“All licensees must perform penetration testing of their systems, applications, and network devices to verify the robustness of the security controls in place at least twice a year. These tests must be used to simulate real-world cyber-attacks on the technology environment and must:
The new cyber security module applies to money changers, insurance companies and investment houses. The CBB mandated that all of these licensees complete a gap assessment against the cyber security module, together with an action plan, by 31st December 2021. The new cyber security requirements have been in force since 1st May 2022.
Vulnerability Assessment and Penetration Testing (VAPT) are two different methods of security testing, and each pursues a different goal. They are often combined into a single engagement because their strengths complement each other and together deliver a comprehensive picture of an organization's information security posture. Although both aim to uncover weaknesses, they remain two distinct tasks.
A vulnerability assessment is a largely automated process that uses scanning tools to identify and quantify known security vulnerabilities in an application or network. The scan is typically run by an analyst from inside the network, or remotely over a VPN connection. A high-quality scan with best-in-class tools can check for more than 50,000 known vulnerabilities. The resulting report describes each weakness and the appropriate mitigation so that the organization can remediate it; the scan itself only reports what it recognises and does not confirm whether a finding is actually exploitable. Because it is automated, a vulnerability assessment is quick and can usually be completed within a day or two. A vulnerability assessment is also known as a vulnerability scan.
A network vulnerability assessment covers all network equipment, such as routers, firewalls, Ethernet switches, Wi-Fi access points, desktops and laptops. Several security standards, including PCI DSS, HIPAA, FedRAMP and SOC 2 Type 2, require or expect businesses to conduct network vulnerability assessments to ensure that customer data is well protected.
Penetration testing simulates a hacker's attempt to gain access to a network or application. The attack may originate from an external or an internal source. It is conducted by ethical hackers who are trained and certified to perform penetration testing. A penetration test shows how much damage a flaw in the network or application could cause if a real attacker exploited it in a live scenario, and it distinguishes the weaknesses that can actually be exploited from those that cannot. The objective of a penetration test is to exploit systems and gain access to critical or sensitive data, within an agreed scope and rules of engagement.
Because both vulnerability assessment and penetration testing are of prime importance, they should be conducted by reputable companies with an excellent track record. Vulnerability scans conducted by a PCI SSC Approved Scanning Vendor (ASV), which PCI DSS requires for quarterly external scans, deliver high-quality results. The experience and knowledge of such approved companies help identify blind spots and strengthen the organization's information security defenses against threat actors.