCI, and how can we help?
If you are looking for a proven IT service provider, Network Connections has all the solutions you're looking for. We offer your business managed IT services, mobile or remote workplace, Microsoft cloud services, managed cybersecurity, and hosted VoIP solutions.
Contact us today, and find out how we can help your business.