The amended FTC Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA) requires dealers that do not have effective continuous monitoring in place to perform vulnerability assessments at least every six months (and again whenever there is a material change to the business or its systems) and penetration testing annually. But what is a vulnerability assessment? Why is it important? And how does a vulnerability assessment differ from a penetration test?
Vulnerability Assessment
A vulnerability assessment is the process of defining, identifying, classifying, and prioritizing vulnerabilities in computer systems, applications, and network infrastructure. Unlike a penetration test, it identifies and rates weaknesses but does not attempt to exploit them. Vulnerability assessments give dealerships a prioritized picture of the security weaknesses in their IT environment that an attacker could exploit.
The assessment typically relies on automated scanning tools (network scanners, authenticated host scans, and web application scanners). Raw scanner output is not a remediation plan: trained professionals should validate the findings to remove false positives and duplicates, then rank them by severity, whether a working exploit is known, and how exposed and sensitive the affected system is, producing a prioritized remediation plan with deadlines for each tier.
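The step from raw scanner findings to a prioritized remediation plan, as an added example (this is not code from the original article). The findings, host names, identifiers (VULN-0001 and so on) and field names are constructed to resemble a scanner export, and the scoring weights, tier thresholds and SLA windows are assumptions a dealership would tune to its own risk appetite:

```python
"""Turn raw vulnerability-scanner output into a ranked remediation plan.

Added example, not code from the original article. The findings below are
constructed; the field names (host, vuln_id, cvss, exploited_in_wild,
internet_facing, holds_customer_data) are assumptions, not any scanner's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str               # placeholder identifier, not a real CVE
    title: str
    cvss: float                # CVSS v3 base score, 0.0 to 10.0
    exploited_in_wild: bool    # a working exploit is publicly known or in use
    internet_facing: bool      # reachable from outside the dealership network
    holds_customer_data: bool  # stores GLBA-covered customer information


# Constructed sample findings (not real scan results). Note the duplicate:
# scanners often report the same issue twice (e.g. once per plugin/port).
SAMPLE_FINDINGS = [
    Finding("dms-app01", "VULN-0001", "Remote code execution in logging library", 10.0, True, False, True),
    Finding("web-portal", "VULN-0002", "Weak TLS configuration", 5.3, False, True, False),
    Finding("vpn-gw", "VULN-0003", "Pre-authentication RCE in VPN appliance", 9.8, True, True, False),
    Finding("hr-fileshare", "VULN-0004", "SMB signing not required", 5.9, False, False, True),
    Finding("dms-app01", "VULN-0001", "Remote code execution in logging library", 10.0, True, False, True),
    Finding("kiosk-03", "VULN-0005", "Local privilege escalation in print service", 7.8, False, False, False),
]

# Assumed policy: how many days each tier gets before remediation is overdue.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


def risk_score(f: Finding) -> float:
    """CVSS base score plus context the scanner cannot know (assumed weights)."""
    score = f.cvss
    if f.exploited_in_wild:
        score += 2.0
    if f.internet_facing:
        score += 1.5
    if f.holds_customer_data:
        score += 1.5
    return score


def remediation_tier(f: Finding) -> str:
    """Map the contextual score onto P1/P2/P3 (assumed thresholds)."""
    s = risk_score(f)
    if s >= 12.0:
        return "P1"
    if s >= 7.0:
        return "P2"
    return "P3"


def dedupe(findings):
    """Keep one finding per (host, vuln_id) pair, preserving first occurrence."""
    seen, unique = set(), []
    for f in findings:
        key = (f.host, f.vuln_id)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def build_plan(findings, assessed_on: date):
    """Deduplicate, rank by contextual risk, and attach a due date per tier."""
    ranked = sorted(dedupe(findings), key=lambda f: (-risk_score(f), f.host, f.vuln_id))
    plan = []
    for f in ranked:
        tier = remediation_tier(f)
        plan.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "title": f.title,
            "score": risk_score(f),
            "tier": tier,
            "due": assessed_on + timedelta(days=SLA_DAYS[tier]),
        })
    return plan


def count_by_tier(plan):
    """Summary a management report would show: how many items per tier."""
    counts = {"P1": 0, "P2": 0, "P3": 0}
    for item in plan:
        counts[item["tier"]] += 1
    return counts


if __name__ == "__main__":
    for item in build_plan(SAMPLE_FINDINGS, date(2024, 1, 15)):
        print(f'{item["tier"]} {item["score"]:5.1f} {item["due"]} {item["host"]:<13} {item["title"]}')
    print(count_by_tier(build_plan(SAMPLE_FINDINGS, date(2024, 1, 15))))
```

The point of the extra weights is that a scanner's CVSS score alone ranks the local privilege escalation on an isolated kiosk above a moderate flaw on an internet-facing gateway; adding exploit availability and asset exposure, which the scanner cannot know, is what turns the export into a plan the business can act on.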
It is essential that vulnerability assessments be performed on a regular basis since IT environments are constantly changing and new cybersecurity threats are rapidly emerging. Remember, establishing an effective cyber defense requires constant vigilance and continuous improvement. It is a never-ending battle.
Penetration (Pen) Testing
A pen test evaluates the security of an organization's IT environment by attempting to exploit vulnerabilities, against an agreed scope and under written rules of engagement. These vulnerabilities may stem from unpatched software flaws, misconfigured systems, or risky end-user behavior.
Pen testing combines automated and manual techniques to safely compromise servers, endpoints, web applications, wireless networks, network devices, mobile devices, and other points of exposure. Once a vulnerability has been exploited, testers may then escalate privileges and move laterally to gain greater access to the organization's systems and information, demonstrating the real impact a weakness would have rather than just its presence.
As the cybersecurity threat facing dealers continues to rise, these new FTC rules should help to drive dealers to prioritize the implementation of cybersecurity best practices – like regular penetration testing and vulnerability assessments. Using the information these tests provide to continuously improve your cybersecurity posture is essential to effectively protecting your dealership.