My clients often confuse scanning and penetration testing. In order to ensure that your organisation’s Internet presence is secure you really need to be conducting both external vulnerability scans and penetration tests. If you are storing or transmitting data on the Internet, particularly sensitive data such as credit card details, then quarterly scanning is required to validate your PCI compliance. You also need to conduct a penetration test at least once a year. These are the minimum requirements to remain compliant; it is prudent to scan and test more often.
Unfortunately there seems to be some confusion about the difference between a vulnerability scan and a penetration test.
The purpose of a vulnerability scan is to identify potential vulnerabilities in your network. Someone with network experience will run a tool like Qualys, Nessus, Retina, or Internet Scanner. It will examine your firewalls, servers, applications, routers, and anything else that pertains to your network. The result is usually a large report that lists out all of the potential vulnerabilities that the scanning tool identified.
You’ll need to run a vulnerability scan at least once every quarter. If significant changes are made to your applications or network equipment that could introduce new vulnerabilities, then it’s important to scan immediately. It’s a good idea to have your staff run vulnerability scans continuously. While anyone with network experience can run a scanning tool, it takes some expertise to interpret the results correctly and divine the correct course of action to safeguard against potential threats.
A penetration test, often building on the information gathered by a vulnerability scan, takes things to the next level. The purpose of a penetration test is to actually compromise the vulnerable devices on your network. It requires the use of sophisticated software like Metasploit, Canvas, or Core Impact.
Using exploits written by hackers and other penetration testers, the tester will attempt to breach your system architecture. The result is a report that details the method of attack, the exploit used, and the value of the data exposed. It may also note false positives, cases where a breach did not result in data loss, and offer suggestions for how to address any problems found.
You’ll need to run a penetration test at least once a year. It requires a real expert to conduct a penetration test and use the tools correctly. If the tester is not properly qualified then there’s a real risk that they’ll leave something behind that compromises your system.
Penetration tests should always be run by outside agencies with a proven track record. You also need to engage a vendor that you trust and arm them with the information they need to understand your infrastructure. Don’t forget to put an NDA in place first.
It’s worth bearing in mind that there is a significant cost difference between vulnerability scanning and penetration testing. You can have internal staff running vulnerability scans and there is a level of automation available with some software tools. Remember to factor your staff time into the cost and consider having an outside expert cast an eye over the reports to ensure nothing important is missed.
The scope of your testing, the methodology employed, and the qualifications of your chosen vendor will dictate the cost of penetration testing, but it is obviously a lot more expensive than vulnerability scanning. Be wary of receiving extremely low quotes for a penetration testing service because inadequate testing is going to leave you exposed to risk.
You want a concise report from a penetration test and you should make sure the provider is available to assist with remediation. You need to be sure that the suggested fixes have been implemented correctly and that any dangerous vulnerability has been eliminated.
A sensible security strategy includes vulnerability scanning and penetration testing. It’s worth bearing in mind that the cost of a security breach will far outweigh the cost of penetration testing. Data loss in the real world can be difficult to detect and very expensive and time-consuming to fix. You also need to factor in the cost of any fines, potential damage to your reputation, and the loss of business that will result.
By Michelle Drolet, founder and CEO, Towerwall. Special to Business Computing World.
This article was recently published in Business Computing World.