When Scanning Just Isn’t Enough: Why All Businesses Need a Full-Scope Pen Test
Many companies confuse the important but separate roles that vulnerability scanning and penetration testing play in their security posture. Some companies, especially in the PCI compliance world, rely too heavily on automated scanning. However, vulnerability scanning remains a requirement for everyone: even the best pen test will not secure your entire network, because it does not check for every single missing patch.
A real, manual penetration test, also called a Full-Scope Pen Test, takes the time (often weeks) of a highly skilled ethical hacker or team, which explains why the cost is typically so high. They will use their knowledge and experience, as well as a variety of tools, to test your company’s overall susceptibility to a cybersecurity attack. While there are some very cool Breach and Attack Simulator (BAS) programs available today, Machine Learning and Artificial Intelligence (AI) are not yet at the level of sophistication that a full-scope pen test by an ethical hacker will bring you.
There are some great things happening with Machine Learning in the security world, especially on the defensive side, but when it comes to emulating an offensive security engagement we are probably 10-15 years from replacing the humans doing your pen test. This is because an experienced pen tester knows when to try something a different way because an attempt failed slightly, or when a different tool is a better fit. Just as companies keep network engineers on teams completely separate from their software developers, ethical hackers have their own specialties and will work as a team to test different areas of your full security posture.
There are also aspects of a full-scope pen test that are probably even more than 15 years from being replaced by AI. A good pen tester will test your physical security to make sure doors are locked and that secure locations like the server room are only accessible to certain people. They will also try social engineering your employees via email or phone to gather information or trick employees into giving up their credentials. An ethical hacker may even combine social engineering with physical security and see if an employee will hold the door for someone who should not be there. None of these are things a scan could test.
Automated scanning and manual pen tests both have their role in the security risk cycle, but they should not be confused with or substituted for each other. Use scanning to get a more frequent report on your security position and to make sure all current patches are in place. Use pen testing to make sure there are no flaws you have not considered and to test your technology teams’ processes and response to an attack.