Many organizations today are required by regulatory authorities, industry associations, insurance providers or audit firms to conduct annual technical vulnerability assessments or penetration tests. These assessments are a valuable tool in your security arsenal. They can provide you with an objective view of the gaps in your organization from a process and technology standpoint.
A comprehensive Technical Vulnerability Assessment (TVA) should look at your network(s) and devices from the inside out and the outside in. It will examine each device on your network to determine whether it has been properly hardened and patched to resist attack. You should also assess whether your various servers and services (mail servers, DNS servers, domain registrations, etc.) have been configured correctly to prevent misuse or hijacking.
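One concrete instance of the "configured correctly to prevent misuse" check for mail and DNS is verifying a domain's SPF and DMARC TXT records. The following is an added example, not code from the original article: it assumes SPF (RFC 7208) and DMARC (RFC 7489) are the controls being assessed, and it runs against constructed TXT records embedded in the script. The `lookup_txt` function is a stand-in for a real DNS query; an assessor would replace it with an actual resolver call and keep the checks unchanged.

```python
"""Flag weak SPF and DMARC settings for a domain.

Added example (not from the original article). SPF and DMARC are assumed to be
the mail-spoofing controls a TVA would review; the TXT records below are
constructed for illustration, and lookup_txt stands in for a real DNS query.
"""
import re

# Constructed sample zone data: record name -> list of TXT strings.
SAMPLE_TXT_RECORDS = {
    "good.example": ["v=spf1 mx include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 ?all"],          # neutral: no enforcement
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],  # monitor only
    "missing.example": ["some unrelated TXT record"],             # no SPF, no DMARC
}


def lookup_txt(name, records=SAMPLE_TXT_RECORDS):
    """Stand-in for a DNS TXT lookup; returns [] when the name has no records."""
    return records.get(name, [])


def spf_all_qualifier(spf_record):
    """Return the qualifier of the terminating 'all' mechanism ('+' when omitted), or None."""
    for term in spf_record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None


def check_spf(domain, records=SAMPLE_TXT_RECORDS):
    """Return (severity, message) findings for the domain's SPF record."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record: any host may claim to send for this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(("high", "multiple SPF records: receivers treat this as a permanent error"))
    qualifier = spf_all_qualifier(spf[0])
    if qualifier is None:
        findings.append(("medium", "SPF has no terminating 'all' mechanism"))
    elif qualifier == "+":
        findings.append(("high", "SPF ends in +all: every sender passes"))
    elif qualifier == "?":
        findings.append(("high", "SPF ends in ?all: neutral result, no enforcement"))
    elif qualifier == "~":
        findings.append(("low", "SPF ends in ~all: softfail rather than hard fail"))
    return findings


def parse_dmarc(record):
    """Split a DMARC record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, records=SAMPLE_TXT_RECORDS):
    """Return (severity, message) findings for the domain's DMARC record."""
    dmarc = [r for r in lookup_txt("_dmarc." + domain, records)
             if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [("high", "no DMARC record: receivers cannot enforce or report on spoofing")]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", "DMARC policy tag missing or unrecognised"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(("low", "DMARC pct is not numeric; receivers will use the default"))
    if pct < 100:
        findings.append(("low", f"DMARC pct={pct}: policy applied to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(("low", "DMARC has no rua tag: no aggregate reports will be received"))
    return findings


def assess_domain(domain, records=SAMPLE_TXT_RECORDS):
    """Combine SPF and DMARC findings for one domain."""
    return check_spf(domain, records) + check_dmarc(domain, records)


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "missing.example"):
        print(name, assess_domain(name) or "no findings")
```

Against the constructed data, `good.example` produces no findings, `weak.example` is flagged for its neutral `?all` and monitor-only `p=none`, and `missing.example` is flagged for lacking both records. The severity labels are an assumed scheme for the example; a vendor's report will use its own.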
The vendor should be very experienced and have a broad understanding of technical security. They should be a trustworthy partner with a proven track record of conducting TVAs who is able to provide references. They should also have a well-defined methodology that they can explain to you. You should understand upfront what they will be doing and when it will occur.
Other dimensions that should be tested as part of your TVA are web applications and social engineering. Web applications are software programs that run inside a web interface (e.g. ecommerce platforms, webmail, etc.). They should be tested against software security best practices to ensure that the developers are adhering to security standards; testing against standards such as OWASP, SANS and NIST will identify any gaps that exist. A good way to test social engineering is to conduct a phishing campaign that targets your internal user email addresses and attempts to get them to respond by providing information.
At the conclusion of the assessment you should receive a summary report that explains any gaps that have been identified, along with detailed scan reports that give in-depth specifics about the findings from the assessment tools. The assessor should meet with you and your technical team to review the summary report and be available to explain the findings, their impact(s) and all recommendations.
You should consider conducting a full TVA annually, and conducting scans and additional phishing tests whenever there has been a significant change or on a quarterly basis, whichever is more frequent.