What is Vulnerability Scanning and Penetration Testing – Day 29 of Cybersecurity Awareness Month
Mike Miller 00:06
Today we’re talking about vulnerability scanning and penetration testing of company networks and computers. These tasks are important for just about any business to perform. They’re often confused with one another, but they are very different security tests that require a very specific skill set to perform. With us to explain what vulnerability scanning is, and how it differs from penetration testing, is Craig Taylor, co-founder and CEO of CyberHoot. So Craig, what do we need to know about vulnerability scanning and penetration testing?
Craig Taylor 00:39
It’s a great question. It’s often confused. When I’m pulled in to talk to companies, it’s: well, we need this thing called vulnerability scanning and pen testing. It’s the same thing, right? It’s not; they’re very different. Vulnerability scanning is using software, pre-built by a community of security researchers, to interrogate your company, your network, your computers programmatically through a tool. It’s an application you run, and it goes out and touches all the computers and networks. It can be trusted or untrusted.
It can be run from the perspective of a hacker on the internet with no access to the network whatsoever; it’s going to look at all the windows and doors of your firewall or your company network to see what’s unlocked, what’s open and what’s not. It can be run on the inside with credentials, and without credentials, to do the same thing.
When you run a vulnerability scan with credentials, it logs into the computers and the servers and the network and it interrogates the operating system for what version of software is running, what patches are installed, what patches aren’t installed. And so it’s a very good way to get a template of your entire network: what exists, what responds to an IP address, and what risks are associated, what vulnerabilities are inherent in those devices. That’s a vulnerability scan.
On the pen testing side, again, you can do penetration testing being trusted or untrusted. But it’s a human being doing the test. It’s a hacker, or white hat hacker typically, who logs into your network and starts looking at the files that are on the file server. Where a vulnerability scan will just see, oh, there’s files there, a pen tester will see a file called passwords. And he’ll open that up and say, oh, look at this, I have all of the administrative passwords for the network.
Now I can log in to anything I want, and I can get access to any data I want. So penetration testers are real people trying to use the information from a vulnerability scan to escalate their privileges, to steal critical files and data, and to really do what hackers actually do within a network. So they’re very different things.
Mike Miller 02:50
Okay, so vulnerability scanning is more of an automated assessment by scanning software, checking that all the doors and windows of your business are locked.
Craig Taylor 02:59
Mike Miller 03:00
Right. But penetration testing determines whether your locked doors and windows could be picked open in some easy way, I guess. Is that right?
Craig Taylor 03:09
It’s a great analogy. I love that, Mike. And I wish I’d thought of that, because it’s exactly right. A pen tester can pick the locks if they’re not strong enough, if you haven’t patched the lock, so to speak, thinking of locks as applications. Yeah, so that’s exactly right.
Mike Miller 03:26
Okay. So when should a company use either option in protecting their business?
Craig Taylor 03:32
That’s a fantastic question. And I get asked this all the time. I get pulled in to consult with companies that want a pen test, an application test or a vulnerability scan. And I ask them a few key questions. I say, you know, are you training your employees? Are you governing them with policies? Are you doing some very basic things?
And they say, well, no, but we were told we need a vulnerability scan and a pen test. That’s what our assessor, the last company that assessed us, said we needed to do. And thank you for bringing up that slide, because this really gets to the heart of the matter. Imagine you’re in a car accident, you go to the doctor in the emergency room, and you’re bleeding profusely. Does the doctor check your cholesterol or order up a colonoscopy or cancer screening? These are all important medical procedures that, if you’re healthy and well, help you survive in the long run, which is what I consider vulnerability scanning and pen testing to be in a computer or in a typical business environment. You don’t always need those things right away if you’re not doing the things that are more basic to protect your company.
And so imagine this red line is your cybersecurity maturity. On the left, bottom left, is a very low maturity company. And they need to increase their maturity by doing the things that are in that chart that you see there. So for example, on the administrative risks, which are green, they need to do a risk assessment.
They need to start awareness training and governance policies. On the technical side, you need to put two-factor authentication on all your Internet-facing ports, protocols and applications. Make sure antivirus is running everywhere, filter all your email with a spam filter, do asset management, get automated patching in place. Once you have those basics in place, you’ve stopped the bleeding for a company that could be easily compromised. And as you move up the maturity scale, you can start doing more advanced things like adopting a password manager on the technical side, or establishing a stronger risk management framework, hiring a vCISO.
So eventually you get out to the point where you’re so mature you should be doing vulnerability scanning and pen testing, but they’re much later in the maturity of a company. So it’s important, but it’s not necessarily the first thing you want to do.