Skip to main content

Penetration Testing vs. Vulnerability Testing Your Business Network



Hearing "all of your confidential information is extremely vulnerable, we know this because..." is bad news, but whatever follows the ellipses determines just how bad. Consider two scenarios.
  1. "All of your confidential information is extremely vulnerable... we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware."
  2. "All of your confidential information is extremely vulnerable...we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve." 61% percent of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.
Scenario 2 describes the statement after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of security flaws that a hacker could exploit, and the possible consequences. This is the equivalent of a doctor giving a physical examination. This information will allow you to know what your risks are and plan your security policies accordingly.

Vulnerability tests should be conducted quarterly, and can be done by in-house IT or outside consultants.They should be done quarterly, or whenever you are incorporating new equipment into your IT network.

What is a pen-test: A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have a specific objective (e.g. “compromise this piece of data...) A vulnerability scan tells you “what are my weaknesses?” and pen­test tells you “how bad a specific weakness is.”

How often should you pen-test: Different Industries will have different government mandated requirements for pen­testing. One of the more broad reaching regulations, the PCI DSS, for example, requires pen-testing on an annual basis. However, it is prudent to go beyond the legalminimum. You should also conduct a pen-test every time you have
  • Added new network infrastructure or applications,
  • Made significant upgrades or
  • Modifications to infrastructure or applications,
  • Established new office locations,
  • Applied a security patch
  • Modified end user policies.

Comments

Post a Comment

Popular posts from this blog

Leave virus protection to your MSP Doctor

Leave virus protection to your MSP Doctor Cyberattacks on individuals and businesses for nasty purposes is nothing new. Stealing data, disrupting business, national activities, and just causing general mayhem has been going on for as long as there has been a digital world to attack. Ransomware, however, seems to stand out as a particularly unique and especially troublesome form of crime. For one thing, once an attack has happened, there is likely nothing to do to retrieve your data until you have given in to the demands of the criminals. As a small- to medium- sized business owner, you should never just rely on off-the shelf virus protection programs as the sole tool to protect your organization against cyber crime. In all cases you should rely on an IT professional to look at every aspect of your IT infrastructure to ensure that everything possible is being done to protect your data. Beyond that, ransomware attacks are a particularly troublesome form of crime that requires special...
Post a Comment
Read more

WFH means more vulnerability to cybercrime

WFH means more vulnerability to cybercrime. Here are some methods to stay safe WFH opens up whole new horizons in terms of flexibility, productivity, and cost savings. But, it also opens your business up a little more to cybercriminals, as you can’t have a hands-on approach to cybersecurity, especially if your employees are using their own devices for work. This blog discusses some mechanisms that you can use to mitigate the risks of becoming a victim of cybercrime in the WFH setup. Multi-factor authentication Instead of using a single password for data access, multi-factor authentication adds more layers to security. If WFH has your employees accessing their work computers remotely, then you simply cannot skip multifactor authentication. Multi-factor authentication works by confirming the identity of the user across 3 areas What they know: Examples include asking for User IDs, passwords, answers to ‘secret questions’, verification of their date of birth, etc. What they have: This incl...
Post a Comment
Read more

Keylogger 101

Keylogger 101 We have all heard of hacking, virus, ransomwares, etc. as they keep coming up in the news every now and then. But, have you heard of keyloggers? In this blog post, we discuss keyloggers and how they can be used to gain unauthorized access to your system, online accounts, network and data. As the name suggests, a keylogger logs keys--it captures the keystrokes you make. In fact, use of keyloggers is not illegal. Keyloggers are perfectly legal and are often used by companies to keep tabs on their employees' IT activities during work and closer home, parents use keyloggers to monitor their children’s computer activities for safety and security purposes. But, as with all tools, even keyloggers can be misused and cause a lot of damage if leveraged by a cybercriminal. By logging keystrokes, the keylogger captures passwords and other confidential information. Imagine someone having access to all your usernames and passwords. Your bank accounts, your shopping accounts, your o...
Post a Comment
Read more