SlideShare a Scribd company logo

Penetration Testing vs. Vulnerability Scanning

Download as PPTX, PDF
SecurityMetrics
SecurityMetrics

For more info on pen testing: securitymetrics.com/sm/pub/penetrationtesting For more info on vulnerability scanning: securitymetrics.com/sm/pub/vulnerabilityscanning Even the most experienced administrators may fail to implement the latest secure practices at your business. The easiest and most accurate ways to discover if your business is secure enough to withstand a hack is to test it through the eyes of a hacker. An ethical hacker is simply a computer bodyguard that manually examines a business environment for weaknesses via a penetration test, and determines which weaknesses he can exploit. Discover how penetration testers search for vulnerabilities by using the latest hacking techniques, and learn how to baton down your organizational hatches with penetration testing and vulnerability scanning.

Technology
1 of 7
Network Security Vulnerability Scanning & Penetration Testing
About Us > Assisted >1 million merchants > Largest PCI support staff worldwide > Certified as ASV, PFI, QSA, PA QSA > Member of PCI Security Standard Council task forces and special interest groups > Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance > Offers network security devices, data discovery software
Testing Network Security • 93 % of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012) • Compromise costs • Financial penalties • Average organisational cost $5.5 million (Ponemon Institute, 2012) • Significant loss of reputation/brand trust • Various ways to test network security – Vulnerability scan (most thorough) – Penetration test – Anti-virus/malware software – Appliances (Intrusion Prevention Systems) – Spyware
Vulnerability Scan (VA scan) An automated, high-level test Process • Should be conducted by a company with accreditation • Identifies network weaknesses (i.e., PCI SSC Approved Scanning Vendor) and ranks how critical they are • Automatic network scans on a quarterly basis • Gives a beginning look at what • Report of weaknesses, false positives possibly could be exploited • Weaknesses patched on a prioritised basis • Good VA scan searches for over 50,000 vulnerabilities Benefits • Quick high-level look at possible vulnerabilities • Very affordable • Automatic • Takes a matter of minutes Limitations • Sometimes test falsely classifies object as a vulnerability (false positive) Internal • Manually check each vulnerability before testing again
Penetration Test An exhaustive, live examination Process • Live attempt to exploit • Run automatic vulnerability scan vulnerabilities • Follow up on reported vulnerabilities • Analyst takes on “hacker” role • Prove the vulnerability can be exploited • Try to fake passwords, manipulate • Internal and external testing code, fool web servers into giving •External- perspective of an hacker over Internet sensitive information •Internal- perspective of someone within network • Report findings and recommendations per target Benefits • More accurate, thorough than VA scan • Manual: Live analyst reviews the logic of the application and determines how to leverage access • Rules out false positives Limitations • Time (1 day to 3 weeks) • Cost
Comparison Vulnerability Scan Penetration Test • Automated • Manual (main difference) • Minutes • Days • Scheduled • Annually (after significant change) • Passive • Aggressive • Report false positives • Rules out false positives • Programmed • Intuitive • Identical scans • Accurate/thorough • N/A • Exploitation Both tests work together to encourage optimal network security
Conclusion • Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and 1/3 total breaches. – Data Breach Intelligence Report, 2012 “History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst…Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.” -Bruce Schneier: cryptographer, security expert

Recommended

How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessSecurityMetrics
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingWon Ju Jub
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?Bhavin Shah
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 

Recommended

How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessSecurityMetrics
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingWon Ju Jub
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGEr Vivek Rana
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?Bhavin Shah
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
What is pentest
What is pentestWhat is pentest
What is pentestitissolutions
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testingecmee
 
Penetration testing in wireless network
Penetration testing in wireless networkPenetration testing in wireless network
Penetration testing in wireless networkHadi Fadlallah
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTshiriskumar
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Network Intelligence India
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by primePrime Infoserv
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network VaptApurv Singh Gautam
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?amiable_indian
 

More Related Content

What's hot

WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentMarcelo Silva
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testingecmee
 
Penetration testing in wireless network
Penetration testing in wireless networkPenetration testing in wireless network
Penetration testing in wireless networkHadi Fadlallah
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTshiriskumar
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by primePrime Infoserv
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingANURAG CHAKRABORTY
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 

What's hot (20)

WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Info Security - Vulnerability Assessment
Info Security - Vulnerability AssessmentInfo Security - Vulnerability Assessment
Info Security - Vulnerability Assessment
 
What is pentest
What is pentestWhat is pentest
What is pentest
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Ethical Hacking & Penetration Testing
Ethical Hacking & Penetration TestingEthical Hacking & Penetration Testing
Ethical Hacking & Penetration Testing
 
Penetration testing in wireless network
Penetration testing in wireless networkPenetration testing in wireless network
Penetration testing in wireless network
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing Explained
 
VAPT Services by prime
VAPT Services by primeVAPT Services by prime
VAPT Services by prime
 
Ethical hacking/ Penetration Testing
Ethical hacking/ Penetration TestingEthical hacking/ Penetration Testing
Ethical hacking/ Penetration Testing
 
Intro to Network Vapt
Intro to Network VaptIntro to Network Vapt
Intro to Network Vapt
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 

Viewers also liked

Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training briefBill Nelson
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?amiable_indian
 
Ch 13: Network Protection Systems
Ch 13: Network Protection SystemsCh 13: Network Protection Systems
Ch 13: Network Protection SystemsSam Bowne
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security AssessmentsTom Eston
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassGeorgia Weidman
 
Automated Malware Analysis
Automated Malware AnalysisAutomated Malware Analysis
Automated Malware AnalysisPushkar Pashupat
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaHanaysha
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkTom Eston
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksNetSPI
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inKeith G. Tidball
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2NetSPI
 
Crowd Control Riot Manual
Crowd Control Riot ManualCrowd Control Riot Manual
Crowd Control Riot Manualgum9wv
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingThe Hacker News
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?Dmitry Evteev
 

Viewers also liked (20)

Penetration and hacking training brief
Penetration and hacking training briefPenetration and hacking training brief
Penetration and hacking training brief
 
Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?Vulnerability Scanning or Penetration Testing?
Vulnerability Scanning or Penetration Testing?
 
Ch 13: Network Protection Systems
Ch 13: Network Protection SystemsCh 13: Network Protection Systems
Ch 13: Network Protection Systems
 
Physical Security Assessments
Physical Security AssessmentsPhysical Security Assessments
Physical Security Assessments
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
 
Automated Malware Analysis
Automated Malware AnalysisAutomated Malware Analysis
Automated Malware Analysis
 
Web application Testing
Web application TestingWeb application Testing
Web application Testing
 
Nessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq HanayshaNessus scan report using the defualt scan policy - Tareq Hanaysha
Nessus scan report using the defualt scan policy - Tareq Hanaysha
 
Automated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit FrameworkAutomated Penetration Testing With The Metasploit Framework
Automated Penetration Testing With The Metasploit Framework
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Introduction to Windows Dictionary Attacks
Introduction to Windows Dictionary AttacksIntroduction to Windows Dictionary Attacks
Introduction to Windows Dictionary Attacks
 
Vulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements inVulnerability Assessment and Rapid Warning System Enhancements in
Vulnerability Assessment and Rapid Warning System Enhancements in
 
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
Application Risk Prioritization - Overview - Secure360 2015 - Part 1 of 2
 
Crowd Control Riot Manual
Crowd Control Riot ManualCrowd Control Riot Manual
Crowd Control Riot Manual
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessment
 
PCI Guidance On Penetration Testing
PCI Guidance On Penetration TestingPCI Guidance On Penetration Testing
PCI Guidance On Penetration Testing
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Penetration testing, What’s this?
Penetration testing, What’s this?Penetration testing, What’s this?
Penetration testing, What’s this?
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 

Similar to Penetration Testing vs. Vulnerability Scanning

Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxImXaib
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comAravind R
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinarkdinerman
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016rajeshnikam
 
Penentration testing
Penentration testingPenentration testing
Penentration testingtahreemsaleem
 
What is penetration testing
What is penetration testingWhat is penetration testing
What is penetration testingsakshisoni076
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsSecurity Innovation
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...
TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...
TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...EC-Council
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Scanning web vulnerabilities
Scanning web vulnerabilitiesScanning web vulnerabilities
Scanning web vulnerabilitiesMohit Dholakiya
 

Similar to Penetration Testing vs. Vulnerability Scanning (20)

Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptxthreat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
penetration testing
penetration testingpenetration testing
penetration testing
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
Application security in a hurry webinar
Application security in a hurry webinarApplication security in a hurry webinar
Application security in a hurry webinar
 
Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016Is av dead or just missing in action - avar2016
Is av dead or just missing in action - avar2016
 
Penetration testing must die
Penetration testing must diePenetration testing must die
Penetration testing must die
 
Penentration testing
Penentration testingPenentration testing
Penentration testing
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
What is penetration testing
What is penetration testingWhat is penetration testing
What is penetration testing
 
Security audit
Security auditSecurity audit
Security audit
 
Security Audit
Security AuditSecurity Audit
Security Audit
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
How to Get the Most Out of Security Tools
How to Get the Most Out of Security ToolsHow to Get the Most Out of Security Tools
How to Get the Most Out of Security Tools
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...
TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...
TakeDownCon Rocket City: Research Advancements Towards Protecting Critical As...
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security Testing
 
Scanning web vulnerabilities
Scanning web vulnerabilitiesScanning web vulnerabilities
Scanning web vulnerabilities
 

More from SecurityMetrics

Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach SecurityMetrics
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical DevicesSecurityMetrics
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditSecurityMetrics
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101SecurityMetrics
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecurityMetrics
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? SecurityMetrics
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisSecurityMetrics
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA AuditSecurityMetrics
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesSecurityMetrics
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? SecurityMetrics
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data BreachSecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeSecurityMetrics
 
Auditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptAuditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptSecurityMetrics
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkSecurityMetrics
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationSecurityMetrics
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken MalwareSecurityMetrics
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsSecurityMetrics
 

More from SecurityMetrics (20)

Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
 
How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach How to Effectively Manage a Data Breach
How to Effectively Manage a Data Breach
 
How to Secure Your Medical Devices
How to Secure Your Medical DevicesHow to Secure Your Medical Devices
How to Secure Your Medical Devices
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored?
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk Analysis
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your Empolyees
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards?
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing Franchisee
 
Auditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptAuditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java Script
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
 

Recently uploaded

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Penetration Testing vs. Vulnerability Scanning

  • 2. About Us > Assisted >1 million merchants > Largest PCI support staff worldwide > Certified as ASV, PFI, QSA, PA QSA > Member of PCI Security Standard Council task forces and special interest groups > Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance > Offers network security devices, data discovery software
  • 3. Testing Network Security • 93 % of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012) • Compromise costs • Financial penalties • Average organisational cost $5.5 million (Ponemon Institute, 2012) • Significant loss of reputation/brand trust • Various ways to test network security – Vulnerability scan (most thorough) – Penetration test – Anti-virus/malware software – Appliances (Intrusion Prevention Systems) – Spyware
  • 4. Vulnerability Scan (VA scan) An automated, high-level test Process • Should be conducted by a company with accreditation • Identifies network weaknesses (i.e., PCI SSC Approved Scanning Vendor) and ranks how critical they are • Automatic network scans on a quarterly basis • Gives a beginning look at what • Report of weaknesses, false positives possibly could be exploited • Weaknesses patched on a prioritised basis • Good VA scan searches for over 50,000 vulnerabilities Benefits • Quick high-level look at possible vulnerabilities • Very affordable • Automatic • Takes a matter of minutes Limitations • Sometimes test falsely classifies object as a vulnerability (false positive) Internal • Manually check each vulnerability before testing again
  • 5. Penetration Test An exhaustive, live examination Process • Live attempt to exploit • Run automatic vulnerability scan vulnerabilities • Follow up on reported vulnerabilities • Analyst takes on “hacker” role • Prove the vulnerability can be exploited • Try to fake passwords, manipulate • Internal and external testing code, fool web servers into giving •External- perspective of an hacker over Internet sensitive information •Internal- perspective of someone within network • Report findings and recommendations per target Benefits • More accurate, thorough than VA scan • Manual: Live analyst reviews the logic of the application and determines how to leverage access • Rules out false positives Limitations • Time (1 day to 3 weeks) • Cost
  • 6. Comparison Vulnerability Scan Penetration Test • Automated • Manual (main difference) • Minutes • Days • Scheduled • Annually (after significant change) • Passive • Aggressive • Report false positives • Rules out false positives • Programmed • Intuitive • Identical scans • Accurate/thorough • N/A • Exploitation Both tests work together to encourage optimal network security
  • 7. Conclusion • Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and 1/3 total breaches. – Data Breach Intelligence Report, 2012 “History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst…Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.” -Bruce Schneier: cryptographer, security expert

Editor's Notes

  1. Presentation Description: What is expected of vendor's network security? How do you ensure your company is meeting essential security requirements? With payments security expert Gary Glover, attendees will explore the benefits, limitations, processes, and business relevancy of vulnerability scanning and penetration testing. 
  2. How do you figure out if you’re safe?What is expected?If data is compromised, ignorance will not be an effective excuseEven if you might not deal with critical data yourself, essential to check all environmentsVA and Penetration testing are the most thorough
  3. Cost- average pen test is $5-10k and a vulnerability scan is only a couple hundred bucks.Another benefit: If you have a ton of networks set up exactly the same, you can just sample a few instead of paying to test them all (VA scan is required to test them all)
  4. Manual test- main difference between VA scanning and pen testing. Ruling out false positives- Automated scan is only as good as the code. Pen tester can manually prove false positives. Thoroughness- all automated tools struggle with automation. A real person can completely review the target scope. Exploitation- if an analyst finds it, they can determine the inherent risk with the issue at that time.Most automated scans can’t authenticate. They’re from an external perspective. Not usually given login credentials to authenticate to look in internal applications. Talk about how these two work together!!!!!! They need both!
  5. -Network security testing required for Payment Card Industry Data Security Standard compliance-Database exploitation: Pen testers are able to obtain full credit card data, full customer contact info, trade secrets, social security numbers within a matter of daysIn 90% of cases, where SQL injection is present, SecurityMetrics penetration testers can get inside the database