Penetration Testing vs. Vulnerability Scanning

For more info on pen testing: securitymetrics.com/sm/pub/penetrationtesting
For more info on vulnerability scanning: securitymetrics.com/sm/pub/vulnerabilityscanning

Even the most experienced administrators may fail to implement the latest secure practices at your business. The easiest and most accurate way to discover whether your business is secure enough to withstand an attack is to test it through the eyes of an attacker. An ethical hacker is a computer bodyguard who manually examines a business environment for weaknesses via a penetration test and determines which of those weaknesses can actually be exploited. Discover how penetration testers search for vulnerabilities using current attack techniques, and learn how to batten down your organisational hatches with penetration testing and vulnerability scanning.

  1. Network Security: Vulnerability Scanning & Penetration Testing
  2. About Us
     • Assisted >1 million merchants
     • Largest PCI support staff worldwide
     • Certified as ASV, PFI, QSA, PA-QSA
     • Member of PCI Security Standards Council task forces and special interest groups
     • Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance
     • Offers network security devices, data discovery software
  3. Testing Network Security
     • 93% of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)
     • Compromise costs
       – Financial penalties
       – Average organisational cost $5.5 million (Ponemon Institute, 2012)
       – Significant loss of reputation/brand trust
     • Various ways to test network security
       – Vulnerability scan and penetration test (most thorough)
       – Anti-virus/anti-malware software
       – Appliances (Intrusion Prevention Systems)
       – Anti-spyware software
  4. Vulnerability Scan (VA scan)
     An automated, high-level test
     • Should be conducted by a company with accreditation (e.g., a PCI SSC Approved Scanning Vendor)
     • Identifies network weaknesses and ranks how critical they are
     • Gives a beginning look at what possibly could be exploited
     • A good VA scan searches for over 50,000 vulnerabilities
     Process
     • Automatic network scans on a quarterly basis
     • Report of weaknesses, including possible false positives
     • Weaknesses patched on a prioritised basis
     • Manually check each vulnerability before testing again
     Benefits
     • Quick high-level look at possible vulnerabilities
     • Very affordable
     • Automatic
     • Takes a matter of minutes
     Limitations
     • Sometimes the test falsely classifies an object as a vulnerability (false positive)
  5. Penetration Test
     An exhaustive, live examination
     • Live attempt to exploit vulnerabilities
     • Analyst takes on the "hacker" role
     • Try to fake passwords, manipulate code, fool web servers into giving sensitive information
     • Internal and external testing
       – External: perspective of an attacker over the Internet
       – Internal: perspective of someone within the network
     Process
     • Run an automatic vulnerability scan
     • Follow up on reported vulnerabilities
     • Prove the vulnerability can be exploited
     • Report findings and recommendations per target
     Benefits
     • More accurate and thorough than a VA scan
     • Manual: a live analyst reviews the logic of the application and determines how to leverage access
     • Rules out false positives
     Limitations
     • Time (1 day to 3 weeks)
     • Cost
  6. Comparison
     Vulnerability Scan          Penetration Test
     Automated                   Manual (main difference)
     Minutes                     Days
     Scheduled                   Annually (and after significant change)
     Passive                     Aggressive
     Reports false positives     Rules out false positives
     Programmed                  Intuitive
     Identical scans             Accurate/thorough
     N/A                         Exploitation
     Both tests work together to encourage optimal network security
  7. Conclusion
     • Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and one third of total breaches (Data Breach Intelligence Report, 2012)
     "History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst… Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did." – Bruce Schneier, cryptographer and security expert
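The scan-side process on slide 4 (scan, rank by severity, patch on a prioritised basis, manually verify before rescanning) and the "reports false positives" column on slide 6 can be made concrete with a small triage script. This is an added example, not code from the SecurityMetrics deck: the scan rows, hosts, finding names and scores are constructed for illustration, and the 4.0 cut-off is the CVSS base score at which the PCI ASV Program Guide fails a scan, which the slides do not state. Banner-based findings are singled out for manual verification because the scanner inferred them from a version string rather than from observed behaviour, which is where false positives usually come from.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a typical scanner CSV export
# (host, port, finding, CVSS base score). Hosts and scores are made up.
SAMPLE_SCAN_CSV = """host,port,finding,cvss
10.0.0.5,443,TLS 1.0 enabled,4.3
10.0.0.5,22,SSH weak MAC algorithms,2.6
10.0.0.6,443,TLS 1.0 enabled,4.3
10.0.0.7,80,Outdated web server version (banner),7.5
10.0.0.7,80,Directory listing enabled,5.0
10.0.0.8,3306,Database port exposed to Internet,9.8
"""

# PCI ASV Program Guide: a CVSS base score of 4.0 or higher fails the scan.
PCI_FAIL_THRESHOLD = 4.0


def parse_findings(text):
    """Read the export into dicts and convert the score to a float."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["cvss"] = float(r["cvss"])
    return rows


def group_by_finding(rows):
    """Collapse the same weakness across hosts so it is triaged once,
    keeping the highest score seen and the list of affected host:port."""
    groups = defaultdict(lambda: {"cvss": 0.0, "hosts": []})
    for r in rows:
        g = groups[r["finding"]]
        g["cvss"] = max(g["cvss"], r["cvss"])
        g["hosts"].append(f'{r["host"]}:{r["port"]}')
    return groups


def prioritise(groups):
    """Highest CVSS first; ties broken by name so the order is stable."""
    return sorted(groups.items(), key=lambda kv: (-kv[1]["cvss"], kv[0]))


def needs_manual_check(name):
    """Heuristic assumed for this example: findings the scanner derived from a
    version banner must be proven by hand before the rescan (slide 4)."""
    return "(banner)" in name


def triage(text):
    """Return the prioritised worklist with PCI pass/fail and verification flags."""
    report = []
    for name, g in prioritise(group_by_finding(parse_findings(text))):
        report.append({
            "finding": name,
            "cvss": g["cvss"],
            "hosts": g["hosts"],
            "pci_fail": g["cvss"] >= PCI_FAIL_THRESHOLD,
            "manual_check": needs_manual_check(name),
        })
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_SCAN_CSV):
        flag = "FAIL" if item["pci_fail"] else "pass"
        note = " (verify by hand before rescanning)" if item["manual_check"] else ""
        hosts = ", ".join(item["hosts"])
        print(f'{flag} {item["cvss"]:>4} {item["finding"]} on {hosts}{note}')
```

Running it prints the database exposure first and the two TLS findings as a single item covering both hosts; the banner-based web server finding is flagged for the manual check the slide calls for before the next quarterly scan.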

Editor's Notes

  • Presentation Description: What is expected of a vendor's network security? How do you ensure your company is meeting essential security requirements? With payments security expert Gary Glover, attendees will explore the benefits, limitations, processes, and business relevancy of vulnerability scanning and penetration testing.
  • How do you figure out if you're safe? What is expected? If data is compromised, ignorance will not be an effective excuse. Even if you might not deal with critical data yourself, it is essential to check all environments. VA scanning and penetration testing are the most thorough.
  • Cost: the average pen test is $5-10k, and a vulnerability scan is only a couple hundred bucks. Another benefit: if you have a ton of networks set up exactly the same, you can just sample a few instead of paying to test them all (a VA scan is required to test them all).
  • Manual testing is the main difference between VA scanning and pen testing. Ruling out false positives: an automated scan is only as good as its code, whereas a pen tester can manually prove or disprove a finding. Thoroughness: all automated tools struggle with completeness, while a real person can completely review the target scope. Exploitation: if an analyst finds an issue, they can determine its inherent risk at that time. Most automated scans can't authenticate; they test from an external perspective and are not usually given login credentials to look inside internal applications. Talk about how these two work together: they need both!
  • Network security testing is required for Payment Card Industry Data Security Standard compliance. Database exploitation: pen testers are able to obtain full credit card data, full customer contact info, trade secrets, and social security numbers within a matter of days. In 90% of cases where SQL injection is present, SecurityMetrics penetration testers can get inside the database.
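The last note says that where SQL injection is present the testers usually get into the database. The following added example (not part of the deck or of SecurityMetrics' tooling) shows the mechanism on a constructed in-memory SQLite table: a login query built by string concatenation lets a tautology bypass the password check and a UNION payload read the password column through a query that was never meant to return it, while the same inputs given to a parameterised query return nothing. The table, users and payloads are constructed for the example.

```python
import sqlite3


def setup_db():
    """Constructed sample: an in-memory table standing in for a payment database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "4242"),
        ("bob", "hunter2", "1881"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: user input becomes part of the SQL."""
    sql = ("SELECT username, card_last4 FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL text."""
    sql = "SELECT username, card_last4 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Tautology: the WHERE clause becomes (... AND password = '') OR '1'='1',
# which is true for every row, so the password check is bypassed.
BYPASS_PAYLOAD = "' OR '1'='1"

# UNION: appends a second SELECT that reads the password column and comments
# out the closing quote the application would have added.
DUMP_PAYLOAD = "' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    conn = setup_db()
    print("bypass, vulnerable:", login_vulnerable(conn, "anyone", BYPASS_PAYLOAD))
    print("bypass, safe:      ", login_safe(conn, "anyone", BYPASS_PAYLOAD))
    print("dump, vulnerable:  ", login_vulnerable(conn, "x", DUMP_PAYLOAD))
    print("dump, safe:        ", login_safe(conn, "x", DUMP_PAYLOAD))
    print("real login, safe:  ", login_safe(conn, "alice", "s3cret"))
```

A scanner can flag the injection point from an error message or a timing difference; the step that turns the finding into "we read the password column" is the manual exploitation the slides attribute to the pen tester, and it is the parameterised form that closes it.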