Geraint Williams, Senior Consultant at IT Governance, explains: “Vulnerability scanning examines the exposed assets (network, server, applications) for vulnerabilities – the downside of a vulnerability scan is that false positives are frequently reported. False positives may be a sign that an existing control is not fully effective, i.e. sanitizing of application input and output, especially on web applications.
Penetration testing looks at vulnerabilities and will try to exploit them. The testing is often stopped when the objective is achieved, i.e. when access to a network has been gained – this means there can be other exploitable vulnerabilities not tested.”
“Organizations need to conduct regular testing of their systems for the following key reasons:
- To determine the weaknesses in the infrastructure (hardware), application (software) and people in order to develop controls
- To ensure controls have been implemented and are effective – this provides assurance to information security and senior management
- To test applications that are often the avenues of attack (Applications are built by people who can make mistakes despite best practices in software development)
- To discover new bugs in existing software (patches and updates can fix existing vulnerabilities, but they can also introduce new vulnerabilities).
The worst situation is to have an exploitable vulnerability within infrastructure, application or people that you are not aware of, as the attackers will be probing your assets even if you are not. Breaches, unless publicized by the attackers, can go undetected for months.”
Vulnerability scanning and penetration testing can also test an organization's ability to detect intrusions and breaches. Organizations need to scan the externally available infrastructure and applications to protect against external threats. They also need to scan internally to protect against insider threats and compromised individuals. Internal testing needs to include the controls between different security zones (DMZ, cardholder data environment, SCADA environment, etc.) to ensure these are correctly configured.
Pen testing should be conducted regularly, to detect recently discovered, previously unknown vulnerabilities. The minimum frequency depends on the type of testing being conducted and the target of the test. Testing should be at least annual, and perhaps monthly for internal vulnerability scanning of workstations; standards such as the PCI DSS recommend intervals for the various scan types.
Pen testing should be undertaken after deployment of new infrastructure and applications as well as after major changes to infrastructure and applications (e.g. changes to firewall rules, updating of firmware, patches and upgrades to software).