One of the most misunderstood components of the Trusted Partner Network (TPN) Framework is the need for companies to perform Vulnerability Scans and External Penetration Tests.
At a minimum, these scans/tests must be performed annually as part of the TPN certification process. It is important to recognize that these two tests are unique, separate, and necessary to safeguard your company’s intellectual property and other data.
TPN Requirement for Vulnerability Scans
The Vulnerability Scan is designed to programmatically scan a range of IP addresses for known weaknesses in a company’s systems, networks, and IT infrastructure.
TechPro security professionals leverage tools including:
• Nessus (as shown in the above video)
These and many other tools may be deployed virtually or through a preconfigured appliance or in the cloud. Because of the use of automated tools, Vulnerability Scans are a lower cost alternative that impacts a wider number of devices, networks, and systems within any organization.
Because of the lower cost associated with Vulnerability Scans, tests can be run as a validity check for any minor changes made to your infrastructure. Through the use of these off-the-shelf tools, the TechPro team analyzes the results of known vulnerabilities and identifies (not exploit), documents and assigns a severity rating (if applicable) along with simple remediation steps.
TPN Requirements for Penetration Testing
The Penetration Test (PEN Test) goes further to exploit the depth and breadth of vulnerabilities in a company’s hardware, software, and network architecture. The PEN Test is conducted by Tech Pro “white hat” security professionals who leverage known hacking tools and techniques to expose just how extensive any potential breach extends into your organization.
Tech Pro security pro’s also developed test scripts which are customized based on industry-specific needs.
Because of the time and effort associated with PEN Testing, the cost can be significant. Tech Pro works with its clients to assess risk tolerance and to assign a value of importance to data and systems that should be tested targeting most of our efforts toward the highest value targets.
Additionally, PEN Tests often result in network and system outages therefore testing is often limited, with a client’s permission, during nights and weekends in order to minimize the impact on day to day operations.
The results of any test will result in a PEN Test Report that identifies specific target/data that were compromised, the method used to attack and the security flaw exploited.
TechPro and its partners are well positioned to conduct these tests and more importantly, our security professionals are available to help remediate identified vulnerabilities and establish additional layers to any defense in depth security strategy.