With businesses today having to abide by one or more compliance standards such as NIST, PCI or HIPAA, the question of penetration testing and vulnerability scanning often arises. Many compliance standards require that you perform these tests at least annually, but very little additional information is provided about what that means.

To begin, there is a difference between vulnerability scanning and penetration testing.  Vulnerability scans will help determine what possible vulnerabilities or potential breach points there are in your network.  A penetration test would then attempt to exploit those vulnerabilities to gain access to valuable internal resources and systems. While both pieces of the puzzle are important, they are very different.

Once you are at the penetration testing portion of your security protocol, there are different levels of testing that can be performed. There are automated tools that can be run to try to exploit vulnerabilities found by a scan or otherwise identified by a security expert. These tools can run both static and dynamic exploit procedures in an attempt to gain access through a breach point. Taking the testing a step further, manual penetration testing performed by a security professional can help find deeper breach points that might take some extra effort to exploit.

It is important to understand the liability you have if your network were to be breached so you can formulate a proper security plan for your organization. Recent statistics show that 43% of cyber attacks were leveled against small businesses in 2016 and 60% of those businesses closed within 6 months of the attack. Protecting your organization by proactively finding and closing your potential breach points could be critical to your survival.

Michael Giuffrida from Southington, CT has been advising businesses on cyber security since 1997. He is an experienced entrepreneur in business management, profitable growth, business valuation, mergers and acquisitions, and information technology managed security services.