Does your organization need both vulnerability scanning and penetration testing?

By Katie Taisey

The short answer is: yes. We hear in the news almost daily about organizations that have fallen victim to ransomware attacks. In a ransomware attack, a hacker or hacking group gains access to a computer network and encrypts its data, making it unusable; the attackers then demand payment for the key that unlocks the data. The consequences for businesses can be dire: it has been estimated that half of the small businesses that suffer a cyber-attack go out of business within six months as a result. It is important to understand, though, that not every cybersecurity breach ends in a catastrophic ransomware attack. Other attacks infect your computers with malware that turns the device into a bot (short for robot), which is then used as part of a botnet (a network of bots) to carry out larger coordinated attacks, such as distributed denial of service (DDoS) attacks or massive phishing campaigns aimed at much larger organizations. While your company might not be the direct target of these attacks, being a victim of the malware or bot infection can severely degrade both computer and network performance. So, how do hackers gain access or infect devices with malware? They often exploit known vulnerabilities, or flaws, in systems to launch their attack.


Vulnerabilities are the gateway through which hackers in the wild gain access to a system. To answer this question, we need to take a step back and understand what exactly a cybersecurity vulnerability is. According to the National Institute of Standards and Technology (NIST), a vulnerability is “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” In 1999, the MITRE Corporation launched what is known as the Common Vulnerabilities and Exposures (CVE) List. The CVE List is a list of records – each containing an…