The Value of VAPT for State and Local Agencies

With attack surfaces rapidly expanding as government agencies add cloud capabilities and incorporate hybrid work solutions, the issue isn’t going away. Instead, attackers are ramping up their efforts as undetected vulnerabilities become the norm rather than the exception.

Vulnerability and penetration testing (VAPT) can help state and local governments gain increased visibility across networks and reduce the time required to respond. Here’s how.

What Is Vulnerability and Penetration Testing?

VAPT combines the disciplines of discovery, analysis and exploitation to help agencies reduce total risk. Vulnerability assessment comes first and is the process of exploring networks to find and analyze potential weak points. Penetration testing then leverages these weak points to simulate an attack and provide agencies with actionable data on effective mitigation strategies.

Jim Richberg, public sector field CISO and vice president of information security for Fortinet, puts it simply: “Vulnerability assessment and penetration testing is an evaluation method that enables organizations to review their systems for potential security weaknesses and can help improve the security measures of organizations’ networks and systems.”

EXPLORE: How Identity and access management can help address security gaps.

He notes that while VAPT programs may focus on specific elements of an IT environment, such as network connections, applications, servers or databases, “all of them focus on identifying, analyzing and remediating potential vulnerabilities.”

Once vulnerabilities have been identified and exploited, data gained from penetration testing exercises provides actionable insight that security teams can use to address specific issues and inform long-term cybersecurity investments.

How Can VAPT Benefit State Agencies?

VAPT programs offer several benefits for state and local agencies, including:

• Improved cyber hygiene. “A robust VAPT program can conduct regular cyber hygiene checks such as automated scans of web applications, networks and cybersecurity protocols to detect warning signs of vulnerabilities,” Richberg says.
• Early attack detection. VAPT efforts also make it possible to minimize the gap between attack inception and detection. “For example, network scanners can detect suspicious activity around packets and help identify potential vectors for intrusions early in the attack cycle,” he says.
• Protection against high-risk threats. Once VAPT programs have identified and analyzed the scope and scale of existing vulnerabilities, agencies can take specific action to guard against common high-risk threats. Consider ransomware: If assessments discover weaknesses in user identity and authentication management (IAM) solutions, agencies can proactively implement solutions such as multifactor authentication or zero-trust network architecture to reduce their total risk.
• Customized defense creation. Richberg also highlights the use of machine learning and artificial intelligence tools to rapidly build out customized, application-specific defenses that provide a layered approach to overall network protection.

What Does an Effective VAPT Program Look Like?

Consider the recent request for proposal (RFP) issued by McHenry County, Ill., to procure information security assessment and penetrating testing on the county's networks.

The RFP defines three broad objectives for the VATP program. These include determining if any unknown vulnerabilities exist on the county’s network, evaluating whether an attacker could penetrate the system being tested with information available to the general public, providing evidence that verifies the possibility of exploiting detected vulnerabilities and defining steps for their remediation.

LEARN ABOUT: How creating an incident response team can support cybersecurity efforts.

Richberg notes, however, that it’s important for agencies to understand that VAPT programs can’t provide a complete picture of an agency’s entire attack surface. Instead, he recommends that they calibrate their VAPT programs to generate the insights they need to drive effective, consistent responses to the cyber vulnerabilities most likely to be exploited in their organizations.

“An effective VAPT program should be treated as an early warning system informed by resources such as alerts and guidance issued through the Cybersecurity and Infrastructure Security Agency’s Shields Up program,” he says.

He also highlights the importance of effective VAPT programs given the critical shortage of available cybersecurity talent. While even the best vulnerability and internal penetration testing framework isn’t capable of replacing human cybersecurity insight, the approach can help agencies minimize the impact of this ongoing skills gap.

What Should Agencies Look for in Potential VAPT Providers?

While it’s possible to create VAPT frameworks and conduct operations in-house, many state and local organizations have enough on their plates with existing efforts to modernize legacy applications, digitize key records and streamline citizens’ access to government applications.

As a result, it’s often more time- and cost-effective for agencies to contract trusted third parties for this task. Not only does this approach come with the benefit of cybersecurity expertise and experience, it also offers the advantage of a fresh set of eyes. Despite best efforts, internal teams may miss potential weak points due to familiarity with the systems they’re trying to analyze.

But what should organizations look for in potential VAPT providers?

First is improved efficacy. “Agencies should look for providers that minimize the time cybersecurity must spend reviewing alerts and making sense of the data to allow them to focus on the complex operational choices that require their human expertise,” Richberg says.

He also points to the importance of machine learning, artificial intelligence and automation in the identification, exploitation and remediation process to help reduce “noise” from repeated security events that often contribute to vigilance fatigue. It makes sense: Given the sheer number of potential vulnerabilities found on state and local networks, it’s easy for teams to get overwhelmed.

REVIEW: What are state and local governments doing to support cybersecurity measures?

VAPT providers should also understand real-world attacker methodologies that are used to uncover and exploit weak points. Consider the evolution of on-demand attack vectors such as Ransomware as a Service.

Not only can prospective attackers purchase the ransomware packages of their choice, but they can also access “customer support” from ransomware designers to help improve their chances of a successful compromise. For VAPT to be effective, providers must be well-versed in common, emerging and cutting-edge attack vectors.

Agencies can also benefit from the use of cloud-based security testing delivered as a service, which “can simplify automated detection of critical vulnerabilities in websites and web applications, including those defined by the OWASP Top 10,” Richberg says

“While VAPT tools are not a panacea,” Richberg says, they can contribute to situational awareness for cybersecurity, and they can help IT leaders assess their operating posture and respond strategically to minimize risk.”