Tips & Explanations: Vulnerability Scans and Penetration Tests


Recently, there were major updates to one of the most important security standards in the world: the Payment Card Industry Data Security Standard (PCI DSS). This widely used set of requirements governs how organizations that store, process, or transmit card data secure credit and debit card transactions, protecting cardholders against theft and misuse of their account data. This year’s release, Version 4.0, requires regular vulnerability scans and penetration tests (also referred to as ‘pen tests’), as earlier versions did.

But, even if you don’t worry about PCI DSS compliance, there’s still a lesson to learn.

You should consider these procedures best practices for cybersecurity in general, no matter your industry.

Just as a sailor will yank on a rope to double-check a knot is tied correctly, vulnerability scans and penetration tests should be performed regularly to verify your IT and cybersecurity performs as intended.

Let’s look at some of the similarities and differences, and discover the right solution for you.

The Difference Between Vulnerability Scans and Penetration Tests

Both types of testing look for exposed vulnerabilities, but from different points of view and with different depth.

Penetration tests are human-driven: a tester takes the attacker’s view, usually starting from outside your network, and tries to actually exploit and chain weaknesses to show what an intruder could reach. Vulnerability scans are largely automated: a scanner, typically run from inside your network and often with credentials, enumerates known weaknesses (missing patches, weak configurations) but does not exploit them.

Both tests can cover a wide spectrum, from simple scanning options to robust testing with lots of tools and techniques.

Although regulation requirements sometimes determine which tests you need, budget and time constraints also play a role.


What Penetration Tests Cover

Simple penetration tests typically start by scanning your organization’s public IP ranges to see what is exposed to the internet.

You might perform localized penetration tests, too, on specific resources. For instance, you can check individual servers, gateways, virtual machines, specific network segments, applications, and containers.

Typical findings are open ports, obsolete protocols still in use (outdated TLS versions, cleartext FTP or Telnet), and server data exposed to the public, such as version banners or directory listings. Findings are ranked by severity, which combines how likely a weakness is to be exploited with the impact if it is.
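As an added example (not code from the original post), here is how the raw output of such an external scan can be turned into the findings list described above. It assumes Nmap’s XML output format with the ssl-enum-ciphers script; the embedded sample is constructed, not a real scan, and the product names in it are hypothetical:

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with
#   nmap -sV --script ssl-enum-ciphers -oX scan.xml <targets>
# It is illustrative, not output from a real scan; the address is a documentation range
# and the product names are hypothetical.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="ExampleFTPd" version="3.0"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="ExampleSSH" version="9.0"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-enum-ciphers" output="(elided)">
          <table key="TLSv1.0"><table key="ciphers"/></table>
          <table key="TLSv1.2"><table key="ciphers"/></table>
        </script>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Services that carry credentials or data in cleartext and should not face the internet.
CLEARTEXT_SERVICES = {"ftp": "Cleartext FTP", "telnet": "Cleartext Telnet", "pop3": "Cleartext POP3"}
# Deprecated SSL/TLS versions that are routinely reported as findings.
OBSOLETE_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def extract_findings(nmap_xml: str) -> list[dict]:
    """Walk Nmap XML and return one dict per finding (host, port, severity, title)."""
    findings = []
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            portid = int(port.get("portid"))
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:
                product = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            # Every open port is at least an informational finding
            findings.append({"host": addr, "port": portid, "severity": "info",
                             "title": f"Open port {portid}/tcp ({name or 'unknown'}) {product}".strip()})
            # Cleartext protocol exposed to the internet
            if name in CLEARTEXT_SERVICES:
                findings.append({"host": addr, "port": portid, "severity": "high",
                                 "title": f"{CLEARTEXT_SERVICES[name]} exposed to the internet"})
            # Obsolete TLS versions reported by the ssl-enum-ciphers script
            for script in port.findall("script"):
                if script.get("id") != "ssl-enum-ciphers":
                    continue
                for table in script.findall("table"):
                    version = table.get("key")
                    if version in OBSOLETE_TLS:
                        findings.append({"host": addr, "port": portid, "severity": "medium",
                                         "title": f"Obsolete protocol {version} offered"})
    return findings


def severity_counts(findings: list[dict]) -> dict[str, int]:
    """Summary line for the top of a report."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in sorted(extract_findings(SAMPLE_NMAP_XML), key=lambda f: f["severity"]):
        print(f"[{f['severity']:6}] {f['host']}:{f['port']} {f['title']}")
```

Note that the filtered RDP port produces no finding: a filtered port is the firewall doing its job, and listing it would only add noise to the report.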

More advanced penetration tests may simulate sophisticated attackers, or may start from a low-privilege, authenticated position (an ‘assumed breach’ test) in order to simulate compromised credentials.

Even more thorough penetration tests involve testing physical resources and personnel, through social engineering, social media examinations, dropping malware-laden USB drives in the parking lot, etc.


What Vulnerability Scans Cover

Simple vulnerability scans check the network, servers, and the security tools protecting them against databases of known vulnerabilities, such as published CVEs.

More extensive vulnerability scans test different permissions levels, individual servers, applications, websites, backups, and other resources in fine detail.

Typical findings include software that needs updates, misconfigured security settings on firewalls, and user groups with more permissions than they need.
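The version matching at the heart of a vulnerability scan is easy to get wrong, so here is an added example (not code from the original post) showing two of the checks above, outdated software and an over-permissive firewall rule, run over a constructed inventory. The product names, fixed versions, and rules are hypothetical; the point is that versions must be compared numerically, since a plain string comparison calls ‘2.4.9’ newer than ‘2.4.50’ and ‘8.10’ older than ‘8.9’:

```python
import re

# Constructed table of the minimum version that carries a fix.
# Product names and versions are hypothetical, not real advisories.
MIN_FIXED_VERSION = {
    "ExampleHTTPd": "2.4.50",
    "ExampleSSH": "8.9",
    "ExampleAgent": "1.2.0",
}

# Constructed software inventory, as an authenticated scan might collect it.
INVENTORY = [
    {"host": "10.0.0.5", "software": "ExampleHTTPd", "version": "2.4.9"},
    {"host": "10.0.0.5", "software": "ExampleSSH", "version": "8.10"},
    {"host": "10.0.0.7", "software": "ExampleHTTPd", "version": "2.4.51"},
    {"host": "10.0.0.7", "software": "ExampleAgent", "version": "1.2"},
]

# Constructed firewall ruleset; "any" matches every destination port.
FIREWALL_RULES = [
    {"name": "allow-web", "src": "0.0.0.0/0", "dst_port": "443", "action": "allow"},
    {"name": "temp-any", "src": "0.0.0.0/0", "dst_port": "any", "action": "allow"},
    {"name": "mgmt-ssh", "src": "10.0.0.0/8", "dst_port": "22", "action": "allow"},
    {"name": "default-deny", "src": "0.0.0.0/0", "dst_port": "any", "action": "deny"},
]


def parse_version(version: str, width: int = 4) -> tuple[int, ...]:
    """'2.4.9' -> (2, 4, 9, 0): numeric fields, zero-padded, so '2.4' equals '2.4.0'."""
    nums = [int(n) for n in re.findall(r"\d+", version)][:width]
    return tuple(nums + [0] * (width - len(nums)))


def is_outdated(installed: str, min_fixed: str) -> bool:
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(min_fixed)


def outdated_software(inventory: list[dict], min_fixed_version: dict[str, str]) -> list[dict]:
    """Return inventory entries whose version predates the fix, with the fix version attached."""
    findings = []
    for item in inventory:
        fixed = min_fixed_version.get(item["software"])
        if fixed is None:
            continue  # no advisory data for this product; cannot judge it
        if is_outdated(item["version"], fixed):
            findings.append({**item, "min_fixed": fixed})
    return findings


def permissive_rules(rules: list[dict]) -> list[str]:
    """Allow rules from anywhere to any port are the classic firewall misconfiguration."""
    any_src = {"0.0.0.0/0", "any", "*"}
    return [r["name"] for r in rules
            if r["action"] == "allow" and r["src"] in any_src and r["dst_port"] == "any"]


if __name__ == "__main__":
    for f in outdated_software(INVENTORY, MIN_FIXED_VERSION):
        print(f"{f['host']}: {f['software']} {f['version']} is older than fixed {f['min_fixed']}")
    for name in permissive_rules(FIREWALL_RULES):
        print(f"firewall rule '{name}' allows any source to any port")
```

A product missing from the advisory table is skipped rather than reported as safe; a scanner that silently treats unknown software as clean is producing false reassurance, not coverage.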

More expansive testing may overlap with penetration testing methods to check physical processes and procedures. It may include, for example, examinations to check if patient data might be observable on nursing station monitors in violation of HIPAA.

Interpreting Penetration Test Results

Often, even reports from simple penetration tests and vulnerability scans are full of standardized technical jargon, such as CVE identifiers and CVSS scores, that makes sense to technical experts but can be confusing to others.

The most effective reports should also include a simplified version, making it easy for others outside the industry to understand.

Use these reports to create a prioritized list of items to fix immediately, fix later, or consciously accept (with the acceptance documented and revisited at the next test). Once you correct issues, you’ll want to retest, in order to verify the fix actually closed the finding.

When creating your prioritized list, also consider the ease of performing the task. For instance, don’t postpone a fix if you can accomplish it in five minutes – even if it seems like a low priority.


What Testing Misses

One thing to keep in mind is that neither vulnerability scans nor penetration tests consider asset or data value.

Always examine any findings in the context of your own risk tolerance, versus the value of the threatened assets.
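As an added example (not code from the original post), the following implements the triage rules from the ‘Interpreting Penetration Test Results’ section above, including the five-minute rule and the retest step, and folds in the asset-value weighting that this section points out a raw report lacks. The findings, scores, thresholds, and the weighting formula are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    title: str
    cvss: float           # base score as printed in the report, 0-10
    exploit_public: bool  # report notes a working exploit exists
    fix_minutes: int      # your own estimate of remediation effort
    asset_value: int      # 1 (throwaway lab box) .. 5 (cardholder data environment), supplied by you


# Constructed findings; titles, scores and estimates are illustrative only.
FINDINGS = [
    Finding("F1", "TLS 1.0 still offered on public web server", 5.3, False, 15, 5),
    Finding("F2", "Outdated SSH daemon on internet-facing jump host", 8.1, True, 45, 4),
    Finding("F3", "Verbose version banner on intranet wiki", 2.1, False, 5, 2),
    Finding("F4", "Unpatched lab VM on isolated VLAN", 9.8, True, 240, 1),
    Finding("F5", "Default SNMP community string on printer", 7.5, True, 10, 2),
]


def risk_score(f: Finding) -> float:
    """Scale the report's CVSS by what the asset is worth to you; bump it if exploitable.

    This weighting is an assumption for the example, not a standard formula.
    """
    score = f.cvss * (f.asset_value / 5)
    if f.exploit_public:
        score *= 1.5
    return min(score, 10.0)


def triage(findings: list[Finding], quick_fix_minutes: int = 5,
           now_threshold: float = 7.0, later_threshold: float = 4.0) -> dict[str, list[str]]:
    """Sort findings by contextual risk and bucket them as fix now / fix later / accept."""
    buckets: dict[str, list[str]] = {"fix_now": [], "fix_later": [], "accept": []}
    for f in sorted(findings, key=risk_score, reverse=True):
        score = risk_score(f)
        if score >= now_threshold or f.fix_minutes <= quick_fix_minutes:
            buckets["fix_now"].append(f.id)    # high risk, or a five-minute fix: just do it
        elif score >= later_threshold:
            buckets["fix_later"].append(f.id)
        else:
            buckets["accept"].append(f.id)     # document the acceptance; revisit at the next test
    return buckets


def compare_retest(before: set[str], after: set[str]) -> dict[str, set[str]]:
    """After remediation, rescan and diff finding IDs to verify the fixes actually took."""
    return {"fixed": before - after, "still_open": before & after, "new": after - before}


if __name__ == "__main__":
    for bucket, ids in triage(FINDINGS).items():
        print(bucket, ids)
    print(compare_retest({"F1", "F2", "F3"}, {"F2", "F6"}))
```

The unpatched lab VM lands in the accept bucket despite its 9.8 base score because it is isolated and worthless to an attacker, while the cheap banner fix goes straight to fix now: exactly the two adjustments a raw report cannot make for you.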

Also, none of these tests consider what might be missing.

For example, while both tests might examine a firewall to check its configuration, neither will note missing security controls, such as intrusion detection or intrusion prevention systems (unless, of course, a successful penetration test exploits that very weakness).

Lastly, these tests only capture the state of your organization at a specific point in time. Newly disclosed vulnerabilities, new employees, new equipment, and software upgrades can all introduce exposure that did not exist when the test was run.

As a result, testing should be done regularly, or after any significant changes.

Performing the Tests

Fortunately, neither of the aforementioned attacks appear to be widespread.

However, typically, it only takes a few weeks, or even days, for attackers to analyze the news and deploy new attacks.

Additionally, it’s also lucky that both attacks have rather simple mitigations. Still, many IT teams may not have the bandwidth or the expertise to make these changes immediately.

While our cybersecurity tools and advanced firewalls can detect many different types of attacks, neither of the vulnerabilities covered above can be easily captured by traditional or even zero-trust tools.

Cybersecurity monitoring can help to fill in the gaps, but the best defense in this case is to apply the mitigation quickly. 

When urgency or expertise is required, outsourcing can provide a cost-effective solution to protect the organization. Blue Bastion, along with the added support of Ideal Integrations, provides no-obligation consultations and can explain how we can deploy our security experts and tools to quickly resolve existing vulnerabilities or to provide ongoing monitoring against new attacks.

Call our team at 412-349-6680 or fill out the form below and our team of cybersecurity experts will create and execute the ultimate security plan to protect your organization.

Stay vigilant.

Secure Your Business With Blue Bastion - Contact Us Today!