I often see promotional emails offering penetration testing for a ridiculously low price. This should be a red flag to anyone that receives something like this. What they are actually selling is usually a vulnerability assessment and that is quite a different thing than a true penetration test!
It is not uncommon for someone in my position to review a 300-page “penetration test” report that consists of nothing but a listing of vulnerabilities discovered by some vulnerability scanning tool. Here’s a clue: if your penetration test report is longer than 10 pages, you’ve probably got a vulnerability assesment.
A vulnerability scan or assessment looks for known vulnerabilities in your systems and reports potential exposures. A penetration test is designed to actually exploit weaknesses in the architecture of your systems. Where a vulnerability scan can be automated, a penetration test requires various levels of expertise within your scope of systems. In short, a single hourly-paid technician runs a vulnerability scan while a team or certified ethical hackers performs a penetration test.
This is not to sell vulnerability scans short. Vulnerability scanning is a necessary part of maintaining your information security and should be used more often than it is. For example, every new piece of equipment that is deployed should have a vulnerability scan run against it and another approximately monthly thereafter. Baseline reports on key equipment should be maintained, and changes in open ports or added services should be investigated. In this way, a vulnerability scanner is used as a detective tool to alert an information security program when unauthorized changes have been made to the environment.
Now, penetration testing is quite a bit different. It could be better described as “looking for ways to exploit the normal course of business.” For example, a company may use a software product that transmits a password for back-end processing. Or the CEO may transmit his password to his web-based mail, the same password he uses to logon. Alternatively, an obscure database may have a listing of unique users with passwords that never change and are good on the directory service. Perhaps the switches themselves can be compromised to send unencrypted data to a workstation, data that has personally identifiable information. Our penetration testers run into all of these exposures and more, the symptoms of which cannot be detected by a vulnerability scanner.
The tools used for a penetration test are varied and dynamic, but it is not the tool that performs the test; rather it is actually the tester. You want to select a partner who works with a team that has some breadth and depth of experience in IT and your business type. You will also need to resist the temptation to just use a single team or individual. You should contract with a number of skilled penetration assessment teams to make sure that some exploits are not being missed. And you certainly DON’T want to use your own internal IT staff!
Here is a table to help explain the difference between Vulnerability Scan & Penetration Test:
| Vulnerability Scan | Penetration Test | |
| How often to run | Continuously, especially after new equipment is loaded | Once a year |
| Reports | Comprehensive baseline of what vulnerabilities exist and changes from the last report | Short and to the point, identifies what data was actually compromised |
| Metrics | Lists known software vulnerabilities that may be exploited | Discovers unknown and exploitable exposures to normal business processes |
| Performed by | In house staff, increases expertise and knowledge of normal security profile. | Independent outside service with highly skilled certified ethical hackers |
| Required in regulations | FFIEC; GLBA; PCI DSS | FFIEC; GLBA; PCI DSS |
| Expense | Low to moderate: about $1200 / yr + staff time | High: about $5,000 per year depending on scope of work |
| Value | Detective control, used to detect when equipment is compromised. | Preventative control used to reduce exposures |
Ideally, you will want to run a penetration test once a year. Vulnerability scans should be run continuously. Vulnerability scans should be run by your own staff, so that they can build up a baseline of what is normal for your information security program. Penetration tests should be run by an outside consultancy so that the benefit of independence and “outside eyes” can be garnered. Together penetration testing and vulnerability scanning are powerful tools used to monitor and improve information security programs.
If you would like more information about a penetration test by a team of highly skilled certified ethical hackers, set up a free consultation today!
Recent Comments