Many businesses today must meet a compliance standard such as PCI, HIPAA, SOX, ISO, or GDPR. To comply with these standards, you will need to engage a third-party auditing firm for an external and internal vulnerability assessment. Par3.IT has years of experience both performing these assessments and remediating their findings, and we can tell you that not all security assessments are the same. So, when looking for a third-party auditing firm, ask the following questions:
Will they perform Black Hat or White Hat testing? Most auditors will ask you to “whitelist” their IP address or disable your Intrusion Prevention System so that they can perform their test (this is known as “White Hat” testing). But what are their findings worth if your primary defenses are down? On the other hand, “Black Hat” testing is done without any changes to your security, so the test more closely simulates how a cyber criminal would see your network. Auditors will complain that this method of testing is stopped quickly by modern Intrusion Prevention Systems and therefore provides little value. If feasible, consider running both a Black Hat and a White Hat test.
Do they assess the full subnet or just known hosts? Sometimes the auditor will request a list of host IP addresses to scan. This saves them time on the front end, but then they really aren’t doing their job. What if the list is incomplete or inaccurate? The auditor should scan the full subnet to make sure no hosts are inadvertently missed.
Will they assess all ports or just well-known ones? To reduce the scan time, the auditor may decide to audit only “well known” ports such as HTTP, FTP, SSL, etc. There are 1024 “well known” ports, but there are a total of 65,536 possible ports. If they scan only the “well known” ports, they may miss malware and unauthorized services that hide outside of the “well known” range.
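The two scope questions above (host list versus full subnet, well-known ports versus all 65,536) can be checked against your own asset inventory before you sign. The following is an added example, not Par3.IT code; the inventory, subnet and host list are constructed for illustration.

```python
import ipaddress

# Constructed inventory of what is actually listening on the network:
# host -> set of open TCP ports. Not taken from any real environment.
INVENTORY = {
    "192.168.10.5": {22, 80, 443},          # web server
    "192.168.10.17": {445, 3389},           # Windows file/RDP server
    "192.168.10.42": {8443, 31337},         # forgotten appliance, unknown high-port listener
    "192.168.10.200": {631, 9100},          # network printer
}

WELL_KNOWN_MAX = 1023    # "well known" range is 0-1023 (1024 ports)
ALL_PORTS_MAX = 65535    # full range is 0-65535 (65,536 ports)


def scope_from_subnet(cidr):
    """Every usable host address in the subnet, i.e. what a full-subnet scan covers."""
    return {str(h) for h in ipaddress.ip_network(cidr).hosts()}


def missed_services(inventory, hosts_in_scope, max_port):
    """(host, port) pairs a scan limited to hosts_in_scope and ports <= max_port would never see."""
    missed = []
    for host, ports in inventory.items():
        for port in sorted(ports):
            if host not in hosts_in_scope or port > max_port:
                missed.append((host, port))
    return missed


def compare_scopes(inventory, known_hosts, cidr):
    """Coverage gap for three proposed scan scopes, from narrowest to broadest."""
    subnet_hosts = scope_from_subnet(cidr)
    return {
        "known_hosts+well_known": missed_services(inventory, set(known_hosts), WELL_KNOWN_MAX),
        "full_subnet+well_known": missed_services(inventory, subnet_hosts, WELL_KNOWN_MAX),
        "full_subnet+all_ports": missed_services(inventory, subnet_hosts, ALL_PORTS_MAX),
    }


if __name__ == "__main__":
    # Constructed "known hosts" list handed to the auditor; it omits two live devices.
    known = ["192.168.10.5", "192.168.10.17"]
    for name, missed in compare_scopes(INVENTORY, known, "192.168.10.0/24").items():
        print(f"{name}: {len(missed)} listening service(s) never scanned -> {missed}")
```

Only the full-subnet, all-ports scope reports zero missed services; the host-list plus well-known-ports scope misses every service on the two unlisted devices as well as RDP on a listed one.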
Will they assess all devices or just PCs and servers? Auditors with limited tools may only be able to scan Windows-based PCs and servers successfully. Make sure your auditor is capable of scanning and identifying all device types (PCs, servers, switches, routers, WAPs, printers, etc.) and operating systems (Windows, Linux, Mac, VMware, Xen, etc.).
So not all audits are equal. Before signing an engagement, make sure you know the details of the services provided. You may win the compliance battle by showing off your auditor’s report, but lose the cybercrime war if that report is built on less than comprehensive results.