Too often, organisations rely on vulnerability scans alone to identify weaknesses in their systems.
They are told that vulnerability scanning is as good as penetration testing and that it will be enough to meet the compliance requirements of the PCI DSS (Payment Card Industry Data Security Standard).
However, scanning and testing perform two different jobs, and the PCI DSS mandates that you conduct both regularly. Anyone who says otherwise is wrong.
What is vulnerability scanning?
Organisational vulnerabilities are unavoidable. Not only because of frequent changes to applications and systems but also because firewalls are designed to leave specific ports open for email and other Internet-based services.
However, organisations should always know where these vulnerabilities are because it allows them to address weaknesses that can be fixed and prepare for attacks against those that can’t.
That’s where vulnerability scanning helps.
As the name suggests, vulnerability scans root out an organisation’s weaknesses.
Organisations can use various tools, each of which essentially runs a series of if-then checks: if a system exposes a particular setting, service or version, then it is flagged as matching a known vulnerability.
A completed scan will provide a logged summary of alerts for the organisation to act upon.
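To make the "if-then" model of scanning concrete, here is a minimal rule-based check engine. It is an added illustration, not code from the article or from any scanning product: every host, port, service name, version threshold and rule ID (EX-001 and so on) is constructed for the example, and the version comparison is simplified (it keeps only the numeric parts of a banner, so "7.4p1" becomes (7, 4, 1)). Each rule says "if this service is exposed below this version, then raise an alert"; a rule with no version threshold flags the service itself (for example, a cleartext administration protocol). The output is the logged summary of alerts the article describes.

```python
"""Added example of a rule-based vulnerability check engine (not the article's code).

All hosts, services, versions and rule IDs below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str      # service identified from a banner, e.g. "ssh"
    version: str   # version string as reported, e.g. "7.4p1"


@dataclass(frozen=True)
class Rule:
    rule_id: str               # constructed label, not a real CVE or advisory id
    service: str
    fixed_in: Optional[str]    # first safe version; None means "any version is a finding"
    severity: str              # one of critical/high/medium/low
    summary: str


@dataclass(frozen=True)
class Alert:
    rule_id: str
    host: str
    port: int
    severity: str
    summary: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a banner version such as '2.4.49' or '7.4p1' into a comparable int tuple.

    Simplified on purpose: only digit groups are kept, so vendor suffixes are not
    compared precisely. A real scanner needs product-specific version parsers.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def matches(rule: Rule, svc: Service) -> bool:
    """The 'if' half of the check: does this service trip this rule?"""
    if rule.service != svc.name:
        return False
    if rule.fixed_in is None:
        return True  # the service itself is the weakness, whatever its version
    return parse_version(svc.version) < parse_version(rule.fixed_in)


def scan(inventory: List[Service], rules: List[Rule]) -> List[Alert]:
    """The 'then' half: emit one alert per (service, rule) match."""
    return [
        Alert(rule.rule_id, svc.host, svc.port, rule.severity, rule.summary)
        for svc in inventory
        for rule in rules
        if matches(rule, svc)
    ]


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def summarise(alerts: List[Alert]):
    """Logged summary: counts per severity plus one line per alert, worst first."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for a in alerts:
        counts[a.severity] += 1
    ordered = sorted(alerts, key=lambda a: (SEVERITY_ORDER[a.severity], a.host, a.port))
    lines = [f"{a.severity.upper():8} {a.host}:{a.port} {a.rule_id} {a.summary}" for a in ordered]
    return counts, lines


# Constructed rule set: thresholds and IDs are illustrative, not real advisories.
RULES = [
    Rule("EX-001", "ssh", "7.5", "high", "ssh service below constructed threshold 7.5"),
    Rule("EX-002", "telnet", None, "critical", "cleartext remote administration exposed"),
    Rule("EX-003", "http", "2.4.50", "medium", "http service below constructed threshold 2.4.50"),
]

# Constructed inventory, as a discovery phase might have recorded it.
INVENTORY = [
    Service("10.0.0.5", 22, "ssh", "7.4p1"),
    Service("10.0.0.5", 80, "http", "2.4.52"),
    Service("10.0.0.9", 23, "telnet", "unknown"),
    Service("10.0.0.9", 22, "ssh", "8.9"),
]

if __name__ == "__main__":
    counts, lines = summarise(scan(INVENTORY, RULES))
    print("alert counts:", counts)
    for line in lines:
        print(line)
```

Running the block reports two alerts on the constructed inventory: the telnet service on 10.0.0.9 (flagged regardless of version) and the ssh service on 10.0.0.5 (7.4p1 is below the constructed 7.5 threshold); the http and newer ssh services produce nothing. Note what such a scan cannot tell you: whether the flagged ssh service is actually reachable from the Internet, or what an attacker could do after reaching it. That is the gap penetration testing fills.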
The PCI DSS mandates that vulnerability scans be conducted quarterly or whenever significant changes are made to the organisation’s networks.
What is penetration testing?
Penetration tests are much more rigorous than vulnerability scans. They are designed to identify weaknesses in an organisation’s system architecture and exploit them.
This demonstrates to an organisation exactly how a cyber criminal would infiltrate its systems and what information they could access.
Armed with this knowledge, organisations can pinpoint how adequate their security controls are and which areas need improvement.
The testing process can be invasive because your organisation is under attack.
Therefore, you’ll need to conduct the test outside of working hours or let the relevant people know about the test in advance.
You’ll also need to hire a qualified professional to oversee the process, as penetration testing involves a very nuanced set of skills and must be performed by someone bound to ethical standards.
If someone in your organisation performed the test, they might influence the test to reflect their own bias.
Worse yet, they might use the test as a dry-run for an insider attack.
There are four types of penetration test, each with its own focus:
- External network penetration tests
- Web application penetration tests
- Wireless penetration tests
- Social engineering penetration tests
Organisations don’t need to conduct penetration tests as often as vulnerability scans. Once a year or whenever system architecture is significantly altered should suffice.
Security testing and the PCI DSS
For more advice on the PCI testing requirements, look at our green paper: Security testing and the PCI DSS.
This free guide unpacks the complexities of the Standard, helping organisations understand how they can achieve and maintain compliance.
It provides practical guidance on how to test your systems and processes’ security and better protect the payment card information you store.