The SANS Top 20 Critical Security Controls outline the 20 most critical controls that an organization should implement to reduce its overall risk of suffering a data breach. These controls were originally developed in 2008 by the NSA at the request of the Office of the Secretary of Defense. Since then, the controls have undergone several revisions with input from US Government leaders, international government leaders, and private organizations from around the world. The controls are widely considered essential, and some estimates have shown that by implementing them, organizations are able to mitigate their risk by 94%. While all of the controls are important, two specific CSCs are often confused, misused, and implemented incorrectly. These CSCs are:
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 20: Penetration Testing and Red Team Exercises
You will often hear people talk about Penetration Testing when they actually mean Vulnerability Scanning. You will also hear people talk about a Vulnerability Assessment when they actually mean Penetration Testing. Why is there so much confusion about this topic and these services? That I honestly don't know, but I want to give you some tips to help differentiate between the two. We have written a blog post that covers this topic in greater detail, which you can find here, but this should give a decent, quick overview.
Goals - A Vulnerability Assessment identifies vulnerabilities that are present on your network hardware or your web applications. A Penetration Test attempts to exploit those vulnerabilities and "break in" to your network.
Method - A Vulnerability Assessment uses a software program, such as Qualys, to identify vulnerabilities that exist. A Penetration Test is largely a manual process that involves using some software but also writing scripts to attempt to gain access.
Difficulty - Vulnerability Scanning is easy; for the most part, the software does all the work for you. Penetration Testing is much more time consuming and ultimately more difficult because of the time necessary and the creativity required to attempt to gain access to your network.
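The "Continuous" and "Remediation" halves of CSC 4 are where a vulnerability scan stops being a one-off report and becomes a control. The following is an added example, not code from this post or from Compass: a small Python remediation tracker that reads a simplified scanner export, groups open findings by severity, and flags the ones that have been open longer than a remediation deadline. The CSV layout, the host names and plugin ids, and the per-severity deadlines are all constructed for illustration; real scanners such as Qualys use their own export formats, and the deadlines should come from your own policy.

```python
"""Added example (not from the original post): a minimal remediation tracker
in the spirit of CSC 4, Continuous Vulnerability Assessment and Remediation.

Assumptions: a simplified CSV export with the columns below (real scanner
exports differ), and illustrative per-severity remediation deadlines.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Illustrative remediation deadlines in days per severity (assumed policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample export: hosts, plugin ids, titles and dates are made up.
SAMPLE_CSV = """host,plugin_id,severity,title,first_seen,status
10.0.0.5,PLUGIN-0001,critical,Remote code execution in web server,2024-01-02,open
10.0.0.5,PLUGIN-0002,low,Banner discloses version,2024-01-02,open
10.0.0.9,PLUGIN-0003,high,Outdated TLS configuration,2024-01-20,open
10.0.0.9,PLUGIN-0001,critical,Remote code execution in web server,2024-01-25,fixed
10.0.0.12,PLUGIN-0004,medium,Default SNMP community string,2023-11-01,open
"""


def _as_date(value):
    """Accept either a date or an ISO-8601 string so callers can pass 'YYYY-MM-DD'."""
    return value if isinstance(value, date) else date.fromisoformat(str(value).strip())


def parse_findings(csv_text):
    """Parse the CSV export into dicts, normalising severity/status and parsing dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["severity"] = row["severity"].strip().lower()
        row["status"] = row["status"].strip().lower()
        row["first_seen"] = _as_date(row["first_seen"])
        rows.append(row)
    return rows


def days_open(finding, today):
    """Age of a finding in days, measured from when the scanner first saw it."""
    return (_as_date(today) - finding["first_seen"]).days


def overdue_findings(findings, today, sla=SLA_DAYS):
    """Open findings whose age exceeds the deadline for their severity.

    A finding with an unrecognised severity is reported too, so a scanner
    rating the policy does not know about cannot silently drop out of tracking.
    """
    overdue = []
    for f in findings:
        if f["status"] != "open":
            continue  # fixed or risk-accepted items are not tracked here
        limit = sla.get(f["severity"])
        if limit is None or days_open(f, today) > limit:
            overdue.append(f)
    return overdue


def summarize(findings, today, sla=SLA_DAYS):
    """Open and overdue counts per severity: a trend metric to compare between scans."""
    overdue_keys = {(f["host"], f["plugin_id"]) for f in overdue_findings(findings, today, sla)}
    summary = defaultdict(lambda: {"open": 0, "overdue": 0})
    for f in findings:
        if f["status"] != "open":
            continue
        summary[f["severity"]]["open"] += 1
        if (f["host"], f["plugin_id"]) in overdue_keys:
            summary[f["severity"]]["overdue"] += 1
    return dict(summary)


def run_report(csv_text, today):
    """Convenience entry point: parse an export and return the per-severity summary."""
    return summarize(parse_findings(csv_text), today)


if __name__ == "__main__":
    # Fixed 'today' so the sample output is reproducible.
    for sev, counts in sorted(run_report(SAMPLE_CSV, "2024-02-01").items()):
        print(f"{sev:<9} open={counts['open']} overdue={counts['overdue']}")
```

Run against a real export on a schedule and diff the summary between scans: a rising overdue count for a severity is the signal that the "remediation" half of the control is slipping, which a single scan report will not show you.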
There is no doubt that these terms are confusing, and understanding the difference can mean the difference between being in compliance with a regulation and being out of compliance with it. As part of our Monthly Webinar series in February, Compass will be presenting on the difference between these two services, why it is important to understand, and some best practices you can implement in your organization. Details and the link to register are below, and we hope to see you later this month to help clear up the confusion around these services.
What - Vulnerability Assessment vs. Penetration Testing: What's the Difference Webinar