Relax…Vulnerability Scans and Penetration Tests (PenTests) don’t hurt. There’s no “prep” like with a colonoscopy. But they are just as important.
Sometimes people want to skip the vulnerability scan and go straight to adding security controls (e.g., Endpoint Detection and Response, network monitoring, a firewall, anti-virus, etc.).
Sometimes they think they are already protected because they have a firewall. So why do a vulnerability scan?
When you add security to your system, a vulnerability scan is the critical first step: it tells you what actually needs fixing, rather than leaving you to guess.
So what is the difference between a vulnerability scan and a penetration test?
A vulnerability scan looks for, well, vulnerabilities. The weak spots in your system where a breach could happen.
A penetration test simulates an attack on your system, attempting to exploit the vulnerabilities the scan discovered to show what an attacker could actually do with them.
In other words, if you were to find out that the lock on your front door was loose, you would check it to see if you could get in from the outside without a key.
Then, if you could, you would fix the lock.
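To make the scan-versus-test distinction concrete, here is a small added example (not code from the newsletter or from any scanning product) of what a vulnerability scan actually does: it matches the version a service announces against a list of "fixed in" versions and flags anything older. Every product name, version, rule and banner below is constructed for illustration and refers to no real advisory. The example also shows why the penetration test step matters: a distribution-patched build can carry the fix while still reporting the old version, so a version match is a candidate the tester must try to exploit, not proof.

```python
import re
from dataclasses import dataclass

# Constructed rule set: (product, first fixed version, description).
# Hypothetical products and versions for illustration only; a real scanner
# loads thousands of such entries from vendor and CVE feeds.
RULES = [
    ("acme-httpd", (2, 4, 10), "hypothetical request-handling bug fixed in 2.4.10"),
    ("acme-ftpd", (1, 3, 6), "hypothetical anonymous-write bug fixed in 1.3.6"),
    ("acme-ssh", (8, 2, 0), "hypothetical auth bypass fixed in 8.2.0"),
]

# product, a separator, a dotted version, then whatever the service appended.
BANNER_RE = re.compile(
    r"(?P<product>[A-Za-z][A-Za-z-]*)[/_ ](?P<ver>\d+(?:\.\d+)*)(?P<tail>.*)"
)

# Distribution-patched builds keep the upstream version number while
# carrying the fix, so these suffixes mean "candidate, not proof".
BACKPORT_RE = re.compile(r"(?:^|[^a-z])(?:deb|ubuntu|el)\d+", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: tuple
    issue: str
    note: str = ""           # caveats the scanner attaches; empty if none
    confirmed: bool = False  # only a penetration test may set this


def parse_version(text: str) -> tuple:
    """'2.4.9' -> (2, 4, 9); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


def scan(banners):
    """Version-based scan: flag every service whose banner version is older
    than the rule's fixed version. It never touches the target beyond what the
    banner already said, which is exactly why its results need validation."""
    findings = []
    for host, port, banner in banners:
        m = BANNER_RE.match(banner)
        if m is None:
            continue  # unparseable banner: a real scanner would log this gap
        product = m.group("product").lower()
        version = parse_version(m.group("ver"))
        for rule_product, fixed, issue in RULES:
            if product != rule_product or version >= fixed:
                continue
            note = ""
            if BACKPORT_RE.search(m.group("tail")):
                note = "distro-patched build; version match may be a false positive"
            findings.append(Finding(host, port, product, version, issue, note))
    return findings


def needs_pentest(findings):
    """Findings a scanner alone cannot settle: the tester must try the
    exploit (checking the loose lock from outside) before anyone spends
    effort patching or formally accepts the risk."""
    return [f for f in findings if f.note and not f.confirmed]


# Constructed banners standing in for what a network scan would collect.
SAMPLE_BANNERS = [
    ("10.0.0.5", 80, "acme-httpd/2.4.9"),                   # older than fix
    ("10.0.0.5", 22, "acme-ssh_7.9p1 Debian-10+deb10u2"),  # older, but backported?
    ("10.0.0.6", 21, "acme-ftpd 1.3.6"),                    # at fixed version
    ("10.0.0.7", 25, "unknown banner"),                     # no version to match
]

if __name__ == "__main__":
    results = scan(SAMPLE_BANNERS)
    for f in results:
        line = f"{f.host}:{f.port} {f.product} {'.'.join(map(str, f.version))} - {f.issue}"
        print(line + (f"  [{f.note}]" if f.note else ""))
    print(f"{len(needs_pentest(results))} finding(s) need pentest validation")
```

Run as-is, the scan reports two findings from the four constructed banners: the web server is plainly behind the fixed version, while the SSH banner is older but carries a Debian backport suffix and is handed to the pentest queue. The FTP service is exactly at the fixed version and is not flagged, and the banner with no version is skipped rather than guessed at.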
Understanding the environment is an important first step in planning for how you will proceed with protecting the entire network, including the physical environment and personnel with access to the system.
Cyber security firms can conduct vulnerability assessments and should be able to do a penetration test. However, there are many types of vulnerability scans and just as many penetration tests. The type of penetration test you need depends on what the vulnerability scan found, which in turn depends on the scope you set for the scan.
The more information you have, the better the design of the cyber security program.
A cyber security firm will perform some vulnerability assessments before implementing security measures. At least they should. You wouldn’t just put up a fence and assume your house is safe without putting locks on the doors. You need to fix all the weak spots in your system.
If your organization is a part of the critical infrastructure (county government, water facility, emergency management, etc.), the Cybersecurity and Infrastructure Security Agency (CISA) offers free assessments. They have several types and will work with you to determine which you should have. They will then provide a report informing you of their findings and what should be fixed to protect your organization. (Please note: CISA will not make any changes or add security to your system. They will only conduct the assessment.)
CYBER NEWS
Hackers impersonate cybersecurity firms in callback phishing attacks
Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks.
www.bleepingcomputer.com
PayPal-themed phishing kit allows complete identity theft
By misusing the PayPal logo and general design, the phishing kit is aimed at collecting info that can be used to steal the victims’ identity.
www.helpnetsecurity.com
U.S. House Appropriators OK $15.6B in Cybersecurity Funding
The majority of the federal funds, around $11.2 billion, will go to the Defense Department, while $2.9 billion will go to the Cybersecurity and Infrastructure Security Agency to bolster U.S. cyber defenses.
www.govtech.com
TIP OF THE WEEK
Multi-State Information Sharing and Analysis Center (MS-ISAC)
The Multi-State ISAC is an information-sharing environment for state and local government and public agencies to share cyber security information, ideas, and collaboration.
They provide education and training, threat intelligence, webinars, incident response assistance, and more.
The stated mission of the MS-ISAC is:
To improve the overall cybersecurity posture of U.S. State, Local, Tribal, and Territorial (SLTT) government organizations through coordination, collaboration, cooperation, and increased communication.
It is free to join for employees or representatives of state and local governments, public school organizations, public institutions of higher education, authorities, and any other non-federal public entity in the US.
CYBER HUMOR
VOCABULARY WORD
Vulnerability Scan: An automated check that identifies known security weaknesses in systems and the applications running on them, typically by matching service versions and configurations against a database of published vulnerabilities.
TWEET OF THE WEEK
Commonwealth Sentinel
@CwealthSentinel