Understanding Scans, Assessments and Penetration Testing

There is a lot of jargon floating around regarding security assessment and penetration testing offerings. Penetration testing is often used as a catch-all for any type of security service performed by an organization. A true penetration test involves three distinct stages that build upon each other: Scanning, Assessing and Penetrating. It is important to understand the differences to ensure a properly scoped and delivered service. InteliSecure provides services around each of these areas.

Scanning

Scanning refers to the process of running a series of automated tools against IP addresses or IP ranges to target and identify known and potential vulnerabilities and/or unpatched or misconfigured systems.

Scans create a high-level, unvalidated overview and generic reporting of targeted environments. The tools may be commercially available or open source and free. InteliSecure chooses to use open source versions of vulnerability scanning tools as these are the tools commonly used by attacking parties. The purpose of a vulnerability scan is to identify known vulnerabilities so they can be remediated.

Assessment

More in-depth than scans, the assessments take the information identified through initial scans and apply manual effort to validate those findings and confirm that potential vulnerabilities do in fact exist.

Building on the information collected during a scan, assessments include manually conducting additional checks and validations to ensure the attack vectors identified with automated scans are viable and that the noted ports and patches being discovered are actually pertinent to the target system.

When conducting an assessment, InteliSecure reduces false positives by validating scanning results up to the point of potentially penetrating the system or confirms the presence of default credentials by logging into the systems. Since this is a manual review of collected information, additional time is needed to validate, eliminate and collect evidence of potential vulnerabilities within systems for reporting purposes.

Penetration Testing

Once a vulnerability has been identified and validated, the final stage is penetration. This final stage is comprised of a manual attempt to exploit any given aspect of an organization’s IT or physical infrastructure by taking advantage of vulnerabilities identified in systems, escalating privileges, gaining control of the network and stealing sensitive data.

Non-technological Penetration Tests

Penetration tests do not need to be exclusively technological in nature. Additional types of tests include physical and social engineering evaluations.

Physical security assessments attempt to infiltrate an organization’s facilities and information through a variety of means, such as gaining access by evading security measures (e.g. secured doors, motion sensors, checkpoints, and other, similar countermeasures).

Social Engineering relates to coercing individuals within an organization to inadvertently grant access to someone not authorized to have such permission. Examples of Social Engineering may include phishing, phone campaigns, and impersonation. Social Engineering may be a component of a physical security assessment and layered into the approach.