A vulnerability assessment (VA) scan, usually just called a vulnerability scan, is an automated tool that checks computer systems, networks and applications for known weaknesses that could make them vulnerable to cyber-attack. It is sometimes loosely described as a compliance audit or a security assessment, but those terms properly refer to broader exercises; the objective of a VA scan itself is to identify known vulnerabilities and weak configurations that an attacker may exploit.
Although VA scans are often marketed as the only security test your business needs, they are not designed to test how well your existing security controls hold up against a skilled human attacker. Instead, they run predetermined scripts against databases of signatures to check systems for out-of-date software, missing patches, weak or default configurations and weak or default credentials. A scanner reports whether a known issue appears to be present; it does not judge whether your defences would stop someone who chains several lesser issues together. As a result, even an organization with a clean scan report could still be vulnerable.
While automated assessments like VA scans are an important part of maintaining your organization's security, they are not enough on their own, because they:
- Only check for known vulnerabilities in known software, matched by version or signature
- Cannot properly evaluate custom or in-house applications, for which no signatures exist
- Do not consider the nuances of your business, such as which systems and data actually matter
- Reflect only the state of the systems at the moment of the scan, from the network position and with the access the scanner had
- Cannot adequately check for sensitive information leakage
- Produce findings, including false positives, that still require manual validation and investigation
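To make the first, second and last of these limitations concrete, here is an added example (not code from the original article or from any particular scanner product) that models how a signature-based scanner works: it extracts a product and version from a service banner and compares it against a database of "fixed in" versions. The signature database and the sample banners are constructed for illustration and do not describe real advisories.

```python
import re

# Constructed signature database, for illustration only (not real advisories):
# product -> (regex that extracts the version from a banner, first fixed version)
SIGNATURES = {
    "OpenSSH": (re.compile(r"OpenSSH_([0-9][0-9.]*)"), "9.3"),
    "nginx":   (re.compile(r"nginx/([0-9][0-9.]*)"),   "1.25.0"),
}


def parse_version(text):
    """Turn a version string such as '8.9p1' or '1.24.0' into a tuple of
    ints, e.g. (8, 9), ignoring any non-numeric suffix."""
    numeric = re.match(r"[0-9]+(?:\.[0-9]+)*", text).group(0)
    return tuple(int(part) for part in numeric.split("."))


def version_lt(a, b):
    """Compare version tuples of unequal length by padding with zeros,
    so that (1, 24) < (1, 25, 0) and (1, 25) is not < (1, 25, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def assess_banner(banner):
    """Classify one service banner the way a version-matching scanner does."""
    for product, (pattern, fixed_in) in SIGNATURES.items():
        match = pattern.search(banner)
        if not match:
            continue
        version = match.group(1)
        if version_lt(parse_version(version), parse_version(fixed_in)):
            # The version string is older than the fix. Note that this is only
            # a version comparison: distributions such as Debian and Ubuntu
            # routinely backport security fixes without changing the upstream
            # version number, so this finding still needs manual validation.
            status = "vulnerable"
        else:
            status = "patched"
        return {"banner": banner, "product": product,
                "version": version, "status": status}
    # No signature matched. A custom or in-house application ends up here:
    # the scanner has no way to say anything about it at all.
    return {"banner": banner, "product": None, "version": None,
            "status": "unknown"}


def scan(banners):
    """Run every banner through the signature database."""
    return [assess_banner(b) for b in banners]


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",   # old version string, may be backported
    "Server: nginx/1.25.3",                       # at or above the fixed version
    "Server: AcmePortal/2.1 (in-house)",          # hypothetical custom application
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_BANNERS):
        print(f"{finding['status']:<10} {finding['banner']}")
```

The three results show the three limitations in turn: the OpenSSH banner is flagged purely because its version string is older than the fixed version, which is exactly the kind of finding that needs a human to confirm or dismiss; the nginx banner is passed as patched without any check of how it is configured; and the hypothetical in-house portal produces no finding whatsoever, because no signature exists for it.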
What is Your Cyber Security Strategy Missing?
Penetration testing combines manual and automated techniques to reveal more vulnerabilities and potential points of attack than automated scanning alone. Unlike a VA scan, a penetration test relies on the expertise of trained professionals who simulate the actions of a real attacker against your systems in order to discover weaknesses.
Even well-resourced networks that use the latest attack prevention and detection technologies can be compromised by capable attackers, especially ones with a strong financial motive. A penetration test is thorough by nature: it explores multiple avenues of attack rather than checking a fixed list of known issues under controlled conditions. No vulnerability scan alone detects every weakness, and most attackers do not rely on a single exploit. They combine information and minor weaknesses gathered from different points in various systems to compromise their targets, and a penetration test is the only kind of assessment that exercises those chains.
The fundamental goal of penetration testing is to discover vulnerabilities in target systems or applications, map the attack surface and put the pieces together in an attempt to obtain access to sensitive information or control over a target. For that reason an outside company should perform the penetration test, so that your organization benefits from an independent assessment by people who do not already know the security details, mimicking a real-world scenario.
There are many reasons why a business may want to conduct a penetration test. For some, penetration testing is a regulatory or industry requirement. Others want to protect their organization's reputation, valuable information, intellectual property, customer and employee data, or critical infrastructure and equipment whose compromise could have safety implications. In either case, businesses should look for consultants who think creatively and who customize their approach to your specific business environment and goals.
Looking to assess your organization instead of a particular system component? Review our objective-based penetration testing solution for more details.