On 1st Nov 2021 the Central Bank of Bahrain issued a new module for the enhancement of the cyber security by CBB licensees. The new module was included within the Risk Management Module (Module RM) of the CBB Rulebook. One of the fresh requirements in this module mandates the licensee to bi-annually conduct vulnerability assessment and penetration testing (VAPT).
The module states “Licensees must conduct regular technical assessments to identify potential security vulnerabilities for systems, applications, and network devices. The vulnerability assessments must be comprehensive and cover internal technology, external technology, and connections with third parties. Preferably monthly assessments are conducted for internal technology and weekly or more frequent assessments for external public facing services and systems.”

The module also states
“All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year.
These tests must be used to simulate real world cyber-attacks on the technology environment and must:
(a) Follow a risk-based approach based on an internationally recognized methodology, such as National Institute of Standards and Technology “NIST” and Open Web Application Security Project “OWASP”;
(b) Include both Grey Box and Black Box testing in its scope;
(c) Be conducted by qualified and experienced security professionals who are certified in providing penetration testing services;
(d) Be performed by internal and external independent third parties which should be changed at least every two years; and
(e) Be performed on either the production environment or on non-production exact replicas of the production environment.”

The new cyber security module applies to money changers, insurance companies and investment houses. The CBB had mandated that all these licensees complete a gap assessment with an action plan versus the cyber security module by 31st Dec 2021. The new cyber security requirements are to come into effect from 1st May 2022.

Let’s try to understand vulnerability assessment and penetration testing (VAPT)

Basically, Vulnerability Assessment and Penetration Testing (VAPT) are two different methods of vulnerability testing. Both the tests try to achieve a different goal. However, to achieve a comprehensive vulnerability analysis; they are often combined as one complete project. The tests have different strengths that delivers a holistic vulnerability analysis of the information security within an organization. While the objective remains same, they are two different tasks.

Vulnerability Assessment
Vulnerability assessment is an automated method using various tools to hunt down vulnerabilities. The process is to identify and quantify known security vulnerabilities in an application or network. A vulnerability scan is conducted by analyst while residing within the network. It can also be conducted remotely via a VPN connection. Search for more than 50,000 vulnerabilities can be conducted via a high-quality scan using some of the best-in-class tools. The vulnerability assessment helps in providing appropriate mitigation procedure thereby eliminating the weakness. Vulnerability assessment is a quick automated task that can be completed within a day or two. Vulnerability assessment is also known as vulnerability scan.

A network vulnerability assessment tests all the network equipment like routers, firewall, ethernet switches, WiFi, desktops, laptops etc. Some security standards like PCI DSS, HIPAA, FedRAMP, SOC 2 Type2, etc. requires business to conduct network vulnerability assessment to ensure that customer data is well protected.

Penetration Testing
Penetration testing is conducted to simulate a hacker’s attempt to gain access to the network or application. The attack can be from external or internal source. It is conducted by Ethical Hackers who are trained and certified to conduct to conduct penetration testing. Penetration testing can deliver information of how damaging a flaw in the network or application can be used by real hacker in a real live scenario. Penetration testing are used to find loopholes can cause damage or which can’t. The objective of penetration test is to exploit systems and gain access to critical or sensitive data.

As both vulnerability assessment and penetration testing are of prime importance, it should be conducted by reputable companies who have excellent track record. Vulnerability scans conducted by an Approved Scanning Vendor (ASV) delivers high-quality result. The experience and knowledge by the approved companies assist in identifying blind spots and beefing up the company information security defenses against threat actors.

9T9 Information Technology in partnership with an Approved Scanning Vendor (ASV), Qualified PIN Assessor, 3DS Assessor Company & SWIFT Customer Security Programme (CSP) company is prepared to delivery high quality and high value service to all exchange companies, insurance companies and investment houses in Bahrain. Reach out to us for a consultation session.