It has become a very common situation: every time you turn around, there is another high-profile data breach in the news, and most of the time it involves a cardholder data compromise. This kind of targeted breach has been increasing rapidly worldwide.
It is therefore important to check whether the retailer is compliant with the Payment Card Industry Data Security Standard (PCI DSS). A retailer that is not compliant is liable for fines and could even be suspended from accepting cards.
Now, let's focus on information security. Not only the information itself but all of your virtual components need to be secure, and to demonstrate that security they should pass both penetration testing and vulnerability testing.
There is often confusion about the differences between penetration testing and vulnerability testing. The confusion arises because the two types of test look similar: both are used to identify weaknesses in your network and applications.
A vulnerability test identifies weaknesses that an attacker might be able to exploit, following standard methodologies. A penetration test finds weaknesses by having a "white hat" or "ethical hacker" actually exploit them and penetrate the target application or network. Pentesting requires customization for the target and is more expensive than vulnerability scanning.
Triad Square Infosec performs expert vulnerability testing together with penetration testing under its VAPT service for organizations globally.
For a clear understanding of the differences between vulnerability testing and penetration testing, see the side-by-side comparison table below.
Item | Vulnerability Testing | Penetration Testing |
---|---|---|
PCI DSS Requirement | 11.2 | 11.3 |
Goal | Identify weaknesses that could be exploited by internal and external attackers. | Determine whether unauthorized external access to key systems and files can be achieved. |
Required Resolution | Rescan as needed until all "high-risk" vulnerabilities are fixed. | Retest as needed until no vulnerable access points are found. |
Who performs? | Internal scans: a qualified internal resource or a qualified third party. External scans: an Approved Scanning Vendor (ASV) approved by the PCI SSC. | A qualified internal resource or a qualified third party. |
Automation | Can be fully automated because it is based on standard methodologies. | Cannot be fully automated because it requires customization for the target environment and requirements. |
Documentation Requirements | Documented scope. Documented risk-ranking process. | Results should be retained. |
Scope | Limited to analysis only. | Tests may be performed in external and internal environments by exploitation. |
Frequency | Quarterly and after any significant change in the structure. | Internal and external tests annually and after significant infrastructure and application upgrades. |
Components | Servers, routers, switches, workstations, databases, virtual machines or web applications. | Social engineering and the exploitation of exposed vulnerabilities, access controls on key systems and files, web-facing applications, custom applications, and wireless connections. |
Methodology | Must conform to standard practices. | Must be customized for the target systems and environment. |
Yes, a perfect difference is given: the online vulnerability scan is fully automated, as they depend on different methodologies.
What is the scope of ethical hacking in India?
Just taking an ethical hacking course won't give you any great scope. While you may be able to make a considerable income consulting for small companies, if you want to make it big, become a real hacker, learn the art inside and out, and then become a cyber security expert. If you want more details, contact us: Livewire-Velachery, 9384409662. http://bit.do/eBBiJ