Often, organisations rely on vulnerability scans to identify their weaknesses. They are told that vulnerability scanning is as good as penetration testing and that it will be enough to meet the compliance requirements of the PCI DSS (Payment Card Industry Data Security Standard).
What is vulnerability scanning?
Organisational vulnerabilities are unavoidable – not only because of frequent changes to applications and systems but also because firewalls are designed to leave certain ports open for email and other Internet-based services. However, organisations should always know where these vulnerabilities are, because it allows them to address weaknesses that can be fixed and prepare for attacks against those that can’t. That’s where vulnerability scanning helps.
As the name suggests, vulnerability scans root out an organisation’s weaknesses. Organisations can use a variety of tools, each of which essentially runs a series of if–then scenarios that are designed to identify system settings or actions that contain known vulnerabilities. A completed scan will provide a logged summary of alerts for the organisation to act on.
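To make the "series of if–then scenarios" concrete, here is a small added example (not code from the original article or from any scanning product) of how a scanner's rule engine works: each rule is a condition over an observed setting or service version, and every match is logged as an alert. The hosts, services, rule identifiers (EXAMPLE-000x) and the "patched version" threshold are all constructed placeholders, not real CVEs or product versions. Note that, exactly as the article says, the scan only reports what matches a known-weak pattern; it never exploits anything, which is the gap a penetration test fills.

```python
"""
Toy vulnerability-scanner rule engine (constructed example).

Each rule is an if-then check against an observed system setting or
service version; the scan produces a logged list of alerts plus a
severity summary. All hosts, rule IDs and versions are placeholders.
"""
from dataclasses import dataclass, field
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("toy-scanner")


@dataclass
class Observation:
    """What a scanner learned about one service (constructed input)."""
    host: str
    port: int
    service: str
    version: tuple = ()                       # parsed version, e.g. (2, 4, 49)
    settings: dict = field(default_factory=dict)


@dataclass
class Alert:
    rule_id: str
    host: str
    port: int
    severity: str
    message: str


def version_below(observed: tuple, minimum: tuple) -> bool:
    """True if the observed version is older than the minimum patched version."""
    return observed < minimum


# Rules: (rule_id, severity, condition, message). IDs are placeholders, not CVEs.
RULES = [
    ("EXAMPLE-0001", "high",
     lambda o: o.service == "telnet",
     "Telnet sends credentials in cleartext; disable it and use SSH"),
    ("EXAMPLE-0002", "medium",
     lambda o: o.service == "https" and "TLSv1.0" in o.settings.get("protocols", []),
     "TLS 1.0 is enabled; the deprecated protocol should be disabled"),
    ("EXAMPLE-0003", "high",
     lambda o: o.service == "ssh"
               and o.settings.get("password_auth") is True
               and o.settings.get("root_login") is True,
     "SSH permits root login with password authentication"),
    ("EXAMPLE-0004", "high",
     lambda o: o.service == "example-httpd" and version_below(o.version, (2, 4, 50)),
     "example-httpd older than hypothetical patched version 2.4.50"),
]


def scan(observations):
    """Apply every rule to every observation; log and collect each match."""
    alerts = []
    for obs in observations:
        for rule_id, severity, condition, message in RULES:
            if condition(obs):
                alert = Alert(rule_id, obs.host, obs.port, severity, message)
                alerts.append(alert)
                log.info("%s %s:%d [%s] %s", rule_id, obs.host, obs.port, severity, message)
    return alerts


def summary(alerts):
    """Count alerts per severity, the 'logged summary' an organisation acts on."""
    counts = {}
    for a in alerts:
        counts[a.severity] = counts.get(a.severity, 0) + 1
    return counts


# Constructed scan results (RFC 5737 documentation addresses, not real hosts).
SAMPLE_OBSERVATIONS = [
    Observation("192.0.2.10", 23, "telnet"),
    Observation("192.0.2.10", 22, "ssh", settings={"password_auth": True, "root_login": True}),
    Observation("192.0.2.11", 443, "https", settings={"protocols": ["TLSv1.0", "TLSv1.2"]}),
    Observation("192.0.2.11", 80, "example-httpd", version=(2, 4, 49)),
    Observation("192.0.2.12", 443, "https", settings={"protocols": ["TLSv1.2", "TLSv1.3"]}),
]

if __name__ == "__main__":
    found = scan(SAMPLE_OBSERVATIONS)
    print(summary(found))
```

Running it reports four alerts (three high, one medium) and nothing for the host that only offers TLS 1.2/1.3. Real scanners hold thousands of such rules and fetch the observations over the network, but the shape is the same: a signature matched against a setting or version, never a demonstration that the weakness is actually exploitable.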
What is penetration testing?
Penetration tests are much more rigorous than vulnerability scans. They are designed to not only identify weaknesses in an organisation’s system architecture but also exploit them. This demonstrates to an organisation exactly how a cyber criminal would infiltrate its systems and what information they could access. Armed with this knowledge, organisations can pinpoint how effective their security controls are and which areas to improve.
The testing process can be invasive because, for all intents and purposes, your organisation is under attack. You’ll therefore need to conduct the test outside of working hours or let the relevant people know about the test in advance. You’ll also need to hire a qualified professional to oversee the process, as penetration testing involves a very nuanced set of skills and must be performed by someone who is bound to ethical standards. If someone in your organisation performed the test, they might influence the test to reflect their own bias. Worse yet, they might use the test as a dry-run for an insider attack.
There are four types of penetration test, each with its own focus:
- External network penetration test
- Web application penetration test
- Wireless penetration test
- Social engineering penetration test
Organisations don’t need to conduct penetration tests as often as vulnerability scans – once a year or whenever system architecture is significantly altered should suffice.
If you would like more information on penetration testing, get in touch with one of our experts.