Whether it’s done to meet compliance requirements or just as a general best practice, most organizations are now testing their own networks for security weaknesses, and if they’re not, they should be. The many different types of tests can be confusing for the uninitiated; we will take a look at the common types with their strengths and weaknesses.
It’s not that fixing Critical and High-Severity vulnerabilities is the problem; it’s that the Medium and Low severity vulnerabilities can pose significant risks as well. For any given vulnerability, we need to distinguish between its severity and the risk that results from it being present on a particular system on our network.
Ideally a penetration test should simulate a real world attack; in the real world, the attacker will always have some objective beyond “get into the network.” No matter who the attacker is, they are motivated by something that they are trying to accomplish – and getting into the network is only one step in that process for the attacker.
What does Dr. Park Dietz, one of the world’s foremost forensic psychiatrists, want you to know about mitigating workplace violence? Read his guide on warning signs and prevention, along with features and columns on RFID technology, mobile credential standards, security convergence, CSO interview questions and more in our February 2017 edition of Security magazine.