When organisations want to test their cyber security readiness, it can be hard to know where to start. Many testing services highlight vulnerabilities and flaws within a system, but they do so in different ways. Ultimately, it’s important to use a variety of testing techniques to ensure that every aspect of a system is protected.
Initially, we would always recommend a cyber security review followed by internal, external, and, if applicable, web application penetration testing. When we describe these services to organisations, though, they often question the difference between the two.
To provide more clarity, we’ve put together this article to explain how they differ and why each is a vital aspect of cyber security testing.
What is penetration testing?
Commonly called “pen testing”, penetration testing involves launching a simulated cyber-attack on an organisation’s IT systems. The aim is to identify any vulnerabilities or exploitable weaknesses within the system and, ultimately, to test how well it withstands a real breach attempt.
Regular pen testing allows businesses to obtain valuable data and insights into their cyber security readiness. It also gives them access to expert, independent feedback on their security, enabling them to make real, actionable changes that can prevent expensive and potentially business-ending data breaches.
What types of penetration tests are there?
There are many types of penetration tests, but the basic ones are internal, external, and web application testing.
Internal testing focuses on an organisation’s internal network infrastructure and is the most common type of testing. Generally, these tests evaluate the strength of intrusion prevention systems, but they can also be more specific, such as testing whether segmentation policies within a network are actually enforced.
External testing is focused on the external portion of the network infrastructure. Typically, the “attacker” will attempt to bypass the perimeter protection of a network, such as the next-generation firewall.
Finally, there is web application testing. Whilst this type of testing might include aspects of infrastructure testing, it’s a much more detailed and intensive process, because most web applications are both complex and publicly available. These tests may include checks for cross-site scripting, SQL injection, or weaknesses in authentication.
What is a cyber security review (CSR)?
A cyber security review is focused on a set of industry controls provided by the Center for Internet Security (CIS). The review assesses the organisation’s ability to meet these controls and where any gaps in their security may be.
It also includes an internal and external vulnerability assessment, a threat modelling exercise, and a dark web/threat intelligence investigation. This allows organisations to see where they currently stand in terms of cyber security and provides a clear roadmap for improvement.
These reviews can also be focused on specific systems, such as Office 365 or Azure, depending on what the organisation is using for their day-to-day operations. In these cases, the systems are measured against Microsoft’s best practice guidelines, as well as the CIS controls.
What are the differences between a CSR and pen testing?
The main difference between the two is that a penetration test involves a tester actively trying to find vulnerabilities within a system by launching a simulated cyber-attack. These findings are then reported to the organisation so it can make changes. A review takes a more analytical approach: it assesses an organisation’s current cyber security position against a set of controls, rather than actively testing the systems themselves.
Each has its use cases, but both are vital to reviewing and improving an organisation’s defence against cyber threats. Whilst it may be more logical to start this review process with a CSR, it’s highly advisable to have regular external, internal, and web application pen tests to ensure that everything works in practice against a cyber-attack.
If you are interested in finding out more about how a CSR or pen test can benefit your company, get in touch with us. Our cyber security experts are happy to walk you through each service step-by-step and get you started on the road to better cyber security.