It is imperative companies know what to look for when obtaining a penetration test to ensure it meets the company’s requirements and does not give a false sense of security. The world of penetration testing is often misunderstood and poorly explained.
This will be the first of a three-part series where I will explain:
- The difference between Vulnerability Assessments and Penetration Tests
- Penetration Testing & Post-Penetration Testing
- What is Social Engineering?
Vulnerability Assessments vs Penetration Tests
The first item that must be clarified, a Vulnerability Assessment is not a Penetration Test. Any IT employee can download free tools from the Internet to do a Vulnerability Assessment. It takes a dedicated Hacker to know how to breach a system, extract sensitive information of potentially take it offline.
- Process – Automated Tools.
- Output – List of unvalidated vulnerabilities.
- Outcome – Businesses IT Security Staff must validate individual vulnerabilities.
- Process – Manual Exploitation and Validation.
- Output – Confirmed risks, evidence, and impact rating to business.
- Outcome – Business has immediate understanding the infrastructure security posture.
The main disadvantage of a Vulnerability Assessment is it provides a false sense of security. Automated tools don’t detect every risk. If an IT Administrator is patching only the vulnerabilities detected by the tool, the business and its private information may still be defenceless against hackers.
The main advantage of a Penetration Test, it’s performed by professionals who are skilled in penetrating systems security and extracting information. Penetration Testers have an in-depth knowledge of technical platforms and how to mitigate the safeguards.
Conclusion: If you genuinely care about your company’s security, you will perform regular penetration testing. Why regularly? New vulnerabilities are discovered every month. What was once secure 6 months ago, now has x3 discovered bugs in its coding that hackers can exploit and take remote-control of that device. This is why updates are continuously being released to our iPhones, Androids, Windows and Mac systems. Many of these updates are patching security related vulnerabilities.
Stay tuned for my next blog where I explain the different types of penetration tests and what should be addressed immediately after a penetration test.