Did you know Cybrary's video training is FREE? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
Penetration testing vs. Vulnerability Scanning (part 1) This lesson dives into the differences between penetration testing and vulnerability testing and when each should be used. We begin by defining and exploring penetration testing and what data its outcomes reveal. You can also learn the nitty-gritty aspects of penetration testing in our Cybrary online course, Penetration Testing and Ethical Hacking. [toggle_content title="Transcript"] In this video we're discussing in section 3.8. We have to explain the proper use of penetration testing versus vulnerability scanning. We start this section by discussing penetration testing. Organizations could buy the most expensive fire walls, the most expensive intrusion detection systems, they could hire or they could employ the most expensive administrators but does that really mean they're secure? Not really. You could rent the most expensive facilities but that does not really mean you are secure. How do we check for security? You employ penetration testers. These are teams of professionals certified in various areas of information security, physical access, logical access, cryptography, social engineering, and other forms of manipulations. You want this team to test your environment, test your network, see if you're really secure. What these teams will do is they'll come together with a collection of skills, knowledge, and experience and they will like to verify that there are threats within your network environment. They have to verify that it tried to exist. We as business managers might introduce technology but cannot tell that technologies also have threats that could exploit the vulnerabilities that are inherent in those technologies. Penetration testing team would help review all the technology in use and identify possible threats that exist for every technology they use. They could be accessed controls, they could be physical controls, they could be logical controls that you put in place. Logical control involves things like; fire walls, passwords, encryption and other technologies like that. It is the duty of the penetration testing team to identify these threats. Now you will see that it is good practice you employ a team that is very professional, knowledgeable, otherwise they can't identify the threat. Now not using a team that is skilled enough might give you a false sense of security, you think you're secure meanwhile you are not really secure. They also need to bypass your security controls. To bypass the security controls they must find the security controls. By finding the security controls then they try to bypass it, if they can bypass it that is proof of concept that your security controls are not robust enough because when the malicious people show up they are also going to bypass these controls so you need to identify the controls ahead of time so that you can ensure that these controls are robust and cannot be bypassed. The penetration testers would also actively test your security controls. It is not just sufficient to check that the security controls are in place. The controls could be in place but they could be weak. The controls could be in place but they are not enforcing the objectives so the malicious persons, the penetration testers would actively test the security controls. If you say you have a firewall in place they push traffic to the firewall to see what is led through the firewall or what is blocked, compare that to the firewall rules to determine if the firewalls are really doing what they're supposed to do. They would identify the numerous security controls within the facility it could be physical access, logical access then test these controls. This type of testing is very intrusive, you are actually touching the controls, interacting with the controls. They also need to exploit vulnerabilities so that they're able to exploit the vulnerabilities mean they can identify the vulnerabilities. What is a vulnerability? A Vulnerability is the weakness or absence of a control. The weakness or absence of a control will be exploited by the penetration testers to show proof of concept that they can exploit it malicious persons can also exploit it. Now having done all this testing the penetration testers would then give suggestions as to how to remediate the problems that they found, how to remediate the controls that are missing or that are weak, how to fix access to the facility or even how to correct user behavior. All of these will be accessed by the penetration testers and recommendations are given to management as to how to remediate these issues. [/toggle_content]