What is the difference between a scan, pen-test, and risk analysis?
A network vulnerability scan probes devices on your network to identify possible weaknesses.
A network penetration test finds weaknesses in your network and then exploits them to show how hackers can get in and what they can do once they’re inside.
A risk analysis looks at your security safeguards – not just technical but also physical and administrative controls – and gives management insight into threats and exposures.
A compliance assessment measures how well your processes, documentation, and records address regulations and standards (like HIPAA, PCI DSS, SOC 2, NIST SP 800-53, and ISO 27001).
Loptr’s Virtual Security Team includes vulnerability scans, risk analysis, and compliance assessment, and pen-testing is an option, too. We also provide another alternative – Loptr’s security hackathon – where we train your team and then test your security alongside them. Sessions cover topics like vulnerability scanning, pen-testing, web hacks, phishing, social engineering, and wireless testing.
Why do we (often) discourage penetration testing?
It’s not that pen-testing isn’t important, but if you are just starting to formalize your security practices, it shouldn’t be the first thing that you do. Why spend money on a report that proves we can get into your network and facilities when you already knew that someone could? We think you should put your money towards good security rather than towards validating bad security.
Pen-testing should come later, after the rest of your security program is up and running. If you have to comply with PCI DSS, pen-testing will be a requirement. We do include pen-testing as a VST option and, of course, we’ll provide pen-testing as a stand-alone service as well.
Why do we (often) discourage compliance assessment?
Just like pen-testing, we don’t want you to spend money on a report that shows how you don’t meet compliance requirements if you already know you don’t. We think you should invest in a good security program, designed to meet your compliance needs, rather than validating what you don’t do. As we help you build your security program, we’ll provide a dashboard to track how you’re doing towards compliance. We look at planning, design, implementation, monitoring, and recordkeeping – the keys to any compliance effort (whether HIPAA, PCI DSS, SOC 2, NIST SP 800-53, or ISO 27001).
Of course, if you’re feeling confident that you’ve covered most of your compliance requirements, we provide compliance assessment as a stand-alone service, too.
What is included in Loptr’s penetration testing?
A true penetration test is a lot more than an automated network scan. Loptr offers pen-testing (stand-alone or as a VST option) when you need to test how hackers might get in and what they could do if they were inside. We use automated and manual techniques to identify and validate network, system, and application vulnerabilities. Our pen-testing can cover different views – like unauthenticated intruders and authenticated insiders – and can give you both “black box” and “white box” perspectives.
We typically begin with a “black box” open source intelligence investigation to show what attackers can learn about your organization. We then review this information with you, map your entire network to define your “attack surface”, and then work with you to select appropriate attack scenarios based on significant targets and identified weaknesses. Our testing conforms to the guidance set forth in the National Institute of Standards and Technology (NIST) Special Publication 800-115, Technical Guide to Information Security Testing and Assessment.
Like the Virtual Security Team technical review report, our pen-test report is short and to the point. It includes a 1-page dashboard, a consolidated action item list, and tables with insights and details. A separate addendum provides screen captures and other evidence to support our findings. If you hate 300-page, computer-generated reports, you’ll love Loptr’s approach.