Pen Tests, Vulnerability Scans, and Hip-Hop

Darn it! I can't get my Taylor Swift tickets early - they must have pen tested the website!

Among the many parenting challenges of our time, few are more significant than getting one’s 10-year-old daughter successfully enrolled in the dance class of her choice.

How do I know this? 

I know because we have one of those beings living under our roof and last week, when the one and only hip-hop class that worked for her busy schedule opened for registration, it was do or die for the Black family.

Capacity is always tight and with a town full of Dance Moms and Dads vying for spots (last year’s hip-hop class was full at three minutes past the hour), the stress level in our house begins to rise a full 24 hours before the virtual doors open.

I ran multiple dry runs the night before: seeing where to click to sign up, making sure the credit card was properly entered, verifying that all my daughter’s information was up to date. 

I even did a test run with a different, unfilled class, so I could walk all the way through the process up until the final click, in order to familiarize myself with the interface. (Hey, you don’t get to be a cybersecurity guy without being a little obsessive.)

Then, sleepless night. Hands shaking. Sitting on the computer at 7:59 waiting, just waiting, for 8:00.

Success! “I just want to see the confirmation email,” said the Dance Mom in this household.

But I have to confess, as we were preparing the day before, I thought, “I bet the dance sign-up web site wasn’t ‘pen tested.’ I bet I could monkey with the cookies or the URL, or do some sort of injection attack, and get in there before 8:00.”

But then, remembering my disinclination to go to prison, I did none of that. And hey, it’s just a dance class.

But what happens when the consequences are a little (or a lot) more serious? When breaking into a web site involves stealing money? Or selling personal data? Or ransoming a company?

How do businesses with valuable assets know if they are adequately protected?

Vulnerability Scan or Pen Test?

When it comes to completing a comprehensive security assessment, both a vulnerability scan and a pen test (short for “penetration test”) are essential tools. However, while they both serve to identify weaknesses, they differ in scope, methodology, and depth of analysis.

More specifically…

A vulnerability scan is an automated process that scans systems, networks, and applications. It provides a broad overview of potential weaknesses. 

A pen test is a manual, human-operated test performed by an “ethical hacker.” It’s an attempt to simulate a real-world attack by exploiting identified vulnerabilities.

Think of it this way… 

If your business were a home, a vulnerability scan would examine and evaluate all the protections you have in place and look to see if they meet some predetermined standard: quality of locks, gaps between fence slats, on-site security personnel, etc. It would then generate a detailed report highlighting shortcomings and severity levels, and provide links to additional resources for making improvements.

A pen test would involve hiring an experienced burglar to come to your house and attempt to physically break in using a variety of tools and techniques of the trade. This person may ignore some vulnerabilities and exploit others; their goal is to see how much damage could theoretically be done and/or valuables recovered.

The “burglar” would then provide a comprehensive analysis of the home’s security posture, including details about successful attack paths, potential risks, and recommendations for improving overall security.

In general, vulnerability scans are looking for known weaknesses and misconfigurations. They don’t validate whether those weaknesses could actually be exploited – the result is a point-in-time snapshot. A pen test is a deeper dive, looking to determine what could actually happen in the real world.
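To make the "known weaknesses, no validation" point concrete, here is an added example (written for this page, not code from the post or from Fractional CISO) of the core of a banner-based vulnerability scanner. It takes a constructed inventory of discovered services, parses product and version out of each banner, compares the version against a constructed feed of "fixed in" versions, and produces findings with a severity and a `validated` flag that is always `False`, because a scan stops at the match. The product names, hosts, banners and weakness ids (`EXAMPLE-000x`) are all assumptions made up for the example, not real advisories or CVEs; a real scanner would consume vendor or CVE data and probe the network for the banners.

```python
"""Toy banner-matching vulnerability scanner (constructed example).

It flags services whose version is below a known fix version. It never
connects to anything or attempts an exploit; confirming that a flagged
weakness is actually exploitable is the pen tester's job, not the scan's.
"""
import re
from dataclasses import dataclass

# Constructed inventory of (host, port, banner) as a scanner would gather
# by probing the network. Addresses and banners are made up for this example.
SAMPLE_SERVICES = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.5", 80, "Server: nginx/1.14.0"),
    ("10.0.0.7", 443, "Server: nginx/1.24.0"),
    ("10.0.0.9", 21, "220 ProFTPD 1.3.5 Server ready"),
    ("10.0.0.11", 8080, "Server: Apache"),  # no version: cannot be assessed
]

# Constructed "known weaknesses" feed. The ids are placeholders, not real
# CVEs, and the fix versions are invented for the example.
KNOWN_WEAKNESSES = [
    {"product": "openssh", "fixed_in": (8, 0), "id": "EXAMPLE-0001", "severity": "medium"},
    {"product": "nginx", "fixed_in": (1, 20, 1), "id": "EXAMPLE-0002", "severity": "high"},
    {"product": "proftpd", "fixed_in": (1, 3, 6), "id": "EXAMPLE-0003", "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Matches "<product><sep>[v]<dotted version>" for the products in the feed.
BANNER_RE = re.compile(r"(OpenSSH|nginx|ProFTPD)[_/ ]v?(\d+(?:\.\d+)*)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: tuple
    weakness_id: str
    severity: str
    validated: bool = False  # a scan only matches; it never confirms exploitability


def parse_version(text):
    """'1.14.0' -> (1, 14, 0); tuples compare component-wise in Python."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """Return (product, version) or None when the banner carries no usable version."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    return match.group(1).lower(), parse_version(match.group(2))


def scan(services, weaknesses):
    """Match every parsable service against the weakness feed, most severe first."""
    findings = []
    for host, port, banner in services:
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # unknown product or no version: a scan cannot assess it
        product, version = parsed
        for weakness in weaknesses:
            # Flag when the observed version is older than the fix version.
            if weakness["product"] == product and version < weakness["fixed_in"]:
                findings.append(Finding(host, port, product, version,
                                        weakness["id"], weakness["severity"]))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def summarize(findings):
    """Count findings per severity, the headline number a scan report leads with."""
    counts = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_SERVICES, KNOWN_WEAKNESSES)
    for f in results:
        print(f"{f.severity:>8}  {f.host}:{f.port}  {f.product} "
              f"{'.'.join(map(str, f.version))}  {f.weakness_id}  validated={f.validated}")
    print("summary:", summarize(results))
```

Two things in the output are worth noticing against the prose above: the 10.0.0.7 nginx host is not flagged because its version is at or above the fix version, and the Apache host is silently skipped because the banner exposes no version. Both are limits of version matching, and the `validated=False` on every finding is the gap that a pen test is hired to close.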

Which Do We Need?

Typically, since a vulnerability scan is very inexpensive and a pen test is not, it makes sense to do the vulnerability scan first to make sure you have addressed the most glaring weaknesses (there’s no point hiring a “fake burglar” if all the locks on your front door are broken). In fact, given its low cost, you may want to conduct a vulnerability scan on a frequent and regular basis.

When to have a pen test

As for when to invest in a pen test, it’s largely a function of circumstance. Here are five times when it may make sense:

#1. Regularly Scheduled Assessments

In most cases, it makes sense to conduct a pen test every year to ensure your company’s security measures are up to date. This proactive approach helps to ensure that any emerging vulnerabilities are taken care of before they are exploited by bad actors.

#2. Major Infrastructure or System Changes

If you make significant changes – a new network, web application, software systems, etc. – you’ll want to conduct a pen test. This way, you’ll know if any security gaps were introduced as a result of your modifications.

#3. Prior to Launching a New Product or Service

Notice that I said “prior,” not “after.” In the rush to roll out new offerings, many companies temporarily push security aside with the plan to address that soon. Unfortunately, the bad guys don’t give mulligans. Any time customer data or other sensitive information is involved, you’ll want to ensure that things are well secured before turning on something new.

#4. Compliance Requirements

If your company operates in an industry with specific regulatory standards or compliance requirements (healthcare, finance, government, etc.), you may be obligated to perform pen tests on a regular basis. Do what’s required so you can check the box, but beware of investing more than necessary in these.

#5. After a Security Incident

Any time your company has experienced an attack or breach, you should consider a pen test. While you probably resolved the vulnerability that allowed the attack, undoubtedly the attacker didn’t find the only issue. The pen tester can determine whether additional vulnerabilities still exist and need to be addressed.

Security Requires Constant Vigilance

Vulnerability scans and pen tests are two foundational tools for ensuring the security of any organization. They work hand in hand in reducing risk and managing threats to your business.

Deciding which tool to use and when will always be a function of your specific circumstances, environment, and industry demands. 

And by the way, let me know if you need help scoring Taylor Swift tickets the next time she comes to town. I’ve gotten pretty good at getting in – legally! – as soon as those online ticket windows open!

Rob Black
Rob founded Fractional CISO in 2017 and has helped dozens of mid-size SaaS and technology companies improve their security posture as a vCISO. He consults, speaks, and writes on IoT and security. Rob has held product security and corporate security leadership positions at PTC ThingWorx, Axeda and RSA Security. He received his MBA from the Kellogg School of Management and holds two Bachelor of Science degrees from Washington University in St. Louis in Computer Science and System Science and Engineering. He is also a Certified Information Systems Security Professional (CISSP).