Testing times: which is the best methodology for you

Find out which is the best testing methodology for you and your business.

UK businesses suffered 22,800 data breaches last year, with the average cost or a breach increasing year-on-year to a staggering £2.77 million, according to recent data from the Ponemon Institute. This equates to $179 (£138) per breached record. With the frequency and costs of a breach showing no sign of abating, savvy UK businesses are wanting to do all they can to protect themselves. But how? We look at the differences between employing vulnerability scanners, penetration testing, bug bounty hackers and managed scanning services to root out potential areas of infiltration.

Vulnerability scanners
As the name suggests, vulnerability scanners scan your network and look for vulnerabilities. They then score any vulnerabilities they find so that they can be prioritised. Scoring can either be something bespoke for that scanner or from a Common Vulnerability Scoring System

Vulnerability scanning is an entirely automated process that aims to identify as many vulnerabilities as possible. As breadth is the aim, it stands to reason that a ‘whitebox’ approach should be taken with contextual information and credentials given to the scanner wherever possible to ensure as many issues as possible can be discovered. 

Vulnerability scans are generally easy to administer and easy to understand. However, they do have limitations. Not least of which due to the fact they have no inbuilt intelligence so work very much like a flow chart. So, like when you are filling out a form for your car insurance, if you don’t fill in every field correctly it won’t let you continue to the next page. Likewise, scans can stall and become incomplete.

Penetration Tests
Unlike vulnerability scans, penetration tests are human-led and goal-orientated. Generally, the intention is to chain together discovered vulnerabilities in a depth-first assessment of the network.

Whilst these assessments may utilise automated tools, the aim isn’t simply a complete list of all vulnerabilities, but to discover how far an attacker could infiltrate your network. The output is most likely example paths that an attacker could take to fully compromise a company’s systems.

Penetration testing should be conducted with an informed defensive team and set up in such a way that systems can be efficiently attacked, such as supplying a pen tester with target IP addresses. This may be contrary to those that feel the defensive team should not be informed; however, assessments should aim to accurately determine the security of a single aspect of the target system at a single point in time. 

A penetration test is undoubtedly a deeper dive into your systems than a simple vulnerability scan and uses a lot more intelligence. However, this manual application of intelligence can come at a price and costs can spiral out of control. Especially in highly regulated industries such as financial services when everything (even a change of font) needs to be thoroughly tested before being allowed to ‘go live’. Because of this, most companies only run a penetration test annually, so whilst providing a useful output, it can be out of date as soon as it is done.

Bug bounty hunters
As you may have read in our blog ‘Boom time:  a rise in the white hats’, many a hacker has moved away from the dark side in recent years to use their skills for good and become a bug bounty hunter. Encouraged by a rise in bug bounty programmes, bug bounty hunters can be your information infrastructure’s greatest friend.

The main problem with turning to a bug hunter to discover vulnerabilities in your network is that a company needs to have strong internal processes to be able to handle them. After all, you are opening your systems to often anonymous individuals and inviting them to attack. Further, when a bug hunter finds a point of infiltration, the report they provide can vary wildly in quality. You, therefore, need someone internally to interpret them accurately and come up with an action plan to quickly close the gap. In addition, you need to pay up quickly otherwise you get a bad reputation that will quickly spread around the bug hunter community – a community you don’t want to get on the wrong side of.

Managed scanning service
If you require regular, deep testing of your systems with human-based intelligence and are unsure you can trust the bug hunter community, then a managed scanning service (MSS) might be best for you. An MSS is undertaken by a team of information security professionals and is designed to continuously assess your online assets for vulnerabilities and provide alerts when new ones are detected.

The expertise of an MSS team means they can manage the scanning process and analyse vulnerabilities ‘on-the-fly’. Through continuous scanning of both perimeter or cloud services for vulnerabilities, an MSS can ensure optimum security throughout your technology estate. However, for best results ensure that the scan is not just limited to infrastructure scanning for known vulnerabilities but also capable of finding application specific vulnerabilities introduced in bespoke systems.

Regular scanning for potential areas of infiltration is essential to maintaining a strong security posture in today’s ever-changing threat landscape. However, although scanning can be an automated process, there are two key challenges to a successful scanning program: Ensuring scan quality and interpreting the results.

A managed scanning service (MSS) is a middle ground between vulnerability scanning and penetration testing that is often the best solution for UK businesses wishing to keep their systems safe from the latest wave of cyber attacks.

Key takeaways:

  • The average cost of a data breach has increased to £2.77 million
  • Vulnerability scanning is an automated process that aims to identify as many vulnerabilities as possible
  • Penetration tests are human-led and goal-orientated, chaining together discovered vulnerabilities in a depth-first assessment
  • You need strong internal processes to work with bug bounty hunters
  • A managed scanning service (MSS) is undertaken by a team of information security professionals and continuously assesses your network for vulnerabilities