Relax… A vulnerability scan or penetration test (pen test) doesn’t hurt. There’s no “prep” like with a colonoscopy. But they are just as important.
Sometimes, people want to skip the vulnerability scan and go straight to adding security controls (e.g., Endpoint Detection and Response, Network Monitoring, Firewall, Anti-Virus, etc.).
Sometimes, they think they are protected since they already have a firewall. So why do a vulnerability scan?
When you add security to your system, a vulnerability scan is a critical step to know what you need to fix.
So, what is the difference between a vulnerability scan and a penetration test?
A vulnerability scan looks for, well, vulnerabilities: the weak spots in your system where a breach could happen.
A penetration test simulates an attack on your system utilizing the vulnerabilities discovered in the scan.
In other words, if you were to find out that the lock on your front door was loose, you would check it to see if you could get in from the outside without a key.
Then, if you could, you would fix the lock.
Understanding the environment is an essential first step in planning for how you will proceed with protecting the entire network, including the physical environment and personnel with access to the system.
Cyber security firms can conduct vulnerability assessments and should be able to do a penetration test. However, there are many types of vulnerability scans and just as many penetration tests. The type of penetration test used may depend on what the vulnerability scan finds, which in turn is determined by the scope of the vulnerability scan.
The more information you have, the better the design of the cyber security program.
A cyber security firm will perform some vulnerability assessments before implementing security measures. At least, they should. You wouldn’t just put up a fence and assume your house is safe without putting locks on the doors. You need to fix all the weak spots in your system.
If your organization is a part of the critical infrastructure (county government, water facility, emergency management, etc.), the Cybersecurity and Infrastructure Security Agency (CISA) offers free assessments. They have several types and will work with you to determine which you should have. They will then provide a report informing you of their findings and what should be fixed to protect your organization. (Please note: CISA will not make any changes or add security to your system. They will only conduct the assessment.)
Commonwealth Sentinel is here to help you navigate the ever-evolving and growing cyber security threats we all face. We can evaluate your existing IT security and work with your team to improve it. At Commonwealth Sentinel, we stay focused on cyber security so you can focus on other things. Contact us today or sign up for a free consultation.