
Penetration Testing vs. Vulnerability Scanning



Even the most experienced administrators may fail to implement the latest secure practices at your business. The easiest and most accurate way to discover whether your business is secure enough to withstand a hack is to test it through the eyes of a hacker. An ethical hacker is simply a computer bodyguard who manually examines a business environment for weaknesses via a penetration test and determines which weaknesses he can exploit. Discover how penetration testers search for vulnerabilities by using the latest hacking techniques, and learn how to batten down your organizational hatches with penetration testing and vulnerability scanning.

Published in: Technology


  1. Network Security: Vulnerability Scanning & Penetration Testing
  2. About Us
     • Assisted >1 million merchants
     • Largest PCI support staff worldwide
     • Certified as ASV, PFI, QSA, PA QSA
     • Member of PCI Security Standard Council task forces and special interest groups
     • Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance
     • Offers network security devices, data discovery software
  3. Testing Network Security
     • 93% of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)
     • Compromise costs
       – Financial penalties
       – Average organisational cost $5.5 million (Ponemon Institute, 2012)
       – Significant loss of reputation/brand trust
     • Various ways to test network security
       – Vulnerability scan (most thorough)
       – Penetration test
       – Anti-virus/malware software
       – Appliances (Intrusion Prevention Systems)
       – Spyware
  4. Vulnerability Scan (VA scan)
     An automated, high-level test
     • Identifies network weaknesses and ranks how critical they are
     • Gives a beginning look at what possibly could be exploited
     Process
     • Should be conducted by a company with accreditation (i.e., PCI SSC Approved Scanning Vendor)
     • Automatic network scans on a quarterly basis
     • Report of weaknesses, false positives
     • Weaknesses patched on a prioritised basis
     • Good VA scan searches for over 50,000 vulnerabilities
     Benefits
     • Quick high-level look at possible vulnerabilities
     • Very affordable
     • Automatic
     • Takes a matter of minutes
     Limitations
     • Sometimes test falsely classifies object as a vulnerability (false positive)
     • Manually check each vulnerability before testing again
  5. Penetration Test
     An exhaustive, live examination
     • Live attempt to exploit vulnerabilities
     • Analyst takes on “hacker” role
     • Try to fake passwords, manipulate code, fool web servers into giving sensitive information
     Process
     • Run automatic vulnerability scan
     • Follow up on reported vulnerabilities
     • Prove the vulnerability can be exploited
     • Internal and external testing
       – External: perspective of a hacker over the Internet
       – Internal: perspective of someone within the network
     • Report findings and recommendations per target
     Benefits
     • More accurate, thorough than VA scan
     • Manual: Live analyst reviews the logic of the application and determines how to leverage access
     • Rules out false positives
     Limitations
     • Time (1 day to 3 weeks)
     • Cost
  6. Comparison
     Vulnerability Scan | Penetration Test
     • Automated | Manual (main difference)
     • Minutes | Days
     • Scheduled | Annually (after significant change)
     • Passive | Aggressive
     • Report false positives | Rules out false positives
     • Programmed | Intuitive
     • Identical scans | Accurate/thorough
     • N/A | Exploitation
     Both tests work together to encourage optimal network security
  7. Conclusion
     • Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and 1/3 total breaches. – Data Breach Intelligence Report, 2012
     “History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst… Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did.” - Bruce Schneier: cryptographer, security expert