When people misunderstand the differences between penetration testing and vulnerability scans, they are often missing a vital component in their overall network security profile. Both are crucial for cybercrime prevention. First, let’s look at the two processes individually.
A vulnerability assessment is a process for identifying the vulnerabilities and weaknesses in a business environment as well as where they are located. Using one or more automated “scanning” tools, your infrastructure can be scanned for technical vulnerabilities. Manual scans and testing can also be used to evaluate the security of your networks and applications or to verify the results of automated scans. Vulnerability scanners are unable to distinguish between flaws that can be exploited by attackers to cause damage and those that can’t.
Vulnerability scans and vulnerability assessments search systems for known vulnerabilities. A penetration test attempts to actively exploit weaknesses in an environment. While a vulnerability scan can be automated, a penetration test requires various levels of expertise.
Regular vulnerability scanning is necessary for maintaining information security. Secureworks® incident response (IR) analysts have observed some clients performing vulnerability scans weekly and others not performing these vital scans at all. Secureworks analysts recommend scanning every new piece of equipment before it is deployed and at least quarterly afterwards. Any changes to the equipment should immediately be followed by another vulnerability scan. The scan will detect issues such as missing patches and outdated protocols, certificates, and services.
Organizations should maintain baseline reports on key equipment and should investigate changes in open ports or added services. A vulnerability scanner (e.g., Nessus, GFI LANGuard, Rapid7, Retina, Qualys) can alert network defenders when unauthorized changes are made to the environment. Reconciling detected changes against change-control records can help determine if the change was authorized or if there is a problem such as a malware infection or a staff member violating change-control policies.
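The baseline reconciliation described above can be sketched as follows. This is an added example, not code from the article or from any scanner vendor; the inventory layout (host mapped to port and service), the sample addresses, and the ticket ID are constructed assumptions, and real input would come from your scanner's export and your change-control system.

```python
# Constructed sample data: host -> {port: service}. The layout is an assumption;
# real input would be parsed from a scanner export.
BASELINE = {
    "10.0.0.5": {22: "ssh", 443: "https"},
    "10.0.0.9": {443: "https", 5432: "postgresql"},
}
CURRENT = {
    "10.0.0.5": {22: "ssh", 443: "https", 8080: "http-proxy"},
    "10.0.0.9": {443: "https", 5432: "postgresql", 3389: "ms-wbt-server"},
    "10.0.0.12": {21: "ftp"},
}
# Constructed change-control records: (host, port) -> approved ticket ID.
APPROVED = {("10.0.0.5", 8080): "CHG-1001"}


def diff_inventory(baseline, current):
    """Return a list of (host, port, kind, detail) differences, sorted by host."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        old, new = baseline.get(host, {}), current.get(host, {})
        for port in sorted(set(old) | set(new)):
            if port not in old:
                # A host absent from the baseline is flagged separately.
                kind = "new-host" if host not in baseline else "opened"
                changes.append((host, port, kind, new[port]))
            elif port not in new:
                changes.append((host, port, "closed", old[port]))
            elif old[port] != new[port]:
                detail = f"{old[port]} -> {new[port]}"
                changes.append((host, port, "service-changed", detail))
    return changes


def reconcile(changes, approved):
    """Split changes into (authorized, needs_investigation) by change record."""
    authorized, investigate = [], []
    for change in changes:
        ticket = approved.get((change[0], change[1]))
        (authorized if ticket else investigate).append(change + (ticket,))
    return authorized, investigate


if __name__ == "__main__":
    ok, todo = reconcile(diff_inventory(BASELINE, CURRENT), APPROVED)
    for host, port, kind, detail, ticket in ok:
        print(f"authorized  {host}:{port} {kind} ({detail}) per {ticket}")
    for host, port, kind, detail, _ in todo:
        print(f"INVESTIGATE {host}:{port} {kind} ({detail}) - no change record")
```

Anything in the second list has no matching change record and is what a defender would follow up on first.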
Some reasons to perform a vulnerability assessment include:
Matching up critical vulnerabilities with critical assets
Generating a list of the patches or other remediation that need to be applied
Identifying (through the assessment process) all of the false-positives and false-negatives that exist
Satisfying PCI, HIPAA and NERC-CIP regulatory requirements
With penetration testing an organization can simulate a real-world cyberattack on targeted assets, using the same tools and techniques that modern cybercriminals use. This is accomplished by understanding who your threats are, their capabilities, motivations, and targets. In addition to evaluating your network, a pen test can also include physical security and social engineering. A pen test simulates as closely as possible the effect that these threats have on your business. Penetration testing should not be done simply to prove you can be hacked or to prove that you are vulnerable. It also shouldn’t be done just because it sounds like a “cool” process.
Penetration testing is quite different, as it attempts to identify insecure business processes, lax security settings, or other weaknesses that a threat actor could exploit. Transmission of unencrypted passwords, password reuse, and forgotten databases storing valid user credentials are examples of issues that can be discovered by a penetration test. Penetration tests do not need to be conducted as often as vulnerability scans but should be repeated on a regular basis.
Penetration tests are best conducted by a third-party vendor rather than internal staff to provide an objective view of the network environment and avoid conflicts of interest. Various tools are used in a penetration test, but the effectiveness of this type of test relies on the tester. The tester should have a breadth and depth of experience in information technology, preferably in the organization’s area of business; an ability to think abstractly and attempt to anticipate threat actor behaviors; the focus to be thorough and comprehensive; and a willingness to show how and why an organization’s environment could be compromised.
A penetration test report should be short and to the point. It can have appendices listing specific details, but the main body of the report should focus on what data was compromised and how. To be useful for the customer, the report should describe the actual method of attack and exploit, the value of the exploited data, and recommendations for improving the organization’s security posture.
Here are a few reasons to perform a penetration test:
To test your cybersecurity controls after they have matured
To identify exploitable vulnerabilities in critical assets, including money, intellectual property, credit card applications, critical infrastructure and other crown jewels
To satisfy PCI, NERC and other compliance requirements
After significant changes to your business or infrastructure
It is recommended that a penetration test be conducted by a third party rather than an internal team in order to avoid any conflicts of interest and provide an objective view of the environment.
Vulnerability assessments and penetration testing are both critical to maintaining a strong security posture.
The Cymonix line of solutions can proactively address threats to your environment, with Cymonix as your trusted long-term cybersecurity partner. Our proactive solutions can help your team identify issues before they become costly.