Not using vulnerability and penetration tests?
In 2020, hacking accounts for over half of all data breaches, and in the last 3 years, phishing websites have grown by over 130%. It is expected that by 2021 a business will fall victim to ransomware every 11 seconds. According to Norton (2018 article), by 2023 cybercriminals will steal 33 billion records and identity theft will impact 60 million Americans, while the average time to identify a data breach is 196 days.
Vulnerability Testing vs Penetration Testing
These 2 topics are closely related, but they are 2 completely different useful tools in the Managed Service Provider’s toolbox. This weblog is going to quickly explain the differences and why you would want either or both scheduled as a regular regimen of exercises with your MSP: test, evaluate, adjust and re-test!
What is vulnerability scanning?
A vulnerability scanner is an application or appliance that scans and records vulnerabilities by port, application and software version. A vulnerability scanner is usually on the WAN, but sometimes on the LAN. It is used to identify the operating system and the software installed, as well as other attributes such as open ports and user accounts.
Typically a report is generated and made available that would list all the currently known exploits and possibly provide some remediation steps to remove these risks. A report would summarize and include an inventory of all the systems (including servers, desktops, laptops, virtual machines, containers, firewalls, switches, and printers) connected to the network it is scanning.
So what is penetration testing then?
A penetration test is usually conducted by a group of experts, usually outside of your network, who figure out the best way to establish how vulnerable your network is to a hacker or malicious virus. This is sometimes referred to as third-party security testing or pen testing by ‘white hat’ technologists.
Pen testing is usually designed to identify network security issues and other vulnerabilities, improve employee security awareness, identify poor security practices and policy compliance failures, and assess the IT team’s attack response effectiveness.
This can sometimes create outages (by design) and can be extremely useful in establishing changes to procedure and resource training. Usually management is in the know and the IT response team isn’t.
While both are useful and can be conducted by your own internal teams using a myriad of tools, doing so won’t be as useful as hiring an expert to do either test and provide recommendations. It isn’t typical that your in-house IT team would want to knowingly expose their own weaknesses that might be identified by a penetration test.
Many experts believe that an independent third party would examine your network with a fresh set of eyes and be more likely to spot potential issues. Most IT technical staff may actually leave you blinded to possible security vulnerabilities when conducting on-site security testing, due to their own familiarity with the network being tested.
Why conduct regular testing?
Having the capability to run your own tests is still a good idea because it enables you to run a test whenever you buy new equipment, install new software or make other big changes to your network, alerting you to obvious vulnerabilities you’ve overlooked.
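One way to put the re-test step into practice is to compare the scan taken before a network change with the scan taken after it, using the same port, application and software version records described above. The following is an added example, not code from this article or any scanner vendor; the "host port service version" record layout, the function names and all sample data are constructed assumptions.

```python
# Added example. The "host port service version" layout and the sample
# records are constructed; adapt parse_inventory() to your scanner's export.
from typing import NamedTuple

class Finding(NamedTuple):
    host: str
    port: int
    service: str
    version: str

BASELINE = """
10.0.0.5 22 ssh OpenSSH_8.2
10.0.0.5 443 https nginx_1.18.0
10.0.0.9 9100 jetdirect printer-fw_2.1
"""
RETEST = """
10.0.0.5 22 ssh OpenSSH_8.4
10.0.0.5 443 https nginx_1.18.0
10.0.0.12 3389 rdp unknown
"""

def parse_inventory(text):
    """Parse scan records into {(host, port): Finding}; reject malformed lines."""
    inventory = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(None, 3)
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        if len(fields) != 4 or not fields[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'host port service version'")
        host, port, service, version = fields
        inventory[(host, int(port))] = Finding(host, int(port), service, version)
    return inventory

def diff_scans(baseline, retest):
    """Return what appeared, disappeared or changed between two scans."""
    new = sorted(retest[k] for k in retest.keys() - baseline.keys())
    closed = sorted(baseline[k] for k in baseline.keys() - retest.keys())
    changed = sorted((baseline[k], retest[k])
                     for k in baseline.keys() & retest.keys()
                     if baseline[k] != retest[k])
    return {"new": new, "closed": closed, "changed": changed}

if __name__ == "__main__":
    result = diff_scans(parse_inventory(BASELINE), parse_inventory(RETEST))
    for f in result["new"]:
        print(f"NEW     {f.host}:{f.port} {f.service} {f.version}")
    for f in result["closed"]:
        print(f"CLOSED  {f.host}:{f.port} {f.service} {f.version}")
    for old, cur in result["changed"]:
        print(f"CHANGED {old.host}:{old.port} {old.version} -> {cur.version}")
```

Anything reported as NEW after a change is the first thing to evaluate, since it is exposure that was not there at the last test.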
Being proactive and looking for exploits and potential vulnerabilities will continually improve your teams’ baseline skills and response procedures in the event of a real compromise. Remember to test, evaluate, adjust and re-test. A typical ransom request is to pay 1 bitcoin to have your files unlocked. Bitcoin just climbed over $32,000 USD this holiday season. This doesn’t include the cost of your downtime…
The ultimate goal would be to have an affordable, fully redundant, centrally managed and secure, disaster proof IT infrastructure where you no longer have to worry about any of it and can focus on being successful in your business.
Why not get in touch with us? Aside from providing some of these automated testing platforms, we would be ecstatic to help another business elevate their success. This is what motivates us and would make our day!