Security Insider Interview Series: Brian Sloat, Director of Professional Services, Security Consulting for Neustar

Conducting vulnerability assessments and penetration tests can reveal the extent of a company’s security flaws, but every company is different. Brian Sloat, Director of Professional Services, Security Consulting for Neustar, describes how to get the right test for your company.

Why should an organization use a vulnerability assessment or penetration test?

A vulnerability assessment is a prerequisite to a penetration test. It will run scans and reveal vulnerabilities in the apps, OS, firewall, or whatever. Then the pen test will see if it’s a real risk or false positive. Organizations should use a vulnerability assessment first because they don’t know what they don’t know. A trusted partner like Neustar has access to intel from other security companies and the most updated tools.

Is there an established process or should each assessment be customized?

There is an established process to conduct a vulnerability assessment, but so much is dependent on the customer — what are their change management practices, what’s their industry? We’ll conduct a test for healthcare much differently than for retail. It really depends on their exposure and each test is customized for each organization. But the process for report delivery and the tools we use are all pretty standard.

Are there any types of risks that are easier or more difficult to identify?

The broader the scope we take, the easier it is to identify vulnerabilities. There are situations like things on the network that network teams don’t even realize have exposure. They’re not aware of all the IP addresses hanging off their network. That’s typically the biggest challenge — asking the right questions and having the right tools.

Should an organization conduct its own vulnerability assessment or work with a partner?

I am always encouraged by organizations that test themselves. There are some freeware and tools out there that are cost effective and can identify low-hanging fruit. If a company says we’ve identified this much, that’s great. We won’t have to do a vulnerability assessment on what they’ve already found. The cons are they don’t know what they don’t know. The tools spit out a ton of information. It takes an expert to interpret that data, identify the false positives, and assess the risk.

What skill sets and technologies are involved in conducting a vulnerability assessment?

We use some freeware, some things we license, and some home-grown scripts we developed. These are all intended to automate scans. Interpreting that data is where you really need a vulnerability or pen testing professional. Our engineers know networking, applications, application development, firewalls, OS, middleware — it’s a combo of all these things. The best skill set is to think like a hacker. My staff consists of certified ethical hackers. They have to be able to understand what would you (the hacker) do with it? How would you become malicious with what you know?

How have vulnerability assessments and penetration tests evolved, and how do you see them evolving in the near future?

The tools have become much better at scanning more efficiently and frequently. Companies used to run a scan once a year. Scans have gotten so much better in terms of speed and the data coming back that some companies now ask for daily scans. The scope of things has also grown. Now there’s the Internet of Things (IoT). We now have wireless devices, cell phones, and remote employees. These are more doorways and potential security risks. Another thing starting to evolve is sharing data amongst security companies. It’s not nearly where I would like it to be, but it’s starting to resonate throughout the industry. We’re at the beginning stages, but I expect that will be the way of the world.