Enumerating and correcting the issues that directly lead to a breach.
Penetration Tests vs. Vulnerability Assessments
The terms “vulnerability assessments” and “penetration tests” are often incorrectly used interchangeably. While it is true that a penetration test requires a much greater level of skill to perform, it is not inherently “better” than a vulnerability scan. In reality, the best test for an organization will depend all on the end goal.
Vulnerability assessments utilize automated jobs to systematically scan networked devices for known vulnerabilities, typically compiled from CVE (common vulnerability and exposures) along with default/open credentials. Simple scripts can also be loaded to perform brute force password guessing attempts. The goal is to assess critical security risks and vulnerabilities and report findings.
Penetration tests are performed by highly skilled information security experts who emulate real-world tactics to determine whether or not a security posture could withstand a prolonged attack by a dedicated and skilled perpetrator. The goal is to leverage this assessment to correct critical security risks and vulnerabilities.
Discover all of the vulnerabilities that could be exploited in an attack.
Find out what damage could be done by exploiting some of the existing vulnerabilities
Checking all exterior and interior doors to determine if they are locked and secured properly.
Entering through the first available open door and searching the interior.
BREADTH OVER DEPTH: All in-scope devices are considered and all known vulnerabilities will be categorized.
DEPTH OVER BREADTH: Few devices may be touched and many vulnerabilities that may exist may not make the final report, which will consist of greater detail on fewer vulnerabilities.
LOUD AND FAST: Scans make no attempt to hide what they are doing and are very noisy and obvious.
LOW AND SLOW: Stealthy and attempt to evade defense protocols.
Recommended Organization Maturity Level
LOW TO MODERATE: An organization that does not regularly scan or does not have the capability to perform scans on their own, or organizations which consistently have unmitigated critical or high vulnerabilities.
MATURE: Better suited for organizations that have undergone and passed routine vulnerability scans and are looking to take the next step.
Preventative controls which prevent unauthorized system access and control.
Detective and reactive controls which detect and respond to a malicious presence.
Types of Vulnerability Scans
Focuses on your organization’s technology perimeter. Scanning tools are used to enumerate and assess your vulnerabilities.
PCI ASV SCANNING
Focuses on your organization’s internal networks. Scanning tools are used to assess your internal systems and infrastructure devices.
Utilizes automated tools to evaluate web applications for vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configurations.