What you need to know about Vulnerability Scans and Penetration Tests.
Clients are often unsure where to begin on their cybersecurity journey. A natural starting point is to identify how secure you are today and there are several ways to approach it. The terms Vulnerability Scan and Penetration (Pen) Test sometimes get used interchangeably when they are distinctly different. Here is an easy way to distinguish between the two using a home security analogy:
Vulnerability scan/assessment:
This type of engagement attempts to discover weaknesses. So, in our analogy, you’re looking for things like unlocked or flimsy doors, unlocked windows, and inadequate fencing. You’re trying to uncover things that could be exploited. There are two main ways to approach looking for vulnerabilities. The first is an automated scan, where a tool scans the network and produces a report. The second is to run that same scan and then have a human analyze the report to remove “noise” and false findings.
Penetration test:
With a pen test, your goal is to see whether the weaknesses can actually be exploited. This is done by force, using specific tactics, techniques, and procedures (TTPs). These TTPs don’t necessarily have to be technical; one of them could be social engineering. To use our house analogy, this is akin to using a crowbar on a door to see if it’s strong enough – or to see if you’re strong enough or smart enough to bust it open! It could also be telling the homeowner you’re a repair person to gain entry. These tests can be automated or human-led as well.
When determining how to evaluate your security posture, keep in mind that penetration tests may not be the best approach. If you think about it critically, a pen test attempts to prove a negative: “There isn’t anything exploitable”. However, what a pen test really indicates is that the person (or system) doing the penetration test can’t figure out how to break in. So why pay a lot of money to see how good the penetration tester is?
While we are not suggesting that penetration testing is totally useless, a good percentage of the time it is not worth the money unless you have a specific need such as compliance or other compelling reason. In many cases, understanding how strong your house is and fixing those things is money better spent. In other words, make sure you’re doing the right things before spending time and money on exploitation. Do you have secure coding practices? Are you patching regularly? Is there a disaster recovery plan? To end on the house analogy: If you know your home’s doors are faulty, why pay to have someone try to break in?
If you’re looking to boost your security posture, ARG can help. We can provide free and low-cost security reviews and best practices to ensure your organization is as secure as possible. Get started by emailing info@myarg.com.
You can also download our CyberSecurity Market Insight and Decisionmaking Guide absolutely free.