Vulnerability scan or penetration test? Is that really the question?

Vulnerability scans and penetration tests are often confused by organisations and it is far too common to hear the terms being used incorrectly. So, what is the difference between the two and in what instances should we be using each of them?

A vulnerability scan is an automated, high-level test that looks for and reports on known weaknesses in an organisation's systems, such as missing patches, exposed services and weak configurations. Because the threats facing organisations evolve continually, scans should be run regularly: in an ideal world businesses of all sizes would scan every week, and at the very minimum monthly.

A vulnerability scan can be run manually, but for small and medium-sized businesses scheduling it to run automatically is preferable. It is important to remember that scanning is only useful if the report it generates is read thoroughly and the issues it highlights are fixed (or consciously accepted); a scan that nobody acts on provides no protection.

A plethora of software solutions and services is available, with vastly different price tags and varying suitability depending on the organisation's size, type and, in particular, the IT resources available. It is therefore important to look at the options carefully and to take a practical view of the resources your organisation can dedicate to the process: a scanner that produces findings nobody has time to fix adds cost without reducing risk.
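The scan-and-review loop described above, as an added example that is not part of the original post: a Python script that parses an nmap XML report (a constructed sample is embedded inline so it runs offline), compares the open ports it finds against the previous scan's accepted baseline, and flags new exposures and high-risk services so that the weekly report is actually acted on rather than filed. The baseline set, the high-risk service list and the nmap invocation mentioned in the comments are assumptions made for illustration, not anything the article prescribes.

```python
"""Triage a scheduled nmap scan against last week's baseline.

Added example, not code from the original article. It assumes the weekly
scan is produced with something like `nmap -sV -oX report.xml <targets>`
and that the previous week's accepted findings are kept as a baseline set.
Both inputs are constructed inline here so the script runs offline.
"""
import xml.etree.ElementTree as ET

# Constructed sample nmap XML output, trimmed to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="open"/>
        <service name="ms-wbt-server"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Last week's accepted findings (constructed baseline): SSH on the bastion is expected.
BASELINE = {("10.0.0.5", "tcp", 22)}

# Services assumed never to be acceptable on this network (illustrative policy).
HIGH_RISK_SERVICES = {"ftp", "telnet", "ms-wbt-server", "smb", "microsoft-ds"}


def parse_open_ports(xml_text):
    """Return {(addr, proto, port): service_name} for every port nmap reports open."""
    root = ET.fromstring(xml_text)
    findings = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposures
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            findings[(addr, port.get("protocol"), int(port.get("portid")))] = name
    return findings


def triage(findings, baseline):
    """Split findings into new-since-baseline, high-risk, and closed-since-baseline."""
    new = {k: v for k, v in findings.items() if k not in baseline}
    high = {k: v for k, v in findings.items() if v in HIGH_RISK_SERVICES}
    closed = baseline - set(findings)  # previously open, now gone: remediation confirmed
    return {"new": new, "high_risk": high, "closed": closed}


def format_report(report):
    """Render the triage as one line per item, high-risk new services first by flag."""
    lines = []
    for (addr, proto, port), svc in sorted(report["new"].items()):
        flag = "HIGH" if svc in HIGH_RISK_SERVICES else "new"
        lines.append(f"[{flag}] {addr} {proto}/{port} {svc}")
    for addr, proto, port in sorted(report["closed"]):
        lines.append(f"[closed] {addr} {proto}/{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    report = triage(parse_open_ports(SAMPLE_NMAP_XML), BASELINE)
    print(format_report(report))
```

The point of diffing against a baseline is that a weekly scan of an unchanged estate produces a report that is mostly noise; only the lines marked new or HIGH need a human decision, and the closed lines confirm that last week's fixes actually landed. Anything accepted this week is added to the baseline before the next run.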

Penetration testing is a more thorough examination of an organisation's defences and is therefore carried out much less frequently, typically once an organisation has the basics in place (such as regular scanning and patching) and wants those defences tested to a higher standard.

A penetration test is a hands-on examination by a qualified professional who tries to find and exploit weaknesses in an organisation's systems, both physical and logical. It needs to be carefully scoped and planned, because actually exploiting weaknesses (rather than merely reporting them, as a scan does) carries a real risk of disruption to live systems and data.

The planning of the test must cover, among other things: the time window in which testing may take place; what is in and out of scope; objectives; testing limits; the expected behaviour of the tester; how incidents and breaches discovered during the test are reported; and who the key stakeholders and points of contact are.

Where the agreed scope allows, the tester should not only try to penetrate the IT systems but also try to gain access to the premises to find physical information (e.g. paper files) left in view. Techniques such as social engineering can also be deployed to help breach defences, again only where the scope permits.

Because of its cost and nature, penetration testing has historically been seen as a tool accessible only to larger organisations. However, with the introduction of GDPR and the increased awareness of, and importance placed on, security, penetration testing has evolved and become accessible to almost all organisations.

For help in understanding the steps needed to secure your organisation and the data it holds, or for more information on how to set up scans and testing, please get in touch.
