3 Reasons why Automated Vulnerability Scanning does not work

by Rudra K Sinha Roy on December 21, 2009

in Penetration Testing

One of the things that IT managers and network security specialists learn early on is that vulnerability scanning with free or open source tools does not work, or is generally not enough, when it comes to protecting your computer network and identifying its vulnerabilities. Most network managers are lulled into a false sense of security after a relatively uneventful free vulnerability scan, only to be jolted by a hacking attack.

Reason #1: Vulnerability scanning simply does not protect a network from malicious attacks. It cannot proactively discover your network’s vulnerabilities; it can only find previously known weaknesses. So unless your scanner has been updated for every possible weakness, which is close to impossible, it is not going to prevent attacks.

Reason #2: What is more, even if someone identifies an exploitable hole in your network and informs your scanner vendor about it, it generally takes around one to three months to get a patch for it. So even once a weakness is identified, there is still that span of time during which your network remains vulnerable.

Reason #3: Beyond being merely reactive, vulnerability scanners are also largely inaccurate. Security experts have found that these scanners are only right 30 per cent of the time, producing more false alarms than real weaknesses in your system. On the other side of the coin, most scanners fail to detect most of the weaknesses found by a penetration test performed on the same system. This is easy to verify: get a free trial of a vulnerability scanner from the Internet, scan your systems, then check the results against the systems themselves, and you will certainly find more than a handful of inaccuracies in the scanner output.

A penetration test is the only way to be sure that you are aware of your system’s vulnerabilities. A thorough penetration test done manually can uncover weaknesses before people outside your organization do, and allows you to plan for any hacking attack that might exploit that weakness. Moreover, it gives you an overview of whether your systems have been properly configured and exposes flaws in both the hardware and software you use. All these security risks are plugged before they do your company, network and data any damage.

This is a level of thoroughness that you cannot achieve with simple, automated vulnerability scanning. Scanners use standard signatures or scripts to do their work, which leaves them ill-suited to the many different networks they are run on. Networks are set up differently from one another, so a cure-all tool is not enough.
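To make Reason #3 and the point about signatures concrete, here is an added example (not code from the original post or from any scanner vendor) of how a banner-matching signature check behaves, and how its output can be reconciled against findings confirmed by hand. The service names, signature IDs, banners and confirmed findings are all constructed for the illustration; none refer to real products or advisories.

```python
"""Added example (not from the original post): a toy signature-based scanner
run against constructed service banners, then reconciled against a constructed
list of hand-confirmed findings, to show where pure signature matching produces
false positives and misses."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Signature:
    sig_id: str            # hypothetical identifier, not a real advisory
    service: str           # service name as it appears in the banner
    vulnerable_below: tuple  # versions below this tuple trigger the signature


# Constructed signature set (hypothetical services and IDs).
SIGNATURES = [
    Signature("SIG-001", "ExampleHTTPd", (2, 4, 10)),
    Signature("SIG-002", "ExampleSSH", (7, 4)),
]

# Banner shape assumed by this toy: "<Service>/<dotted version>[ extra]".
BANNER_RE = re.compile(r"^(?P<service>[A-Za-z]+)/(?P<version>[\d.]+)")


def parse_version(text):
    """Turn '2.4.7' into (2, 4, 7) so tuples compare numerically."""
    return tuple(int(part) for part in text.split(".") if part)


def signature_scan(banners):
    """Return {host: set(sig_ids)} using only banner string matching,
    which is all a signature-driven scanner can see from the outside."""
    findings = {}
    for host, banner in banners.items():
        match = BANNER_RE.match(banner)
        if not match:
            continue  # unparsable banner: the scanner is silent here
        version = parse_version(match.group("version"))
        for sig in SIGNATURES:
            if sig.service == match.group("service") and version < sig.vulnerable_below:
                findings.setdefault(host, set()).add(sig.sig_id)
    return findings


def reconcile(scanner, confirmed):
    """Compare scanner output with findings confirmed by manual testing.
    Returns true/false positives, misses, and precision/recall figures."""
    scanned = {(h, s) for h, sigs in scanner.items() for s in sigs}
    real = {(h, s) for h, sigs in confirmed.items() for s in sigs}
    true_pos = scanned & real
    return {
        "true_positives": sorted(true_pos),
        "false_positives": sorted(scanned - real),
        "missed": sorted(real - scanned),
        "precision": len(true_pos) / len(scanned) if scanned else 0.0,
        "recall": len(true_pos) / len(real) if real else 0.0,
    }


# Constructed banners. web-2 runs a build with the fix backported but the old
# version string, which a banner check cannot tell apart from web-1.
BANNERS = {
    "web-1": "ExampleHTTPd/2.4.7",
    "web-2": "ExampleHTTPd/2.4.7 (backported-fix)",
    "bastion": "ExampleSSH/7.2",
    "app-1": "ExampleHTTPd/2.4.12",
}

# Constructed outcome of manual testing. app-1 has an authorization flaw that
# no version signature describes, so only a tester finds it.
CONFIRMED = {
    "web-1": {"SIG-001"},
    "bastion": {"SIG-002"},
    "app-1": {"MANUAL-AUTHZ-BYPASS"},
}


def run():
    """Scan the constructed banners and reconcile against confirmed findings."""
    return reconcile(signature_scan(BANNERS), CONFIRMED)


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

On this constructed data the scanner is right about two hosts, raises a false alarm on the backported build, and says nothing about the logic flaw on app-1, which is exactly the pattern the post describes: signature matching can only report what its signature list already encodes. The same reconcile step is a practical way to triage a real scanner report against a tester's confirmed findings.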

A penetration test can simulate real-life attacks on your network. A hacker has the know-how and the flexibility to find your system’s flaws. Penetration testers can also perform research on your network in a way that vulnerability testing cannot. Read a little more on the difference between Vulnerability Assessment and Penetration Testing.

Vulnerability scanners are helpful tools for a seasoned network security expert. They help in keeping your systems updated and in verifying some security threats. Vulnerability scanners are totally indispensable when you manage a large network, saving you time and effort, but they should not be the ONLY thing you do to protect your network, data and company.


2 comments

Vasant March 4, 2010 at 11:47 pm

So you mean to say we should all stop doing VA... and just do pen tests... Wonder how pen-tests know about vulnerabilities if they don’t scan for vulnerabilities.

Hmmm. …

Vasant March 4, 2010 at 11:57 pm

Let’s see if pen-tests could live up to the 3 reasons.

R#1 Pen-tests also will only CONFIRM the existence of the vulnerability and that it’s exploitable, BUT still don’t protect the network.

R#2 So how will patch availability or its unavailability be solved by pen-testing? If you have a vulnerability which has been proved to be exploitable by a pen-test AND you still don’t have a patch, you’re still at square 1.

R#3 Yes, agreed, false positives are a problem with VA tools and pen-testing can help confirm a vulnerability, but that’s not a reason why VA tools work. Without VA you couldn’t even think of pen-testing. Could you have done the pen-test without the knowledge of the vulnerability?

Point is, VA is not the end-all. Pen-testing can help in confirming the vulnerability or not, but saying VA doesn’t work is not correct. It’s like you want to show human bones can withstand more than twice the human body weight. I don’t need to lift 150 kg to show it every time. If it’s proved, people do get the message.

Love to hear your comments.
