If you’re doing your quarterly vulnerability scans you may be wondering if that is the same as a penetration test or if you really need to do both. The scans you should be doing on a quarterly basis (or more often) are a good way to determine if you have weaknesses in your environment. A vulnerability scanner can also be used to perform network reconnaissance, which is typically carried out by a remote attacker attempting to gain information or access to your network. Network recon is used to exploit network standards and automated communication methods. The objective is to determine what types of systems are present, along with additional information about those systems—such as the type and version of the operating system. This information can be analyzed for known vulnerabilities that can be exploited to gain access to secure networks and computers.
Penetrations tests are used in an attempt to exploit the weaknesses found and to determine your company’s level of security awareness. There are many different types of penetration tests that can be performed, and they can be done from inside or outside your environment. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit. While both of these items are useful individually, the combination of the two, along with proper remediation of any issues found can be a powerful tool in keeping your environment secure from unwanted threats.
As a note, for PCI compliance, The PCI DSS requires both of these items. Acceptable quarterly vulnerability scans by an ASV as well as annual penetration testing (and after changes to your environment) must be performed. For more information on vulnerability scans or penetration testing, give us a call here at HALOCK Security Labs and we can help determine which is best for you based on your needs.