Cyber Vulnerability Assessments & Penetration Testing: Tools, Techniques and Best Practices

Date: Jun 21 2019

Andrew Silberstein, Director, Cybersecurity and Gregg Garrett, Head of U.S. & International Cybersecurity Advisory Services - BDO USA, LLP

Below is an excerpt of an article that originally appeared on


Cyber-attacks are increasing in frequency and sophistication, as is their success rate in breaching networks. At the root of many successful cyber-attacks are the vulnerabilities that exist within network infrastructure, software applications and the very humans who use those networks and applications. The human element of cybersecurity deals with normal human interactions through email and social media (e.g., email phishing, LinkedIn and Facebook hacking) and with general cybersecurity awareness and good cyber hygiene (e.g., proper use of USB memory devices and remote connections, and avoiding weak passwords). These vulnerabilities are best addressed through email phishing campaigns, which identify gaps in organizational policies and missing email-related security infrastructure, and through overall security awareness training. This chapter focuses on vulnerabilities associated with network infrastructure and software applications and leaves the topic of human factors to be addressed separately.

A well-established technique for minimizing and mitigating vulnerabilities within network infrastructure and software applications is the use of Vulnerability Assessments and Penetration Testing (VAPT). VAPT is a proven and powerful technique for managing the security risk within an organization or family office. Further, performing a VAPT is very effective in determining your cybersecurity risk profile and general security posture. Understanding and establishing a proven VAPT process and methodology, together with utilizing the right tools and techniques, will ensure the VAPT accomplishes its goal of improving the overall security of the organization. Before diving into the details of how best to implement a VAPT, it is important to establish some baseline definitions and the reasons how and why adversaries pursue and exploit vulnerabilities.

Let’s start with a simple definition of terms; what do we mean when we discuss a “vulnerability”:

Refining this definition towards cybersecurity: 

Cyber adversaries look to exploit vulnerabilities every day with new and innovative techniques. Adversaries come in many shapes and sizes and are looking to steal your sensitive and proprietary information, cause political or reputational damage, acquire financial gain, or simply steal whatever is available to sell to the highest bidder. Adversaries range from the most sophisticated foreign, state-sponsored adversary to organized crime to the ever-increasing number of hackers in the world.

Adversaries translate the definition of a vulnerability into two basic approaches:

  1. Attacking an organization from outside the network, referred to as an external vulnerability
  2. Attacking an organization from inside the network, referred to as an internal vulnerability

Let’s have one more definition to help clarify how adversaries execute an attack:

Once the adversary chooses either an external or internal attack (or both), he then decides on specific attack vectors, which typically take one of two forms:

  1. Exploiting vulnerabilities within the network infrastructure
  2. Exploiting software programs and applications. These can be external-facing applications, such as a web site, a web-based application or a mobile application, or software programs and applications for internal use running on an internal network server or desktop.

It should be noted that an adversary may use an external vulnerability to gain access to the internal network and then exploit the network from within the network.

With an understanding of how an adversary can attack a network or organization, and the types of attack vectors employed by these adversaries, we can now address the kind of vulnerabilities typically found during VAPT assessments. Network infrastructure (i.e., desktop computers, laptops, servers, firewalls, routers, and switches) and software application vulnerabilities generally fall into a few common categories: 

  1. Infrastructure configuration issues 
  2. Software and application version control or patching updates
  3. Vulnerabilities resulting from web application code and its development

These categories do not cover all possible vulnerabilities; rather, they are the common vulnerabilities most often found during a VAPT assessment. Only by performing your own VAPT will you gain an understanding of your specific security exposure and a complete list of network vulnerabilities. In summary, performing regular VAPT assessments will help manage the risk associated with vulnerabilities within your network infrastructure and applications and improve your cybersecurity posture against network attacks and their exploits.

