Vulnerability Assessments vs Penetration Testing

Vulnerability scanning and penetration testing are important tools to secure and protect your IT infrastructure. Often, they get confused with each other but both play very different roles in overall network security.

So, what’s the difference and which should your business be using?

 

Vulnerability Assessments

Vulnerability assessments are automated reports that search for known vulnerabilities within software, such as missing patches and outdated configuration, protocols, certificates and services. The output of this report would show any known vulnerability that exist within the network. Reports can be lengthy as the assessments take quite a comprehensive look at the network and applications.

The assessments can be ran on any number of devices throughout a network and is wide in scope. The results can then be used to remove potential risks before they could be exploited.

It is recommended to perform scans quarterly and every new device once configured, or if a major configuration change has taken place.

 

Penetration Tests

In comparison, penetration testing actively exploits weaknesses within the environment. An experienced person would carry out the testing, acting as an attacker by exploiting weaknesses within the network or applications otherwise known as ‘ethical hacking’. As a tester is needed, this testing cannot be automated.

The main aim of penetration testing is to identify insecure and weak security settings and configuration that a business outsider would be able to use to access the data held behind the defences such as un-encrypted passwords. The tester would probe an open port and see how far it can be exploited. Large networks can take anywhere from days to weeks to complete a full test. It is therefore best practice to have the testing performed by a fully qualified 3rd party; this also ensures a fully unbiased, objective report being developed.

Penetration testing doesn’t need to be performed as regularly as vulnerability assessments, instead only once a year or if internet facing equipment has a large change made.

 

What Should My Business Use?

In summary, a vulnerability assessment is used to detect when an unlocked door could let a burglar enter your business. A penetration test would role play as the burglar and see how far he’s able to get before a locked door stops him in his tracks.

Both tools should be used in conjunction and work together to provide the best outcome. Vulnerability assessments are designed to act as a detective tool; penetration testing is built to be a preventative measure.

Penetration testing is a lot more costly compared to vulnerability by itself, but this is due to the in-depth nature of the scanning as the tester may discover a new vulnerability or a security flaw that is not very well known.

 

IT’s important to know the difference between each test as each are important in their own way. To find out if Netshield can be of assistance, please contact us here

Advertisements

Information Security isn’t just a Technology issue but, a Business one..

As the lines between work and play blurs due to the advances of technology, it becomes more apparent that ‘Information Security’ within the workplace is not just the IT department’s issue.

Information or data is a business enabler, it enables operations and productivity so, the security of it should be viewed as essential and promoted throughout the company – but, in most cases it is not.

Is this because we instinctively protect what we can see in front of us like buildings, personnel, hardware, the tangible assets but, we neglect the intangibles such as information because we struggle to see the physical value of it? Or is it the general attitude towards data security, the idea that we just need to do enough to meet regulations and compliance standards?

IT Security should be seen as a task to minimise risk for an organisation

This risk management is not just limited to the IT department or within the office because let’s face it, many of us do work a little when we get home even if its just checking our emails.

‘As many as 49% of individuals would use their personal device for work, found in a recent Norton Report’.

Employees use of unauthorised personal mobile devices can be a threat because it is an unknown object on the IT network. For example, if a user was to save business data onto an unauthorised device and then it was infected by malware, the data could end up in the wrong hands!

However, it is not about the IT department forbidding personal devices – if devices are approved then it is safe to have on the network. It’s all about having policies in place and training employees on how to access business data securely. The training should not be limited to the use of mobile devices but, general IT security practices i.e. always encrypt email containing sensitive data or never write login credentials on a piece of paper.

It is also important to ensure staff are aware of ‘Social Engineering’ because no matter how protected an IT Network is, there is always the possibility of external threats getting in, like CryptoWall which tricks users into opening infected attachments, exploit security gaps in Sliverlight, Flash and Java then, similar to CryptoLocker it will encrypt your files and demand a ransom.

Regular IT network assessments are recommended – not only will it help protect and minimise potential security risks, it can also be an opportunity to assess the efficiency levels of the network.

There will always be a possibility of a breach in security for every company, it could be due to a cyber attack, human error, social engineering etc but,if risk management is a common goal amongst every employee not just the IT department, it can help manage and minimise security risks in the long run.

To find out more about data protection or IT network security you can contact our consultants on 0845 603 5552 or drop us an email on info@netshield.co.uk