Network Security
Vulnerability Scanning & Penetration Testing
About Us
> Assisted >1 million merchants
> Largest PCI support staff worldwide
> Certified as ASV, PFI, QSA, PA-QSA
> Member of PCI Security Standards Council task forces and special interest groups
> Performs on-site auditing, forensic investigations, penetration testing, vulnerability scanning, security consulting, PCI compliance
> Offers network security devices, data discovery software
Testing Network Security
• 93% of large organisations and 76% of small businesses experienced a security breach in 2011 (Information Security Breaches Survey, 2012)

• Compromise costs
  • Financial penalties
    • Average organisational cost $5.5 million (Ponemon Institute, 2012)
  • Significant loss of reputation/brand trust
• Various ways to test network security
  – Vulnerability scan (together with penetration testing, the most thorough)
  – Penetration test
  – Anti-virus/anti-malware software
  – Appliances (Intrusion Prevention Systems)
  – Anti-spyware software
Vulnerability Scan (VA scan)
An automated, high-level test

• Identifies network weaknesses and ranks how critical they are
• Gives a beginning look at what could possibly be exploited

Process
• Should be conducted by an accredited company (e.g., a PCI SSC Approved Scanning Vendor)
• Automatic network scans on a quarterly basis
• Report of weaknesses, which will include false positives
• Weaknesses patched on a prioritised basis
• A good VA scan searches for over 50,000 vulnerabilities

Benefits
• Quick high-level look at possible vulnerabilities
• Very affordable
• Automatic
• Takes a matter of minutes

Limitations
• Sometimes the test falsely classifies an object as a vulnerability (false positive)
• Each reported vulnerability must be manually checked before testing again
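The VA scan process above (scan, report that still contains false positives, manual check, patch on a prioritised basis) as a small triage script. This is an added example, not code from the presentation or from SecurityMetrics: the CSV export format, the hosts, plugin names, CVSS scores and analyst verdicts are all constructed for illustration, and the only real rule it encodes is the PCI ASV convention that any open finding with a CVSS base score of 4.0 or higher fails the scan.

```python
"""Triage of a vulnerability-scan report: de-duplicate findings, apply
manual verification results (false positives), and emit a prioritised
patch list.

Added example, not code from the presentation or SecurityMetrics. The
report format and every finding below are constructed; real ASV scanners
export their own CSV/XML/JSON formats."""
import csv
import io
from dataclasses import dataclass

# Constructed scan export, one row per finding. Hosts, plugin names and
# CVSS scores are made up for this example.
SCAN_CSV = """host,port,plugin,cvss,evidence
10.0.0.5,443,TLS 1.0 enabled,4.3,"Server accepted TLSv1.0 handshake"
10.0.0.5,443,Apache 2.2.15 outdated,7.5,"Banner: Apache/2.2.15"
10.0.0.7,22,SSH weak MACs,2.6,"hmac-md5 offered"
10.0.0.9,80,SQL injection in /login,9.8,"Error-based SQLi on parameter 'user'"
10.0.0.9,80,Directory listing /backup/,5.3,"Index of /backup/"
10.0.0.7,22,SSH weak MACs,2.6,"hmac-md5 offered"
"""

# PCI ASV scans treat an open finding with CVSS >= 4.0 as a failing scan;
# lower scores are still reported but do not by themselves fail it.
PCI_FAIL_THRESHOLD = 4.0


@dataclass
class Finding:
    host: str
    port: int
    plugin: str
    cvss: float
    evidence: str
    status: str = "unverified"   # unverified | confirmed | false_positive


def parse_report(text):
    """Parse the CSV export into Finding objects, dropping exact duplicates
    (scanners commonly re-report the same plugin for the same service)."""
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["host"], int(row["port"]), row["plugin"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(Finding(row["host"], int(row["port"]), row["plugin"],
                                float(row["cvss"]), row["evidence"]))
    return findings


def apply_verification(findings, verdicts):
    """Apply analyst verdicts keyed by (host, port, plugin). Anything the
    analyst has not checked stays 'unverified' and is still treated as open:
    an unchecked finding is never silently dropped."""
    for f in findings:
        f.status = verdicts.get((f.host, f.port, f.plugin), "unverified")
    return findings


def prioritised_patch_list(findings):
    """Open findings (everything except false positives) ordered by CVSS,
    highest first; ties broken by host and port for a stable list."""
    open_items = [f for f in findings if f.status != "false_positive"]
    return sorted(open_items, key=lambda f: (-f.cvss, f.host, f.port))


def pci_scan_passes(findings):
    """The scan passes only if no open finding is at or above the threshold."""
    return all(f.cvss < PCI_FAIL_THRESHOLD
               for f in prioritised_patch_list(findings))


# Constructed analyst verdicts: the Apache banner is a backported-patch
# false positive (old version string, fix actually applied), while the
# SQL injection was confirmed by hand.
VERDICTS = {
    ("10.0.0.5", 443, "Apache 2.2.15 outdated"): "false_positive",
    ("10.0.0.9", 80, "SQL injection in /login"): "confirmed",
}


def triage(report_text=SCAN_CSV, verdicts=VERDICTS):
    """Full cycle: parse, apply manual checks, return the patch order."""
    findings = apply_verification(parse_report(report_text), verdicts)
    return prioritised_patch_list(findings)


if __name__ == "__main__":
    ordered = triage()
    for f in ordered:
        print(f"{f.cvss:4.1f} {f.host}:{f.port} {f.plugin} [{f.status}]")
    print("PCI scan passes:", pci_scan_passes(ordered))
```

The point of keeping a separate `status` rather than deleting false positives from the list is that the verdict is evidence the next quarterly scan will need again: the same banner will be flagged again, and the analyst's note is what lets it be closed quickly.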
Penetration Test
An exhaustive, live examination

• Live attempt to exploit vulnerabilities
• Analyst takes on the "hacker" role
• Tries to fake passwords, manipulate code, and fool web servers into giving up sensitive information

Process
• Run an automatic vulnerability scan
• Follow up on reported vulnerabilities
• Prove the vulnerability can be exploited
• Internal and external testing
  • External: perspective of a hacker over the Internet
  • Internal: perspective of someone within the network
• Report findings and recommendations per target

Benefits
• More accurate and thorough than a VA scan
• Manual: a live analyst reviews the logic of the application and determines how to leverage access
• Rules out false positives

Limitations
• Time (1 day to 3 weeks)
• Cost
Comparison

Vulnerability Scan          | Penetration Test
----------------------------|------------------------------------------
Automated                   | Manual (main difference)
Minutes                     | Days
Scheduled (quarterly)       | Annually, and after any significant change
Passive                     | Aggressive
Reports false positives     | Rules out false positives
Programmed                  | Intuitive
Identical scans each run    | Accurate/thorough
No exploitation             | Exploitation

Both tests work together to encourage optimal network security
Conclusion
• Computer intrusion was responsible for 83% of the total reported exposed records in 2011 and one third of total breaches.
  – Data Breach Intelligence Report, 2012

"History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst… Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did."
  – Bruce Schneier, cryptographer and security expert

Penetration Testing vs. Vulnerability Scanning

Editor's Notes

  • #2 Presentation description: What is expected of a vendor's network security? How do you ensure your company is meeting essential security requirements? With payments security expert Gary Glover, attendees will explore the benefits, limitations, processes, and business relevancy of vulnerability scanning and penetration testing.
  • #4 How do you figure out if you're safe? What is expected? If data is compromised, ignorance will not be an effective excuse. Even if you might not deal with critical data yourself, it is essential to check all environments. VA and penetration testing are the most thorough.
  • #6 Cost: an average pen test is $5-10k and a vulnerability scan is only a couple hundred bucks. Another benefit: if you have a ton of networks set up exactly the same, you can just sample a few instead of paying to test them all (a VA scan is required to test them all).
  • #7 Manual test: the main difference between VA scanning and pen testing. Ruling out false positives: an automated scan is only as good as its code; a pen tester can manually prove false positives. Thoroughness: all automated tools struggle here; a real person can completely review the target scope. Exploitation: if an analyst finds it, they can determine the inherent risk of the issue at that time. Most automated scans can't authenticate; they work from an external perspective and are not usually given login credentials to authenticate and look into internal applications. Talk about how these two work together! They need both!
  • #8 Network security testing is required for Payment Card Industry Data Security Standard compliance. Database exploitation: pen testers are able to obtain full credit card data, full customer contact info, trade secrets, and social security numbers within a matter of days. In 90% of cases where SQL injection is present, SecurityMetrics penetration testers can get inside the database.
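What "prove the vulnerability can be exploited" on the Penetration Test slide and the database exploitation in note #8 look like in practice, as an added example that is not code from the presentation or from SecurityMetrics: a constructed login against an in-memory SQLite database, the two payloads a tester would use to turn a scanner's "possible SQL injection" into proof (authentication bypass, then UNION-based extraction of a different table), and the parameterised fix. The schema, function names, and the card numbers (standard test values, not real accounts) are all hypothetical.

```python
"""Turning a scanner-reported SQL injection into proof, then fixing it.

Added example, not the presentation's or SecurityMetrics' code. The
application, its schema and the card data are constructed for the
demonstration; the card numbers are well-known test values."""
import sqlite3


def build_db():
    """Constructed 'merchant' database: a users table for login and a
    separate cards table the login code never intends to expose."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE cards(id INTEGER PRIMARY KEY, holder TEXT, pan TEXT);
        INSERT INTO users(username, password) VALUES ('alice', 'correct-horse');
        INSERT INTO cards(holder, pan) VALUES
            ('Alice Example', '4111111111111111'),
            ('Bob Example',   '5555555555554444');
    """)
    return con


# --- vulnerable login: the pattern a scanner flags from an error message ---
def login_vulnerable(con, username, password):
    """String-built query; user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]


# --- hardened login: parameterised query, input never parsed as SQL ---
def login_safe(con, username, password):
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


# Payloads a tester uses to go from "scanner says possible SQLi" to proof.
# The trailing '-- ' comments out the rest of the original statement.
BYPASS_USER = "' OR '1'='1' -- "                                   # log in as anyone
UNION_USER = "' UNION SELECT holder || ':' || pan FROM cards -- "  # read another table


def prove_exploit(login):
    """Run both payloads against a login function on a fresh database and
    report whether authentication was bypassed and what rows leaked."""
    con = build_db()
    bypass = login(con, BYPASS_USER, "wrong-password")
    dump = login(con, UNION_USER, "wrong-password")
    return {"bypassed": bool(bypass), "leaked_rows": dump}


if __name__ == "__main__":
    print("vulnerable:", prove_exploit(login_vulnerable))
    print("hardened:  ", prove_exploit(login_safe))
    print("normal login still works:",
          login_safe(build_db(), "alice", "correct-horse"))
```

The same two calls against `login_safe` return nothing: the payload is compared as a literal username. That is also how a tester rules out a scanner false positive on an endpoint that is already parameterised, by running the proof and getting no result rather than trusting the banner or error message the scanner keyed on.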