I was recently browsing a social media group, and I came across an ad for a very cheap Pen Test. It got me thinking that the general SMB world doesn’t understand what this is or why they might need it. With an increase in questionnaires for things like insurance, I thought I’d take a few minutes and jot some notes down around Pen Testing, Vulnerability Scanning, the differences, and why you might need each.
It is important in this day and age of advanced technology to be able to spot and identify areas that may be at risk for hacking or malware. There are certain ways to accomplish this task, two of which include a Pen Test (Penetration Test), also known as Ethical Hacking, and a Vulnerability Scan. Both techniques have the same goal; to identify the threats before they happen by simulating real-world attacks on applications and their supporting technology. Even though these reproductions essentially garner similar results, they are different in how they function.
A Vulnerability Test, Assessment, or Scan is the process of identifying, evaluating, and ranking any vulnerabilities within a given system, the objective being to locate them before hackers find them. It is more to show how large a weakness is. There are steps completed to obtain information; catalog resources in a system, assign values to these properties, identify threats to each resource, and eliminate the worst vulnerabilities to the most valuable resources. This is done through automation, as opposed to by a human being, and can be conducted internally or externally. It is not as in-depth as a Pen Test, but the gathered information can be used to be a stepping stone on the way to performing a Pen Test. Because this sort of test can be performed in a largely automated fashion, it is less expensive than a full Pen Test. Additionally, tools exist which can conduct regularly scheduled scans to show you new weaknesses as they are released.
A Pen Test, on the other hand, is an authorized hack of a system, performed by a skilled tester, an actual person, who has expertise in cyber attacks and security. This deep dive scan has 5 basic steps; Reconnaissance, Scanning, Gaining Access, Maintaining Access, and Clearing Tracks. While performing the functions, the tester will keep detailed notes in order to produce a report outlining their findings. The process, which often uses both external and internal access, involves identifying weaknesses in the system, including the potential for unauthorized or malicious parties to gain access to the system's features and data. The intent is to actively exploit any flaw which may leave the structure open to attack. It will show not only what the threats are, but also how involved and dangerous those threats could become. This test can also identify the strengths of that system to create a full and very detailed analysis for review by the requesting organization.
As a business, vulnerability management and identifying areas of weakness is important to ensure your systems remain safe. However, to most small businesses the cost of a full Pen Test can be prohibitively expensive, starting in the many thousands of dollars. There are tools out there that seem to offer cheaper, automated Pen Tests, but those tools are actually vulnerability scanners. Because of their costs, full Penetration Tests are only appropriate in cases where risk or complexity is high in most small business networks. Even in cases where a questionnaire asks if you perform Pen Tests, it often isn’t necessary to actually do so. Insurance questionnaires are shared amongst large groups, and it is not expected for small businesses to engage in the large expense of a full pen test.
If you are in need of Vulnerability Assessment or Penetration Testing, CNWR would love to help. Please use the below button to reach out. We’d love to talk.
