What's in Your Cybersecurity Arsenal? Penetration Testing and Other Top Tactics
Take a look at key tools for your cybersecurity arsenal, including penetration testing, threat modeling and more.
Determining your organizational approach to cybersecurity — which tools you use, how you allocate personnel and financial resources to the task, where you harden your IT infrastructure the most — is not the easiest task when you're new to it. Truth be told, it's not necessarily easy when you've done it half a dozen times, either.
As such, you'll need to review your options. These run the gamut from fairly well-known quantities like penetration testing and vulnerability assessments to newer practices like threat modeling and bug bounties. Regardless of which route you take, it will still be well worth your while to understand the available paths to a more secure network.
Before we begin, it's important to explore the relationship between vulnerability assessment and penetration testing. While they are best used in tandem, they are often mistaken for one another. Vulnerability assessment is the process by which an organization enumerates all of the potential areas of weakness on its systems. Penetration testing then confirms those potential risks, putting the hypothetical weaknesses to the test to determine whether and how they could lead to a successful cyberattack.
Penetration testing: A valuable yet underutilized tool
The key point of penetration testing (sometimes shortened to "pen testing") is to actively identify dents in your network's armor.[1] Specifically, you do so by looking for them and, when you find them, attacking them the way an attacker would.
Some penetration testing tools are software-based, using automated scanners to find problems wherever they may be: in specific applications, within the network's firewall, embedded within your operational technology and so on. In other cases, the test will actively simulate an attack. This can mean putting excessive pressure on the network and specific operations within it (like a very mild version of a distributed denial-of-service attack).
No matter how they're executed, penetration tests should always be conducted with precise goals in mind. For example, you could deploy a series of tests in conjunction with reporting from a vulnerability assessment tool like Nessus. If the assessment identified issues with network security and your organization took measures to rectify them, pen testing would help assess if the remediation was effective.
Each of the tools we'll be discussing here will be most effective if you have an underlying and ongoing vulnerability assessment program in place.
Cybersecurity audits: For the sake of standards
All organizations are beholden to regulations created by government departments and leading industry organizations, some more so than others. The effectiveness of cybersecurity measures is, at times, part of such criteria. Cybersecurity audits are, in fact, centered primarily around compliance. They do involve examination of the protections a given organization has in place for certain aspects of its IT infrastructure, and Nessus Professional is one tool that can assist with compliance auditing. However, audits can often be myopic, and thus should never be the sole cybersecurity framework that a company uses.
Consider PCI DSS compliance for a perfect example of a cybersecurity audit's characteristics and shortcomings. Some of its requirements are extremely important, like encrypting clients' credit card data and maintaining a firewall configuration to protect it, using (and regularly updating) antivirus software and consistently testing security systems.[2] But there are organizations to which PCI doesn't apply, and moreover, plenty of entry points for cyberattackers that don't involve financial data. The same goes for similarly sector-specific standards like HIPAA's cybersecurity requirements.
Audits centered around more comprehensive standards, like ISO 27001 or 27701, will be more efficacious. The 2019 update[3] to 27701, in particular, involves especially robust data protections, likely to keep up with the GDPR regulations that are often cited for their meticulousness. But the fact remains that if you orient your cybersecurity procedures around compliance and audits, your organization is setting a ceiling for how well-protected it can be. Audits must always be accompanied by ongoing vulnerability assessments and other cybersecurity best practices.
Threat modeling: Preemptive catastrophizing
Knowing how many vulnerabilities your network has and where they are is obviously critical. How else are you going to rectify these flaws? But in certain circumstances you may need to know much more.
Imagine that you knew a cyberattack on your organization was either imminent or highly likely. This wouldn't require clairvoyance on your part; perhaps you're part of an industry that's frequently targeted by malicious online actors. Or maybe a specific malware is bouncing around your city or region (the way WannaCry spread through multiple countries, and then crossed continents, in a matter of hours[4]).
Threat modeling can be extremely valuable in this situation. At its essence, this methodology entails envisioning the results of a specific cyberattack on your organization.[5] Such projections should include monetary and data losses, time spent dealing with the attack's immediate and lasting consequences, estimates of how big a hit each department or business unit will take and other key performance indicators.
Using these bottom-line numbers about cyberattack impact can help impress the seriousness of the issue upon people in your organization who might not fully understand it otherwise. Threat modeling can also be applied as a preemptive tactic and built into the overall structure of your organizational cybersecurity strategy.
Bug bounties: Bringing in the mercenaries
Penetration testing is a more conventional form of ethical hacking — especially if you commission a third party to handle it. On the (somewhat) less typical end of the spectrum lie bug bounties.
Instead of hauling in cattle thieves in the Wild West, ethical hackers who pursue bug bounties seek cash rewards from organizations that want their security flaws uncovered and patched. Sometimes these assignments are low-key affairs between one business and a white-hat security consultant; others are part of programs maintained by tech giants like Apple, Facebook and Google — and the U.S. military.[6]
Commissioning bug bounties may not be the right play for all organizations, but if you can afford it — and you find a trusted white-hat — it can be useful for tracking down vulnerabilities in the network that your IT team can't spot.
A balanced approach
There's no single right answer when it comes to developing a cybersecurity strategy. It all depends on the needs of your organization, which will probably fluctuate over time. By balancing a comprehensive vulnerability assessment program with savvy deployments of all of the methods described above, you give yourself and your business the best chance at a truly secure network and IT infrastructure.
1. TechTarget, "Pen Test (Penetration Testing)," October 2018
2. PCI Security Standards Council, "Maintaining Payment Security"
3. ISO, "Security Techniques: Extension to ISO/IEC 27001 and ISO/IEC 27002," August 2019
4. BBC News, "Cyber-Attack: Europol Says It Was Unprecedented in Scale," May 2017
5. Daniel Miessler, "Information Security Assessment Types," December 2019
6. Tripwire, "10 Essential Bug Bounty Programs of 2020," June 2020