As I speak with a growing number of MSPs, one thing is clear. Many are investing thousands of dollars in penetration tests that turn out to be merely vulnerability assessments.
That’s not to say vulnerability assessments are not a good tool. There’s a time and place for a good vulnerability assessment. But my main concern is that many of these companies are shelling out good money and not getting what they’re paying for.
First off, what is a vulnerability assessment?
Vulnerability assessments (also known as vulnerability scans) are useful for checking computers and networks for known security vulnerabilities. These scans are typically automated and identify areas on the network that could be exploited. This doesn’t mean that the vulnerabilities found are actively being exploited today (or ever will be). Because many scanner checks match on version banners and signatures rather than confirming exploitability, a scan can also report findings that turn out to be false positives once someone validates them by hand.
These assessments will often present a laundry list of to-do items, mainly geared at getting a client to fix something. The problem I see with relying on this tactic alone is that the findings don’t communicate a clear and present threat to a decision-maker, especially one who isn’t technical or isn’t yet convinced that cyberattacks, such as the latest wave of ransomware attacks, would ever hit or impact their organization.
What is the cost of a good vulnerability scan?
This really depends on the size of the organization and the scope being addressed within the scan. For a small to medium business, I have seen these scans cost from several thousand dollars on the lower end to tens of thousands of dollars on the higher end.
Why would your clients need a scan?
Several governing bodies may require scans as part of a company’s routine. PCI DSS, FFIEC and HIPAA, among other compliance regimes, may routinely require an assessment as part of doing business. PCI DSS, for example, requires both quarterly vulnerability scans and at least annual penetration testing, so the two are not interchangeable there either.
My big beef with vulnerability scans?
While vulnerability scans will often show you as the MSP a big list of areas to work on, they stop short of exploitation: they report what looks weak and don’t show which of those findings attackers would actually chain together to get in.
As I mentioned above, they also do little to help your client understand their risks. These scans will not hunt down PII and other sensitive information. They also will not show decision-makers exactly what hackers could get into or exploit once on the network. In essence, vulnerability scans lack the context needed to help non-technical (and sometimes even technical) workers make sense of their security posture.
There is no clicked link or simulated attack that demonstrates a missing security control or highlights an important vulnerability in a way that makes someone want to take action right now.
Now… What is a penetration test?
A penetration test simulates how a hacker might get into your systems. Using current knowledge of which vulnerabilities are actually exploitable, a penetration test shows how data and systems would fare against a real attack, rather than simply listing the variety of vulnerabilities present.
Often, a penetration test chains actions together. One of the easiest ways for a hacker to get onto a network, for instance, is through someone clicking a link. Finding out what would actually be at risk if this happens could open
I want to stress that penetration tests do expose real problems from the perspective of an attacker, but everything is done in a non-harmful way. A penetration test will probably bring back a lot of insight into how a team manages their data, passwords, and systems—focusing both on some of the lacking technical controls that would have prevented such an attack in addition to the behaviors leading to further exploitation of data or systems.
To help your clients wrap their heads around a penetration test, have them think of it as an MRI. It gives them and you more clarity into what needs to be done. You could think of the vulnerability assessment as more of a fuzzy X-ray, where you have some idea of where the problems are but might not know where the real causes lie.
What I’ve found, having grown an MSP to $8.5 million and with a mission to help MSPs protect over a million people, is that showing people why they need to take security seriously is the most impactful way to get them on board with cyber stacks and following through on making the right security-centric decisions for their organizations.
The cost of a typical penetration test may vary considerably, but in the marketplace right now, they tend to run between $15,000 and $70,000.
What if I told you that you could be doing these same penetration tests on your clients or prospects?
What if you could also pen test your own environment to make sure your controls are working?
That’s exactly what Galactic Partners are doing right now. They’re showing their clients, prospects and in-house teams where vulnerabilities lie and why they cannot simply be satisfied with the current status quo.
If you’re an MSP that is serious about security, wants to make sure the security you sell your clients actually works, and is proud of your brand and offerings, consider a cyber stack evaluation as a way to test out a fundamentally different approach to MSP security analyses.