Vulnerability & Patch Management Metrics: Top 10 KPIs

The top 10 vulnerability management metrics you should be measuring include:

  1. Average Time To Action
  2. Mean Time To Remediation
  3. Risk Score
  4. Accepted Risk Score
  5. Average Vulnerability Age
  6. Internal Vs External Exposure
  7. Rate Of Recurrence
  8. Total Risk Remediated
  9. Asset Inventory/Coverage
  10. Service Level Agreement (SLA)


Reporting the results from vulnerability scanning without a set of clearly defined metrics is an issue many organizations face today.

Presenting vulnerability reports to senior management without key metrics will also limit your ability to effectively communicate the overall risk of your organization.


Faulty reporting of vulnerability metrics not only creates blind spots for your security and infrastructure team, but your executive leadership and stakeholders will not understand the true value of the vulnerability program and will question the return on this security investment.

In this article, we will help you identify and define the top key metrics that your organization can implement to track the progress and state of your vulnerability and patch management programs.

We will also discuss the differences between KPIs and demonstrate how PurpleSec can help you measure and report on successes.

Let’s now take a look at why vulnerability metrics are critical to your program.

Why Vulnerability Metrics Are Critical To Program Success

Vulnerability metrics are critical to the successful measurement of your vulnerability management program.

They measure the status of your remediation strategy and patching effectiveness.

Without a consistent system of reporting the status of your program, the likelihood of exposure to a data breach increases as reported in recent breach statistics.

When considering which metrics to report, the approach should not be to simply gather statistics and charts; it should focus on prioritizing remediation efforts on your most critical systems and applications.

Gathering the right metrics for your organization will take careful planning by your IT and security teams.

This can be accomplished by understanding the importance of gathering metrics.

Note the following four areas that can help you get started:

Risk Awareness

Metrics quantify the state of risk of your organization into a format your teams and stakeholders can understand.

The right metrics can also elevate risk awareness and understanding for your business leaders to support the vulnerability management program.

Planning

A consistent program for gathering metrics can help your organization plan for reducing risk each time a new application or system is introduced into the environment.

This approach can also evaluate if business objectives are met and if additional resources are required.

Audits

If metric reporting is already an established process of your vulnerability program, your internal or third-party audits will more than likely result in success.

NIST and CMMC compliance requirements can help you identify weaknesses in your vulnerability program.

Resource Allocation

Metrics can help pinpoint areas of risk within key business applications or at the development stage.

Once identified, your leadership teams can determine where and if additional resources are needed to reduce risk or close gaps within the system.

Top 10 Vulnerability And Patch Management Metrics

Depending on the type of vulnerability scanner, a few of these metrics may already be pre-built into the reporting engine.

If you choose to customize your report, review the context of each metric and select as needed to fit your organization’s needs.

1. Average Time To Action

This important metric reveals how quickly your team acts on the results of the reported vulnerabilities.

This metric should be consistently low since the security team is accountable for delivering the message and action plans for remediation to business owners.

2. Mean Time To Remediation

Mean time to remediation should be based on a documented SLA defined in your Vulnerability Management Policy.

The severity of the vulnerability should have a corresponding relative or an absolute period of time for planning and remediation.

3. Risk Score

This value is usually automatically calculated from the vulnerability report. This score illustrates the cumulative risk of your vulnerabilities per severity level, i.e. Critical, High, or Medium.

4. Accepted Risk Score

If your organization decides not to patch a specific vulnerability or group of vulnerabilities within a specified time period, this is an acceptance of risk.

Acceptance of risk should be tracked, scored, and reported to help the organization understand the potential for exposure and the risk that has been accepted.

5. Average Vulnerability Age

The vulnerability age is the number of days since a vulnerability was publicly disclosed. Tracking this metric will help your organization create remediation plans that align with your SLA.

6. Internal Vs External Exposure

Your external, internet-facing applications are inherently more exposed to outside threats than internal ones. An organization should have separate scanners for each environment.

Although external scans have high priority, internal scans should be prioritized as well, because the possibility of a threat actor entering your network and exploiting an internal weakness is always present.

7. Rate Of Recurrence

A remediated vulnerability that returns on the same or different asset may indicate a problem with the baseline configuration or lack thereof.

Tracking this metric continuously will enable your infrastructure teams to closely review process errors or system configuration issues.

8. Total Risk Remediated

Total risk remediated is a key metric that illustrates the effectiveness of your vulnerability management program to your IT and executive management teams.

When your total risk remediation is trending upward continuously, this may demonstrate to your business stakeholders the effectiveness of your security investment.

9. Asset Inventory/Coverage

This metric identifies the number of assets that should be patched. The vulnerability management tool should have auto discovery functionality to detect new systems on the network.

Tracking this metric will help you identify how your environment is trending, or if new assets are added and serviced by a ticketing or inventory system.

10. Service Level Agreement (SLA)

The Service Level Agreement determines when a patch is expected to be remediated. This value should be documented within your vulnerability management policy.

This metric is the baseline tracker for remediation: e.g., zero-day attacks may require immediate remediation, while a Critical severity finding may have a duration of 7 days.

SLA values may also depend on the priority of the asset, per your organization’s needs.
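As an added example (not code from the article or from the PurpleSec platform), the following Python script computes all ten metrics above from a scanner-style findings export. The SLA days and risk weights are assumed policy values, and the finding records, asset register and report date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Assumed policy values (not from the article): remediation SLA in days and a
# risk weight per severity used to roll findings up into a risk score.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}
RISK_WEIGHT = {"Critical": 10, "High": 7, "Medium": 4}

@dataclass
class Finding:
    asset: str
    check_id: str                      # scanner check id (constructed, not a CVE id)
    severity: str
    exposure: str                      # "external" (internet-facing) or "internal"
    disclosed: date                    # public disclosure date of the flaw
    detected: date                     # first seen by the scanner
    actioned: Optional[date] = None    # ticket opened / owner notified
    remediated: Optional[date] = None  # verified fixed
    accepted: bool = False             # risk formally accepted instead of patched
    recurrence: bool = False           # previously remediated, now seen again

D = date.fromisoformat
TODAY = D("2024-03-31")                                            # report date (constructed)
INVENTORY = ["web-01", "db-01", "app-02", "vpn-01", "files-01"]    # asset register (constructed)
FINDINGS = [  # constructed sample export, not real scan data
    Finding("web-01", "chk-1001", "Critical", "external", D("2024-01-10"), D("2024-03-01"), D("2024-03-02"), D("2024-03-06")),
    Finding("web-01", "chk-1002", "High", "external", D("2024-02-01"), D("2024-03-01"), D("2024-03-04")),
    Finding("db-01", "chk-1003", "Critical", "internal", D("2023-12-01"), D("2024-03-10"), D("2024-03-11")),
    Finding("app-02", "chk-1004", "Medium", "internal", D("2024-01-20"), D("2024-02-01"), D("2024-02-10"), accepted=True),
    Finding("app-02", "chk-1005", "High", "internal", D("2024-01-05"), D("2024-02-15"), D("2024-02-16"), D("2024-03-25"), recurrence=True),
    Finding("vpn-01", "chk-1006", "Medium", "external", D("2024-03-01"), D("2024-03-20")),
]

def is_open(f):
    return f.remediated is None and not f.accepted

def average_time_to_action(findings):  # 1: days from detection to owner notification
    return mean((f.actioned - f.detected).days for f in findings if f.actioned)

def mean_time_to_remediation(findings):  # 2: days from detection to verified fix
    return mean((f.remediated - f.detected).days for f in findings if f.remediated)

def risk_score(findings):  # 3: cumulative open risk per severity level
    score = {}
    for f in filter(is_open, findings):
        score[f.severity] = score.get(f.severity, 0) + RISK_WEIGHT[f.severity]
    return score

def accepted_risk_score(findings):  # 4: risk the business chose to carry
    return sum(RISK_WEIGHT[f.severity] for f in findings if f.accepted)

def average_vulnerability_age(findings, today=TODAY):  # 5: days since public disclosure
    return mean((today - f.disclosed).days for f in filter(is_open, findings))

def exposure_counts(findings):  # 6: open findings by internal vs external exposure
    counts = {"external": 0, "internal": 0}
    for f in filter(is_open, findings):
        counts[f.exposure] += 1
    return counts

def rate_of_recurrence(findings):  # 7: share of findings that came back after a fix
    return round(sum(f.recurrence for f in findings) / len(findings), 3)

def total_risk_remediated(findings):  # 8: weighted risk closed so far
    return sum(RISK_WEIGHT[f.severity] for f in findings if f.remediated)

def asset_coverage(findings, inventory=INVENTORY):  # 9: share of the register that was scanned
    return round(len({f.asset for f in findings} & set(inventory)) / len(inventory), 3)

def sla_status(findings, today=TODAY):  # 10: compliance ratio and breached check ids
    """Open findings are measured against today; accepted risks are excluded."""
    breached, considered = [], 0
    for f in findings:
        if f.accepted:
            continue
        considered += 1
        if ((f.remediated or today) - f.detected).days > SLA_DAYS[f.severity]:
            breached.append(f.check_id)
    return round(1 - len(breached) / considered, 3), breached

if __name__ == "__main__":
    print("SLA compliance, breaches:", sla_status(FINDINGS))
    for fn in (average_time_to_action, mean_time_to_remediation, risk_score, accepted_risk_score,
               average_vulnerability_age, exposure_counts, rate_of_recurrence, total_risk_remediated, asset_coverage):
        print(f"{fn.__name__:28}", fn(FINDINGS))
```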

Less Important KPIs

The following metrics provide useful data on detection times, severity detail, and quantity of vulnerabilities.

They are considered less important due to their lack of direct impact on risk reduction.

Mean Time To Detect

Mean Time to Detect is the average amount of time between the moment a vulnerability is introduced into your environment and its discovery by your IT or security team.

Although this is a useful metric, the most important takeaway is the action performed after a vulnerability is detected.

In addition, when deploying a continuous vulnerability scanning solution, your mean time to detect should be days or hours, not weeks or months.

Average CVSS Scores

Common Vulnerability Scoring System (CVSS) provides a numerical representation of the severity of a vulnerability to help incident responders prioritize remediation efforts.

Although CVSS scoring does not directly indicate risk, it can provide valuable insight into software or systems that may be at risk.

Open Vulnerabilities

Tracking open vulnerabilities is a useful metric that illustrates your current technical debt across all of your systems. The numerical value of open vulnerabilities is not a risk rating.

The value of the metric is realized when combined with other metrics to prioritize a vulnerability remediation process for critical systems.

How To Measure Successful Vulnerability Management Outcomes

So far, we’ve defined why metrics are important for reporting and identified top metrics that should be included in your reports.

In this section, the goal is to ensure you are capturing data from all sources within your network.

Once this data is incorporated into your reports, you will be in a position to tell the story with your results.

Obtain Reports From All Sources

It is important to understand the type and location of all assets connected to your network. Assets not accounted for may result in unpatched systems and inaccurate reporting of your risk posture in network vulnerability reports.

Include reporting from your blue and red team tools to provide comprehensive insights into your vulnerability management lifecycle.

The outcome is better prioritization of remediation plans for your most critical systems through validation.

This inclusive reporting approach will enable your teams to identify targets for further testing.

Centralize Metrics With Dashboard Reporting

Multiple reporting dashboards for each tool can make demonstrating results difficult to manage.

Centralizing your reporting into a single pane makes it easier for your organization to observe the positive impact of your vulnerability program, which leads to more success.

Present Metrics Based on The Story You Need to Tell

Present the most important KPIs first based on your organization’s needs.

Your stakeholders need to know what the risk impact is to the business. Present the metrics that focus on the priority of critical systems and the risks that have been accepted.

Present metrics that match the SLAs documented in your vulnerability management policy. This will demonstrate the timeliness of patching systems to reduce your overall risk profile.

Let’s now take a look at how PurpleSec can help improve your reporting capabilities with automation.

How PurpleSec Improves Reporting With Automation

PurpleSec’s Vulnerability Management platform can help your organization improve your reporting capabilities. Note the following features of this platform and how it can complement your existing framework.

Orchestrates & Automates Reporting

PurpleSec can help you deliver and customize reports that measure the state of your vulnerability program.

Let’s examine the key components of the reporting engine that will supercharge and enhance the value of your vulnerability management program.

You can create an executive dashboard for managers or a general view for infrastructure teams or business units for up-to-date statistics.

Dashboards generally provide an export feature which allows the generation of instant reports.

Fully Managed Solution

PurpleSec’s security experts will partner with your teams to understand your objectives and set up everything you need to make informed decisions about your security posture based on reported metrics.

Our teams are made up of certified information security professionals who can consult, manage, and approve security processes by automating vulnerability management reporting.

Wrapping Up

In this article, we have reviewed the value of reporting key vulnerability and patch management metrics.

As your organization manages its vulnerability management program, it is critical to provide the right metrics that demonstrate risk to your high-priority systems along with the tracking of risks that have been accepted.

By following the recommendations of measuring risk through metrics reporting, your IT teams and stakeholders will be able to clearly observe the outcomes and successes of the vulnerability management program.

Your organization will also improve its security posture by having a continuous vulnerability management program to reduce risk.

If you would like to learn more about PurpleSec’s Vulnerability Management platform, please schedule a demo by clicking the link below and one of our security experts will be in touch.


Article by Michael Swanagan, CISSP

Michael is an Information Security Professional with 15 years of proven experience. He has experience leading and supporting security projects and initiatives in the healthcare, finance, and advertising industries.


How To Perform A Successful Network Penetration Test

You just completed a vulnerability assessment and you’ve remedied all or most of the identified vulnerabilities.

A network penetration test is often the next step to validate the risk assessment to enhance a business’s security posture.

There are four main steps to performing a network penetration test which include:

  1. Information gathering and clarifying client expectations.
  2. Reconnaissance and discovery.
  3. Performing the penetration test.
  4. Reporting on recommendations and remediation.

By the end of this article, you will understand what a network penetration test is and the benefits associated with it.

In addition, you will learn how to successfully perform a network penetration test and explain it to future clients or key stakeholders.


What Is A Network Penetration Test?

A network penetration test is the process of identifying security vulnerabilities in applications and systems by intentionally using various malicious techniques to evaluate the network’s security responses, or lack thereof.


Similar to vulnerability assessments, a network penetration test, also known as a pen test, aims to identify vulnerabilities in a network.

However, unlike a vulnerability assessment, a penetration test is an exact simulation of a potential attack to identify vulnerabilities that are harder to find in a network.

What Are The Benefits Of Performing A Network Penetration Test?

There are numerous benefits to performing network penetration tests on your systems including:

  • Understanding the network baseline
  • Testing your security posture and controls
  • Preventing network and data breaches
  • Ensuring network and system security

Acting as an in-depth test of the network, the network penetration test will allow businesses to better understand their network baseline, to test their network and system security controls, prevent attacks and breaches, and ensure network security in the future.

A network penetration test is typically performed when a business has a mature security posture, or they believe they have strong security measures in place.

Understand The Network Baseline

Most of the time, the network’s baseline is identified through the use of scanning tools like port scanners, network scanners, and vulnerability scanners.

Understanding a network’s baseline allows the business owner to understand what security controls are working, identify existing vulnerabilities, and provide them additional information about their network.

Test Your Security Posture And Controls

Unlike a vulnerability assessment, a network penetration test will put your security controls to the ultimate test. A network penetration test’s goal is to breach your network and exploit those vulnerabilities to understand the areas that need improvement.

Prevent Network And Data Breaches

When a successful penetration test is performed, the results assist a business owner in designing or adjusting their risk analysis and mitigation strategies.

This helps the business prevent future data breaches because the network penetration test simulates a real-world attacker attempting to break into your systems.

Ensure Network And System Security

A network penetration test helps to ensure system security in a variety of ways.

For example, a business may have a mature security strategy with strong external defenses, but its internal defenses, such as a host-based Intrusion Prevention System (IPS) that prevents attacks from trusted hosts on the network, have been neglected.

Now, we have an idea about what a network penetration test is and the benefits that it has for businesses – let’s go through the process of performing a successful network penetration test.


What Are The Steps In The Network Penetration Testing Process?

Network penetration testing and vulnerability assessments are often used interchangeably.

However, there are some notable differences: most security practitioners view network penetration testing as a step that follows your vulnerability assessment, particularly after the vulnerabilities identified in the assessment have been remedied and the business owner would like to further test the security of their network.

To perform a successful penetration test, 4 steps must be completed:

Step 1: Information Gathering And Client Expectations

When you are discussing the goals of the network penetration test, there are a few important things to consider.

Penetration tests fall into three main categories:

  1. Black box testing
  2. Gray box testing
  3. White box testing

Black Box Testing

A network penetration test that is performed from the position of an average hacker, with minimal internal knowledge of the system or the network, is known as black box testing.


This type of test is typically the quickest as it employs tools to identify and exploit vulnerabilities in the outward-facing network.

It is important to note that if the perimeter cannot be breached in this type of penetration test, any internal vulnerabilities will remain undiscovered.

Gray Box Testing

A network penetration test that is performed from the position of a user who has access to the system, potentially including elevated privileges, is known as gray box testing.


This type of test aims to provide a more focused assessment of the network’s security, with insights into the external and internal vulnerabilities.

White Box Testing

A network penetration test that is performed from the position of an IT or IS user who has access to the source code and architecture documentation is known as white box testing.


This type of penetration test typically takes the longest, with the most challenging aspects being the large amounts of data that must be scrutinized to identify vulnerabilities.

It is important to know the types of network penetration tests that can be performed, whether you are a penetration tester or a business owner, because they each provide specific benefits to the business.

Understanding Client Expectations

On top of deciding on the type of penetration test for your network, you must also discuss and set a date and time for the penetration test to occur, whether the test will be performed on a production or staging/testing environment, and if the client wishes for vulnerabilities to be exploited or simply identified and reported on.

This may seem inconsequential; however, if security measures are currently in place on the network, the test could shut down mission-critical systems.

Finally, a network penetration test could be performed in a “live” setting, which would be during normal business operation hours, or performed after normal operating hours, which may occur during the night or over the weekend, depending on the business’s schedule.

At this stage, you should have documentation that records the information that will be used during the penetration test.


Step 2: Reconnaissance And Discovery

Now, it is time for you to put your penetration tester hat on.

After you have discussed the goal of the network penetration test, including the information that will be used during the test and the time and date in which it will occur, the reconnaissance and discovery step begins.

Reconnaissance

During your reconnaissance, you will begin by employing port and network scanners on the network and systems to get a view of the network, the devices on the network, and existing vulnerabilities.

Your goal will be to see where the vulnerabilities are located in order to begin your exploitation of those vulnerabilities.

Social engineering, the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes, could be used as a tactic to identify vulnerabilities in the network that will allow you to gain access more easily.

Discovery

Discovery is when you find the information that you were seeking during reconnaissance.

By aggregating the information found, a path can be identified to breach the network.

Now, let’s put this step into action.

During a gray box penetration test on a client’s network, tools like a port scanner, a tool that identifies open ports on a system, and a vulnerability scanner, a tool that identifies vulnerabilities on a system, are used to begin to identify ways to gain access to the network.


Step 3: Performing The Network Penetration Test

During step 3, the pen tester performs the network penetration test based on the vulnerabilities identified in step 2.

This step often uses tools that include exploit scripts or custom scripts you may code yourself.

In many cases, the pen tester will choose the vulnerability they deem the easiest or most critical to exploit and begin the process of exploiting it.

However, this approach is not foolproof, and multiple vulnerabilities may need to be tested to successfully gain access to the network.

This information is important when relaying the results to the client as it will be beneficial for them to know the strong and weak points in their network security.

Take a look at the example below on how a successful penetration test could be performed.

Technical Approach

During reconnaissance and discovery, you ran port scanner and vulnerability scanner tools on the network.

You saw that a client system had port 80 open, which is unusual for that system since it typically has no need to accept HTTP connections, which use port 80.

You deduce that this system may not have the proper defenses against an attack that originates via port 80.

You run an SQL Injection or Buffer Overflow attack to attempt to gain access to that system.

You then use the pivot method, using the compromised system to attack other systems on the network, and a Brute Force attack, as you believe that the internal security defenses are not prepared for an attack from a trusted host on the network.
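One way a defender catches the drift this scenario relies on (port 80 open on a host whose role includes no web service) is to diff every scan against the documented network baseline described under "Understand The Network Baseline". This is an added example, not code from the article; the baseline, the host addresses and the nmap-style grepable scan lines are constructed.

```python
import re
from dataclasses import dataclass, field

# Documented baseline: the TCP ports each host is expected to expose. Constructed for
# this example; a real baseline comes from the asset inventory and earlier scans.
BASELINE = {
    "10.0.0.10": {22, 443},   # web server: ssh + https only
    "10.0.0.20": {22, 5432},  # database server
    "10.0.0.30": {22},        # workstation-class host, no services
    "10.0.0.50": {22},        # baseline host that did not show up in the scan
}

# Constructed scan result in nmap's grepable (-oG) line format; not a real scan.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 5432/open/tcp//postgresql///
Host: 10.0.0.30 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/filtered/tcp//http///
Host: 10.0.0.40 ()\tPorts: 3389/open/tcp//ms-wbt-server///
"""

# Grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//[^/,]*/")

def parse_grepable(text):
    """Return {host_ip: {port: service}} for TCP ports the scanner reported open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports_field = re.search(r"Ports: (.*?)(?:\t|$)", line)
        open_ports = {}
        if ports_field:
            for port, state, proto, service in PORT_RE.findall(ports_field.group(1)):
                if state == "open" and proto == "tcp":   # filtered/closed ports are not exposure
                    open_ports[int(port)] = service
        hosts[ip] = open_ports
    return hosts

@dataclass
class Deviation:
    host: str
    unexpected: dict = field(default_factory=dict)  # port -> service, not in the baseline
    missing: set = field(default_factory=set)       # baseline ports not seen open
    unknown_host: bool = False                      # host absent from the baseline entirely

def compare_to_baseline(scan, baseline):
    """Diff a parsed scan against the baseline; one Deviation per host that drifted."""
    deviations = []
    for host in sorted(set(scan) | set(baseline)):
        observed = scan.get(host, {})
        expected = baseline.get(host)
        dev = Deviation(host, unknown_host=expected is None)
        expected = expected or set()
        dev.unexpected = {p: s for p, s in observed.items() if p not in expected}
        dev.missing = expected - set(observed)
        if dev.unknown_host or dev.unexpected or dev.missing:
            deviations.append(dev)
    return deviations

def baseline_drift(text=SCAN_OUTPUT, baseline=BASELINE):
    """Parse and compare in one step, keyed by host for easy lookup."""
    return {d.host: d for d in compare_to_baseline(parse_grepable(text), baseline)}

if __name__ == "__main__":
    for dev in baseline_drift().values():
        print(dev)
```

Hosts that match their baseline (10.0.0.10, and 10.0.0.30 whose port 80 is only filtered) produce no output; the database host with an unexpected web port, the unknown host and the baseline host that went unscanned each produce one deviation.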


Human Approach

During your reconnaissance and discovery, your scanning tools revealed no technical vulnerabilities in the systems.

However, you noticed that social engineering and phishing attacks may be the best approach in this penetration test, as you easily identified key employees and their contact information through a social media search.

You then craft a phishing email that looks like a company email from Human Resources, asking recipients to download and fill out an attached file for HR purposes, with keylogger or rootkit malware embedded in the attachment.

You then send it to the key employees in the Accounting Department that you identified on social media and wait for them to take the bait.

Once you are notified that an Accounting employee downloaded the malware, you are able to breach the network and gather sensitive financial information and possibly escalate account privileges to gain administrator-level access.

When you have successfully gained access to the sensitive data or critical systems that you were targeting, you have successfully breached the network.

If you are unable to gain unauthorized access to the target systems, your network penetration test is not necessarily unsuccessful.

Knowing the strengths and weaknesses of a network is just as important to the client, and if this were the case, you could recommend a more in-depth test, like a white box test, in the future.

It is important to remember that to perform a complete network penetration test for a client, you will need to provide them the results and recommendations from your test.


Step 4: Reporting, Recommendations, And Remediation

Following a penetration test, a report is written specific to the type of network penetration test performed for the client, that details the process, the vulnerabilities and evidence collected, and recommendations for remediation.

It is vital for a data owner to understand the risk that the vulnerabilities pose to their business, and it is the job of the pen tester to provide them with a risk analysis that assists them in making the appropriate decision.

Remediation may include implementing patches and updates.

However, it can also include the implementation of specific policies, like Employee Use policies and IT security policies, if internal vulnerabilities were identified.

Remember, a successful network penetration test is not just one in which a successful breach occurs.

If the tester is unable to breach the network, then it validates that the existing security posture of the organization is sufficient in deterring, detecting, or preventing attacks.

Conclusion

Network penetration testing is a crucial part of a business’s security plan.

In this article, you learned how to perform a successful penetration test and provide the results to your client.

Network penetration tests are important to enhance a business’s cyber security posture and it is your job to identify their vulnerabilities before the real attackers do.

Article by Jason Firch, MBA

Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and President of PurpleSec.
