The document discusses the key differences between vulnerability assessments and penetration tests, outlining when and how organizations should implement these assessments based on risk evaluation. It emphasizes the importance of understanding inherent risks and establishing a risk appetite to determine appropriate mitigation measures, including the use of third-party assessments. Additionally, it details the processes and methodologies involved in conducting both types of assessments, highlighting the objectives and deliverables for each.

1. AWA INTERNATIONAL
WHEN TO IMPLEMENT A VULNERABILITY
ASSESSMENT OR PENETRATION TEST:
A DISCUSSION IN THE KEY DIFFERENCES IN THE TWO TYPES OF
ASSESSMENTS AND GUIDANCE ON WHEN IS THE PROPER TIME TO
IMPLEMENT THESE THIRD-PARTY ASSESSMENTS BASED ON RISK
JANUARY 25TH, 2021
1

2. Table of Contents
■ How to Evaluate Risk?
■ What is a Vulnerability Assessment?
■ What is a Penetration Test?
■ Key Differences
■ When to implement?
2

3. 3
AWA is a division of IS Partners, LLC
▪ IS Partners has been In business since
2005
▪ Founded by former Big 4 auditors
▪ CPA firm registered with AICPA and
PCAOB
▪ Focus on Control Assessments
including:
▪ SOC Audits
▪ HITRUST Certification
▪ SSAE21

4. 4
AWA is a division of IS Partners, LLC
Focus on technology and technical
assessments including:
▪ PCI DSS Assessments
▪ Security Framework Assessments
(ISO27001, NIST, FISMA)
▪ Penetration Testing and
Vulnerability Assessments
▪ HIPAA Assessments
▪ Security Risk Assessments
▪ Cloud Security Assessments

5. T. Anthony Jones; MBA, QSA, CISA & CISM
Partner and the leader of AWA with more than 25
years’ of Audit and Security Experience.
Anthony has over 25 years of experience and has
worked with a variety of industries. Anthony has
extensive knowledge in IT consulting: he is also a
Certified Information Systems Auditor (CISA),
Certified Information Systems Manager (CISM),
Qualified Security Assessor (QSA), and Certified ISO/
IEC 27001 Lead Auditor designation holder with the
expert ability to accurately understand risk and offer
alternatives to current situations, develop actions
plans and cultivate longstanding client relationships.
5

6. Michael Mariano; HITRUST CCSFP
Michael is the Chief Information
Security Officer at IS Partners as well as
the leader of the penetration testing
practice for AWA International.
Michael has 15+ years’ experience in
internal IT operations with 7
years being involved in various levels of
IT auditing with experience with PCI
DSS, SOC 2, HITRUST CSF, Risk
Assessments and experience working
with Security Frameworks (such as ISO
and NIST).
6

7. JOSEPH CIANCIMINO: CISA
Joseph is a Manager in the IS Partners SOC
practice, providing clients with SOC 1/SOC 2
audit services, as well as other various IT
audit and consulting services.
Joseph has over 6 years’ experience
servicing clients in the Insurance, Banking,
Manufacturing & Distribution, Energy &
Utilities, and Financial Services industries.
7

8. Establishing a process for
evaluating risk
■ Establishing a risk
methodology is a key step
for many organizations to
develop an understanding
of the key risks their
organization is facing
■ Evaluation of likelihood and
impact of risk, using a
quantitative or qualitative
approach
8

9. Risk Assessment Process -
Methodology
9
Qualitative
Subjective measurements of
risk
Use variables such as: Low,
Medium, High
Quantitative
Objective measurements of
risk
Use numbering scheme
based on definitions set in
the Risk Management
methodology

10. Risk Assessment Process -
Identification
10
Inherent Risks
Before determining if a vulnerability assessment or penetration test is
the right choice for your organization, you will need to evaluate what
types of inherent risk your organization is facing:
Operational Risks
Financial Risks
Compliance Risks
Fraud Risks
Cybersecurity Risks

11. Risk Assessment Process -
Analysis
11
Mitigating Inherent Risk
With various types of risk at play – mitigating risk is a key responsibility for
senior management at many organizations.
Internal Controls for mitigation of risk come in many different forms:
• Intrusion Prevention Systems
• Firewalls
Preventative
Controls
• Monthly reconciliations
• Budget to Actual Comparisons
Detective
Controls
• Auto-correcting fields during data input
• Real-time replication for Disaster Recovery
Corrective
Controls

12. Risk Assessment Process -
Evaluation
12
Mitigating Inherent Risk
After evaluating the inherent risks your organization faces and the
controls in place to mitigate those risks, you are left with either a
qualitative or quantitative calculation of your residual risk.
Residual risk is the “risk remaining after risk treatment” (ISO
31000:2018)
But how much residual risk are you comfortable with accepting?

13. Risk Assessment Process –
Evaluation
13
Risk Appetite
Establishing internal guidelines for the acceptance of risk
helps establish a balance between supporting the business
needs and establishing controls for the prevention of risk.
By defining your organization’s risk appetite, you can help
meet that balance and establish an understanding to identify
when additional controls may be needed.

14. Risk Assessment Process -
Evaluation
14
Emerging Risks
The Information Systems Audit and Control Association (ISACA)
published its 2020 “State of Enterprise Risk Management”
report.
Key findings indicated that 29% of executives surveyed believe
Cybersecurity risk to the largest emerging risk area facing
organizations today.
Findings also indicated that 41% of executives surveyed believe
that Cybersecurity risk is difficult/very difficult to measure and
quantify.

15. Risk Assessment Process -
Evaluation
15
How to address residual and
emerging risks
If you’re in a position where you’re still facing residual and emerging
risks, and need additional mitigating measures, third-party assessments
often serve as a tool for additional mitigation to help reduce risk to
acceptable levels.
Two types of third-party assessments to help reduce Cybersecurity risk
include:
• Vulnerability Assessments
• Penetration Tests
But what are vulnerability assessments and penetration tests?

16. Major Hacks in 2020
Peekaboo Moments – January 2020 – Unsecured Database
Fifth Third Bank – February 2020 – Disgruntled Employee
MGM Resorts – February 2020 - Unauthorized Cloud Access
U.S. Marshals – May 2020 – Server Vulnerability
Cognizant – June 2020 – Ransomware
Ancestry.com – July 2020 – Unsecured Database
Instagram, TikTok & Youtube – August 2020 – Unsecured Database
Imperium Health – September 2020 - Phishing Attack
Pfizer – October 2020 – Misconfigured Cloud Database
Expedia, Hotels.com & Booking.com – November 2020 – Unsecured Database
16

17. Vulnerability Assessment
A vulnerability assessment is a
structured, point in time, review of
security weaknesses in an information
system that rates these weaknesses
based on severity levels.
17

18. Penetration Testing
A penetration test is an authorized, point
in time, simulation of a cyber attack
against a computer system with a goal of
identifying and exploiting vulnerabilities
in the computer systems, policies and
procedures surrounding the systems,
and people managing the systems.
18

19. ■ Vulnerability assessments find and measure vulnerabilities where a
penetration test will find, measure, and exploit the vulnerability to
discover the depth of vulnerability. This exploitation can lead to the
discovery of additional vulnerabilities that a vulnerability scan cannot
identify.
■ The testing phase of a vulnerability assessment takes minutes or hours,
but in a penetration test, takes days.
■ Vulnerability assessments are designed to be passive where a
penetration test can be as aggressive as your security controls allow.
19

20. VULNERABILITY ASSESSMENTS
20

21. Types of Vulnerability Assessments
■ External Vulnerability Assessment
– Public IP Space
– Publicly Accessible Sites
– VPNs
■ Internal Network Vulnerability Assessment
– Hosts (Servers, Workstations)
– Network Equipment (Routers, Switches, Firewalls, WIFI)
– Other (Phones, Printers, Cameras, Card Readers, IoT Devices)
■ Web Application Vulnerability Assessment
– Dynamic (Functioning Applications)
– Static (Code Review)
■ And more!
21

22. Steps to preform a Vulnerability Assessment
1. Determine Scope
– Entire Physical Sites, Specific Networks, Single Application, etc.?
2. Scan Assets
– Vulnerability Scanning Software
3. Analysis and Report Results
– Rate criticality of vulnerabilities
– Suggest remediation actions
4. Remediate Issues
5. Repeat
22

23. 23

24. How to use a Vulnerability Assessment
A vulnerability assessment should be part of
your companies Vulnerability Management
Program and used to track and prioritize the
vulnerabilities in your companies
Information Systems over a period of time.
24

25. Vulnerability Assessment Deliverables
25
Executive Summary (2-3 pages)
• PDF Document
• Date, Scope, Approach of
Assessment
• Number of vulnerabilities
across entire scope
Technical Report (50+ pages)
• Excel document of scanner
results
• Complete breakdown of
each vulnerability
• Remediation Suggestions

26. Vulnerability Classification
26
■ All publicly known vulnerabilities are cataloged on the
National Vulnerability Database (NVD) as Common
Vulnerabilities Exposure (CVE).
– https://nvd.nist.gov
■ CVE Details is a website which gathers CVE data from NVD
and several other prominent sources.
– https://www.cvedetails.com
■ CVE criticality is graded using the Common Vulnerability
Scoring System (CVSS) which is used to create a Base,
Temporal, and Environmental Score.

27. Common Vulnerability Scoring
System (CVSS) Explained
27
CVSS v1 (2005) – We don’t talk about version 1.
CVSS v2 (2007) – Risk Based and widely adopted but required too much
knowledge of the attack vulnerability to be practical.
CVSS v3 (2015) – Risk Based and aimed to more accurately reflected the reality of
the vulnerability in the real world.
CVSS v3.1 (2019) – Severity based and aimed to improve clarity of concepts

28. Common Vulnerability Scoring
System (CVSS) Explained
28
■ Base Score
– Static unchanging components of a vulnerability
– Does not change overtime
■ Environmental Score
– Based on specific environment the vulnerability is
found.
– Business Criticality vs Compensating Control
■ Temporal Score
– Based on ease of exploitation and vendor patching.
■ When a vendor patch is released, the score goes down.
■ When an exploit code is released, the score goes up

29. Common Vulnerability Scoring
System (CVSS) Explained
29

30. Penetration Testing
An authorized simulation of a cyber attack against a
computer system with a goal of identifying vulnerabilities in
the computer systems, policies and procedures surrounding
the systems, and people managing the systems.
■ Also known as a “Pen Test” or “Ethical Hacking”
■ Utilizes a phased based methodology
■ Point in time assessment
30

31. Types of Penetration Tests
Infrastructure
■ Internal Network
■ External IP Space
■ WIFI
31
Application
■ Windows Mac Software
■ Web Application
■ Mobile Application
Physical
■ Secure Facilities
Penetration Tests are scenario based
Black Box
As an attacker with zero
knowledge.
Grey Box
As an attacker with some
knowledge.
White Box
As an attacker with
complete knowledge.
Social
■ Phishing
■ Vishing

32. Testing Layers of Security
32
■ External Layer
■ Internal Layer
■ Application Layer
■ People Layer

33. Penetration Testing Frameworks
33

34. The phases of a Penetration Test
Phase 0 – Planning Authorization
Phase 1 – Information Gathering
Phase 2 – Vulnerability Detection
Phase 3 – Exploitation
Phase 4 – Reporting
Post Testing – Remediation Verification
34

35. Phase 0
■ Scope and timing finalized
■ Contracts are signed
■ Rules of Engagement completed
35
Planning Authorization

36. Phase 0 - Continued
Establishes:
■ Permission
■ Type of Testing
■ Scope & Timing
■ Sensitive Data Handling
■ Points of Contact
36
Rules of Engagement

37. Phase 1
37
Information Gathering
Open-Source Intelligence Gathering

38. Phase 2
38
Vulnerability Detection
▪ Host detection
▪ Security detection
▪ Port scanning
▪ Vulnerability scanning
▪ Vulnerability classification

39. Phase 3
39
Exploitation
▪ Vulnerability Verification
▪ False Positive Elimination
▪ If Exploitation is possible
▪ Establish access to system or resource
▪ Attempt to pivot to additional systems

40. 40
Executive Summary (2-3 pages)
• PDF Document
• Date, Scope, Approach of
Assessment
• Number of vulnerabilities
across entire scope
Technical Report (50+ pages)
• Excel document of scanner
results
• Complete breakdown of
each vulnerability
• Remediation Suggestions
Phase 4
Reporting
Attack Narrative (50+ pages)
• PDF Document
• Set by step narrative of the
attack

41. Post Testing
41
Third Party Remediation Verification
▪ Up to 60-days after report delivery
▪ Retesting of all vulnerabilities identified
during testing.

42. Questions and Answers
■ Please send any Risk Assessment,
Vulnerability Assessment, or Penetration
Testing related questions from this
presentation
■ If you think of a question after our
webinar, please email us at:
info@ispartnersllc.com
42