Frequently, new or existing clients will come to us requesting a penetration test. Usually, one of the first things we tell them is that they do not need a penetration test done…yet. Within IT, and within InfoSec specifically, there is a disconnect between terms used by industry professionals, their clients, and the media/public. Two of the most confusing terms are:
- Penetration Testing
- Vulnerability Scanning
Most clients will seek out security consulting services to have a ‘pen test’ performed, without knowing what a penetration test entails. Too often they picture a scene from Mr. Robot, or Hackers – someone in a darkened room, in front of a console, furiously typing away to hack into servers.
Most of our clients are organizations that have not worked with a security consulting firm before, but are used to working with managed service providers, so they expect to be sold hardware or software solutions. Because COMPASS is vendor agnostic, we evaluate what our clients’ needs are, and then offer a series of services that we think will help our clients achieve their goals.
As previously mentioned, we almost always have the conversation about Penetration Testing. Whenever we discuss this with our clients we try to help them understand the difference between a penetration test and a vulnerability scan. So, let us get into defining the two:
A Penetration Test has a specific goal, to exploit weaknesses and gain access to data within your network, to achieve administrator privileges or possibly alter financial data. A Penetration Test should not be performed as a start to your information security program. It should be something performed when you have a security configuration in place that needs to be tested for example; once you have established a patch management process, hardened network devices and essentially closed any known gaps within your network architecture.
A Penetration Test should only be performed once vulnerability assessments have been executed and all remediations implemented, since they can be expensive and should be employed when you want to test security that is already assumed to be in place and adequate.
A Vulnerability Scan or Assessment, whichever flavor you prefer, should be an organization’s first step in building a strong security stance. Vulnerability scans are technical assessments that that are designed to discover as many vulnerabilities as possible within a target network. Vulnerability scan reports include severity ratings for the discovered vulnerabilities, remediation/mitigate instructions and allows for prioritization of vulnerability remediation.
A Vulnerability Scan/Assessment should be performed at the start of your security journey. It will help you to generate a prioritized list of things wrong with the network, from OS patches and third-party vulnerabilities to open ports and services running on perimeter devices. The goal of a vulnerability scan should always be to fix as many findings as possible.