One Article Review

Source AlienVault Blog
Identifier 2001643
Publication date 2020-10-29 05:01:00 (viewed: 2020-10-29 06:12:45)
Title Vulnerability scanning vs. Penetration testing: comparing the two security offerings
Text This blog was written by a third party author.

It’s no secret: the number of security vulnerabilities organizations must contend with is overwhelming. According to a 2019 Risk Based Security report, there were 22,316 newly discovered vulnerabilities last year. One Patch Tuesday disclosed a record number of 327 vulnerabilities in a single day. Just keeping up is becoming a monumental task. But knowing where and how your organization may be vulnerable is critical to maintaining a healthy security posture.

As vulnerabilities add up and the threat landscape widens, two crucial strategies for understanding where you are and where you need to be security-wise are vulnerability assessments and penetration tests. At the very core, almost all organizations should be doing both. If you’re not, you may be exposing yourself to great risks. It’s easy to understand why some may confuse the two strategies (they are complementary, after all), but there are key differences between vulnerability assessments and penetration testing.

The differences between vulnerability scanning and penetration testing

Vulnerability scanning is typically conducted with software that uses automated processes to look for known vulnerabilities across various systems. Once complete, a report on risk exposure is generated. Penetration testing (or pen tests), on the other hand, relies on manual processes and is typically carried out by one or more cybersecurity experts who try to find holes and exploits within your system architecture. Penetration testing is sometimes referred to as ethical hacking, in that you are enlisting the help of a third party to “hack” into your systems to see if they are easily penetrable.

Vulnerability testing determines the extent to which critical systems and sensitive information are vulnerable to compromise or attack due to outstanding patches and/or common security misconfigurations. Penetration testing takes this a step further and exploits the vulnerabilities identified in order to gain access to critical systems, sensitive information, or a specified trophy. While automated vulnerability scanning can help you identify security flaws that need remediation, it can’t holistically help you evaluate the strength of your organization’s security controls against the complex strategies a human attacker might employ, for instance chaining multiple vulnerabilities together as part of an overall kill chain.

Here’s an analogy that underscores the difference between the two strategies. If your systems were a car and the threat landscape were rough roads and icy conditions, a vulnerability scan would represent the vehicle’s 10-point check (tires, suspension, engine, etc.). A pen test would represent taking the car on a test drive down a rough road in bad weather to see how everything holds up.

It's important to remember that a pen test isn't just capitalizing on vulnerabilities that a vulnerability scanner would discover. Pen tests dig deeper into the configurations and interactions between devices and systems (and where they are located) that can be exploited. There are many cases in which your environment “passes” a vulnerability scan without any identified issues but could still be insecure. You wouldn’t know this without a proper pen test.

Why perform vulnerability scans or pen tests?

New vulnerabilities are discovered and disclosed every day. While compliance mandates or basic security strategies may dictate that you patch at least monthly, vulnerability scans executed more frequently are recommended. This way, organizations benefit significantly by gaining an accurate representation of their security profile. Depending on the co
Sent Yes
Tags Vulnerability Threat