One aspect of our cyber security solutions is a detection service offering, which allows CRIBB to help with pentesting and vulnerability scans. These two are often mistaken for one another, and many organisations then opt for the wrong solution. Today we take a look at both to clear up any confusion.
AKA ‘penetration testing’
A penetration test sees a trained professional conducting a detailed, hands-on examination of your IT system. The objective is to uncover and exploit any weaknesses by deploying simulated hacking techniques. The tester, often described as an ethical hacker, attempts to compromise and then extract data from a network without causing any damage. Pentesting is typically very effective in discovering and fixing vulnerabilities in software applications and networks. The benefits are numerous, including:
- More accurate results via live, manual tests
- Retesting after fixes
The limitations of a penetration test, though few, can be prohibitive:
- The time taken can range from 1 day to 3 weeks or more
- The cost can range from $15,000 to $70,000 or more
A key consideration ahead of choosing penetration testing is the scope of your goals. If your aim is to assess your position against external threats, such as hackers, then pentesting is the best option. If, however, you want to conduct an internal assessment, we would recommend a vulnerability scan.
A vulnerability scan is typically an automated process used to identify vulnerabilities that could be discovered and then exploited. The more robust scans available are able to search for more than 50,000 vulnerabilities (as required by PCI DSS, FFIEC and GLBA mandates). Some vulnerability scans take several minutes to complete, whilst others take several hours. They are a passive solution because they only result in the generation of a report on the vulnerabilities detected. This report must then be actioned by the organisation in the manner it sees fit. To ensure that the scan is seeking out the most important vulnerabilities, you must appoint accredited entities to help.
Benefits at a glance
- Vulnerability scans provide a high-level view of possible weaknesses
- They are relatively quick to perform and affordable (typically ~$100 per IP, per year)
- Schedule scans to run weekly, monthly or quarterly
Limitations at a glance
- There are often false positives
- You must manually check each discovered vulnerability before re-testing
- Exploitable vulnerabilities require confirmation
As aforementioned, when carrying out internal checks it is vulnerability scanning that you should opt for. They represent an excellent low-level cyber security strategy for evaluating potential weaknesses.
Which is better?
The answer depends almost entirely upon your aims and objectives. Pentesting and vulnerability scans are not the same: the former offers a higher-level evaluation, plus fixes, against external threats, whereas we use vulnerability scanning to identify low-level, internal threats. Keep your overall objective in mind when deciding between the two. To summarise, a vulnerability scan is an automated test performed within the security perimeter. It seeks out potential vulnerabilities and then reports back on them. A penetration test is a detailed, hands-on evaluation conducted by a real person outside of the security perimeter. It tries to detect and exploit weaknesses in your system via a simulated cyber-attack.
CRIBB Cyber Security powers theICEway ecosystem’s security by design approach to IT Solutions. We have spent years working with clients in cruise, travel and healthcare. We can advise you on data protection, certification and much more besides. For help or guidance on any of those, or indeed with pentesting / vulnerability scanning, contact us today.