Companies that need to meet HIPAA, PCI, PII, and other contractual requirements are required to have their security tested periodically. The tests check security from outside the firewall to see what, if anything, is accessible from the Internet. Some tests also require a look at the inside of the network to determine what is easily compromised if an attacker gains access to a computer on the inside. Tests to meet security requirements fall into two buckets: vulnerability tests and penetration tests. Many companies in our industry use the term "penetration test" to describe what are actually vulnerability tests or port scans. What are the differences between the two tests?
Vulnerability tests only test what can be reached on the internal network from the Internet. The first step in a vulnerability test is to run a port scan on the public IP addresses used by a company to discover open ports. Common open ports include HTTP, HTTPS, FTP, RDP, and SMTP. In a vulnerability test, each open port is probed to see whether the computer responds as the application commonly associated with that port. If the computer responds, the response is evaluated to see whether well-known exploits could be used to gain access to the computer. From the moment a vulnerability test is started to when it generates its findings, the process is fully automated; there is no human intervention. Vulnerability tests are required for HIPAA and PCI compliance and need to be conducted at least annually. Costs for vulnerability tests range from $100 to $250 per public IP address.
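To make that automated step concrete, here is an added example in Python (not from the original post) that models how a scanner evaluates port-scan results: it parses a constructed scan listing, flags services that an assumed exposure policy says must not face the Internet, and matches service banners against a small constructed table of known-vulnerable versions (placeholder ids, not real advisories).

```python
from collections import namedtuple

# Ports the post names as commonly found open on public addresses.
COMMON_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 443: "HTTPS", 3389: "RDP"}
# Assumption for this example: policy says these services must never face the Internet.
NEVER_PUBLIC = {"FTP", "RDP"}
# Constructed lookup of (service, version) -> finding id; placeholders, not real advisories.
KNOWN_VULNERABLE = {("FTP", "1.0"): "EXAMPLE-FTP-OLD", ("HTTP", "2.2"): "EXAMPLE-HTTP-OLD"}

Finding = namedtuple("Finding", "ip port service severity reason")

def parse_scan(text):
    """Parse constructed scan lines of the form '<ip> <port> <state> [<banner>]'."""
    rows = []
    for line in text.strip().splitlines():
        ip, port, state, *rest = line.split(maxsplit=3)
        rows.append((ip, int(port), state, rest[0] if rest else ""))
    return rows

def evaluate(rows):
    """Automated evaluation: exposure policy first, then banner version lookup."""
    findings = []
    for ip, port, state, banner in rows:
        if state != "open":
            continue  # closed or filtered ports are not reachable; nothing to evaluate
        service = COMMON_PORTS.get(port, f"tcp/{port}")
        if service in NEVER_PUBLIC:
            findings.append(Finding(ip, port, service, "high", "service should not be reachable from the Internet"))
        if not banner:
            findings.append(Finding(ip, port, service, "info", "open port but no application response"))
            continue
        version = banner.split()[-1]  # constructed banner format: '<product> <version>'
        vuln = KNOWN_VULNERABLE.get((service, version))
        if vuln:
            findings.append(Finding(ip, port, service, "medium", f"banner matches {vuln}"))
    return findings

# Constructed sample scan output; 203.0.113.0/24 is a documentation range, not real hosts.
SAMPLE_SCAN = """
203.0.113.10 80 open httpd 2.2
203.0.113.10 443 open httpd 2.4
203.0.113.10 21 open vsftpd 1.0
203.0.113.11 3389 open
203.0.113.11 25 closed
"""

if __name__ == "__main__":
    for f in evaluate(parse_scan(SAMPLE_SCAN)):
        print(f"{f.severity:6} {f.ip}:{f.port} {f.service}: {f.reason}")
```

The closed SMTP port produces nothing, while the exposed FTP service yields two findings: one for the exposure policy and one for the banner match.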
Penetration tests are more intense. Penetration tests normally also include looking at the inside of the network for vulnerabilities as well as what can be compromised from the Internet. The biggest difference between a vulnerability test and a penetration test is that a penetration test is actively conducted by a highly skilled ethical hacker. The penetration test starts with a vulnerability test. Once the results of the vulnerability test are returned, the ethical hacker manually tries to gain access to the system using the latest techniques available from the dark web. If the ethical hacker is able to gain access, they will progress through the compromised system to see what else they can reach. This discovery process may take many hours and may reveal that all of a company’s data is at risk. The ethical hacker documents their findings and performs a similar test for each discovered open port. Once the external vulnerabilities are tested and documented, the ethical hacker is given access to the internal network to identify security weaknesses there. A full penetration test ranges from $8,000 to tens of thousands of dollars depending on the size of the company and the number of locations to be tested.
A common problem in our industry is “security” companies advertising a penetration test for $99. Be sure that the $99 test you are buying is really a penetration test; it is most likely only a vulnerability test.