There are several types of IT security audits: organizational audits, technical audits and penetration testing.
These approaches are complementary, and together they give the most complete picture of an organization’s level of security. In this article we deliberately leave organizational audits aside in order to focus on the technical aspects of security audits.
Technical Assessment (White Box Audit)
This approach consists of assessing an organization’s level of cybersecurity by analyzing its architecture, the technologies used, the protections in place, configuration details, source code, and so on. The auditor works with full knowledge of the target, which is why it is called a white box audit.
A technical assessment of an IT infrastructure generally requires the auditor to be on site, in order to review the network architecture, inventory the various network devices (firewalls, switches, servers, workstations) and analyze their configurations.
A technical assessment of a software product or application requires access to the source code so that it can be reviewed in detail, usually together with what is needed to build and run it (dependencies, configuration, a test environment) so that findings from the code review can be confirmed against the running application.
Penetration Testing (Black Box or Grey Box Audit)
This approach consists of carrying out controlled attacks against an information system in order to identify and exploit vulnerabilities. The auditor performing a penetration test does not have full technical information about the target: in a black box test they start with no more knowledge than an external attacker, and in a grey box test they start with the knowledge and access of a legitimate, but malicious, user.
A penetration test on an IT infrastructure usually requires the auditor to be present in the company’s offices, but with restricted access to the company’s network. The auditor can conduct the test as a visitor, to check whether it is possible to gain access to the network (wired or wireless) from a meeting room or an unused network socket. They can also take the position of a new hire or trainee, with a mailbox and the minimum level of rights given to an internal user, to check how far that foothold can be extended.
A penetration test on a software product or application is generally performed remotely, targeting either public interfaces (web application, API, etc.) or interfaces reachable by users: with a username/password account in the grey box case, or at least with network access to the login interface if the software is only available on an internal network.
Technical Assessment or Penetration Testing: Which Approach to Choose?
Although the two approaches are complementary, some companies have to choose between them when commissioning a security audit, if only for budget reasons.
The advantage of a white box security audit is that it is more exhaustive: the auditor has access to as much information as possible (architecture, configurations, source code), which makes it possible to go further in detecting weaknesses and vulnerabilities, including ones an attacker could not have found from the outside in a limited time. The budget is generally higher than for a penetration test.
A black box or grey box penetration test has the advantage of identifying very concrete risks: the auditor behaves like an external attacker (black box) or like a malicious user (grey box), so the vulnerabilities found are demonstrated, exploitable risks for the company rather than theoretical ones. The flip side is that a penetration test is bounded by the time allotted and cannot claim to be exhaustive. The budget varies depending on the scope and conditions of the test, but it is generally lower than for a white box security audit.
Why Should You Perform a Security Audit?
A security audit is appropriate in several contexts.
A security audit is one of the best practices for protecting a company in a context of increasing cyber-attacks.
It is necessary in order to obtain certain information security certifications (ISO 27001, PCI DSS, etc.); PCI DSS, for example, explicitly requires regular penetration testing of the cardholder data environment.
It may be recommended following a quality audit, in order to strengthen the company’s processes and security. It is also highly recommended as part of GDPR compliance, since the regulation requires appropriate technical measures and a process for regularly testing their effectiveness.
It is required by some B2B clients or partners, in particular large accounts, for whom it is a prerequisite to doing business. This applies especially to penetration testing: large accounts may ask for a pentest report to be provided.
Finally, for a growing company it is a strategic investment in securing the business, and for a company that has already suffered a cyber-attack it is an opportunity to raise the level of security in order to prevent future attacks.
How to Go Further?
A worthwhile security audit requires an independent third party, in order to obtain an external view that is not shaped by the assumptions of the teams who built and operate the system.
There are several service providers specialized in security audits. It is a profession in its own right, quite different from other IT security professions, and experience and know-how are necessary to carry out a quality security audit.
To prepare the discussion with a service provider, you can draw up a specification describing the context of your need, the technical scope (which applications, domains, networks or hosts are in scope, and which are explicitly excluded) and the type of intervention desired (white box assessment, black box or grey box penetration test). A precise specification will enable the service provider to quickly produce a detailed proposal.
However, if your need is not yet well defined and you want to discuss the possible types of intervention before clarifying your request, an initial discussion of your security concerns and of the technical conditions of the interventions should allow the project to take shape. Whether the concern is the security of servers exposed on the web, code review, internal network security, the risk of social engineering attacks or the need to raise awareness at board level, several approaches can be combined, with compromises to respect budget constraints.
Vaadata, a CREST-approved company, specializes in security audits. We assist SMEs and large companies from any industry. To discuss your needs, find out about our strong points or get a proposal for an intervention, feel free to contact us.