There are some really terrific pieces of software out there for running a vulnerability scan. I have a lot of respect for all of them. The vendors are working hard to find as many vulnerabilities as possible in order to protect businesses and organizations that need to find and fix those vulnerabilities so that the bad guys don’t get in. A scan is NOT a penetration test. It can be part of one. But it usually isn’t.
Software doesn’t think. It doesn’t perform social engineering. It doesn’t walk down the hall and check everybody’s desks at night until it finds the keyring labeled “server room.” It provides a lot of false positives because it doesn’t account for configurations that have compensating controls elsewhere.
PCI requirements include, for Tier 1 vendors, a quarterly scan of the Internet-facing environment. This is a great idea; kind of like the watchman making sure he rattles the door knobs. But this is a minimum requirement. Is that really all your company can do?
Scans are great for finding the “low-hanging fruit.” They save a lot of manual time and effort in that respect. But don’t let someone sell you a scan and call it a penetration test. Software can only find what you tell it to find. Anyone (literally) can run a scan. You can rest assured that the real bad guys don’t hire “anyone” to write their malware. Someone can spend enormous amounts of time attacking your network, and you can be sure that person has a fairly high skill level. Don’t you want the folks on your side to have equal, if not better, skills?
Next: Why isn’t a scan part of a penetration test?