Article 32 of the EU General Data Protection Regulation (GDPR) mandates that organisations implement “appropriate technical and organisational measures” to manage risks. It provides a handful of examples of those measures, but it doesn’t go into detail about what they consist of or why they are necessary.
This blog post fills that gap, discussing vulnerability scans, penetration tests and the way they work together.
Many organisations’ network security defences consist only of patch management and antivirus software. Those are essential, but so is reviewing configurations, third-party applications and hardware, and that review is what vulnerability scans provide.
A vulnerability scan is an automated process that finds and alerts organisations about known weaknesses in their systems. There are two types of scan: external and internal. External scans look for ways in which malicious outsiders can exploit the organisation, and internal scans look for threats inside the organisation, such as the potential for privilege abuse.
Organisations should conduct regular vulnerability scans to identify many of the most common security flaws that lead to data breaches. However, it’s important to learn how to interpret the results of a vulnerability scan. Many non-security professionals see that risks are often rated as ‘low’ or ‘medium’ and infer that the organisation’s defences are reasonably effective. But almost all vulnerabilities can be leveraged by criminal hackers. To stop that from happening, you need to conduct regular penetration tests.
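To show why the vendor rating alone misleads, here is an added triage example (not code from the post or any scanner) over a constructed set of findings: the rating is weighted by whether the host was found by the external or internal scan and by an assumed "exploit available" flag of the kind scanners attach to findings, and external findings the scanner cannot confirm are queued for manual verification by a penetration tester.

```python
"""Triage of vulnerability-scan findings. Sample data and weights are constructed
for illustration; the Finding fields mirror typical scanner report columns."""
from dataclasses import dataclass

# Assumed weights: vendor rating and scan type (external = internet-facing).
RATING_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPOSURE_WEIGHT = {"external": 3, "internal": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str          # scanner check that fired
    rating: str         # vendor rating as printed in the report
    scan_type: str      # "external" or "internal" scan that found it
    exploitable: bool   # assumed "exploit available" metadata from the scanner


# Constructed sample report: the raw counts look reassuring (mostly low/medium).
SAMPLE = [
    Finding("web01", "TLS 1.0 enabled", "low", "external", False),
    Finding("web01", "Outdated JavaScript library", "medium", "external", True),
    Finding("db01", "Default SNMP community string", "medium", "internal", True),
    Finding("intranet01", "Missing security headers", "low", "internal", False),
    Finding("fs02", "Unpatched SMB service", "high", "internal", True),
]


def summarise_by_rating(findings):
    """The view a non-specialist reads: a count per vendor rating."""
    counts = {}
    for f in findings:
        counts[f.rating] = counts.get(f.rating, 0) + 1
    return counts


def priority_score(f):
    """Rating weighted by exposure; doubled when an exploit is known to exist."""
    score = RATING_WEIGHT[f.rating] * EXPOSURE_WEIGHT[f.scan_type]
    return score * 2 if f.exploitable else score


def prioritise(findings):
    """Remediation order: a 'medium' on the external surface can outrank an internal 'high'."""
    return sorted(findings, key=priority_score, reverse=True)


def needs_manual_verification(findings):
    """External findings the scanner could not confirm: candidates for a penetration test."""
    return [f for f in findings if f.scan_type == "external" and not f.exploitable]
```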
Penetration testing is essentially a controlled form of hacking in which a professional penetration tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the organisation’s networks or applications.
Whereas a vulnerability scan can be automated, a penetration test requires a certain level of expertise and hands-on work. A good penetration tester can craft scripts, change the parameters of an attack and tweak the settings of their tools.
Testing can operate at the application or network level, and the scope can be adjusted based on departments, functions or certain assets. Alternatively, tests can examine the entire infrastructure and all its applications, although this is usually impractical.
Testing to fit budgetary requirements
Penetration testing has sometimes been erroneously referred to as an expensive way of finding out where you need to spend more money. However, without testing, organisations expose themselves to data breaches and cyber attacks, which will almost certainly cost more than a penetration test.
There are also ways to reduce the cost of penetration testing. For example, it’s not always necessary to test every aspect of an application or network. That would only be required if you stored highly sensitive information or had reason to think you were being targeted by criminal hackers.
Free penetration testing webinar
You can learn more about penetration testing – in particular its relevance to the GDPR – by watching “Compliance solutions: How can penetration testing support your GDPR project?”
This free webinar includes:
- An explanation of the GDPR’s requirements for security testing;
- Guidance on penetration testing to inform your compliance with the GDPR;
- Advice on choosing the right test; and
- An example of what a GDPR testing regime might look like in practice.
The webinar will take place Wednesday, 2 May 2018 at 3:00 pm (BST). If you are unable to attend, it will be available to download from our website.