This year’s Verizon Data Breach Investigations Report (DBIR) highlights several important developments in how security breaches and incidents, and the attack vectors behind them, have changed over the last year. Read AMATAS’ expert comparison – Manual vs. Automated Penetration Testing.
For one, web applications are currently the dominant attack vector, overshadowing every other type by far. As for attacks, ransomware, which we covered in a recent blog post, has more than doubled in frequency since last year and currently constitutes about 10% of breaches. This shift marks the biggest change in the types of attacks launched over the last year.
As the report also notes, organizations need to patch smarter, not harder. But to do that, they must of course be aware of the vulnerabilities that exist in their systems. This raises the question of how to best establish where dangers lurk that need to be addressed.
Penetration testing is one of the ways to answer this question, with experts recommending either manual or automated testing. This isn’t necessarily an either/or choice, since the two approaches aren’t interchangeable and each has its own set of advantages and disadvantages. For more on that, see our blog post on Why manual penetration testing cannot be replaced by automated scanners!
In this blog post, we will focus on the different advantages and disadvantages that each approach has to offer and why penetration testing as a whole is important. Want to know more? Keep reading!
What is manual penetration testing?
Penetration testing, sometimes also called ethical hacking, is a type of vulnerability assessment of an organization’s systems via a deliberate and carefully planned attack. In its manual variety, penetration testing is performed much in the same way as a malevolent attack might be but with the intention of helping the organization.
Information about the system’s vulnerabilities is collected by the tester or testing team. The vulnerabilities are carefully assessed, and a whole assortment of tools is put to use to exploit them as efficiently as possible in order to breach the system’s defenses and compromise its data. After the simulated attack, a report is created which highlights the findings and offers steps toward remediation of any vulnerabilities that were found.
The advantages and disadvantages of manual penetration testing
Manual testing offers several distinct advantages. These include:
- Allows for in-depth and detailed testing of all 7 security layers of the target system
- Utilizes a variety of different tools to assess and test
- Reveals unexpected vulnerabilities thanks to the creative combination of tools, skills, experience, and information provided by the organization that has requested the test
- Includes pivot attacks – i.e. attacking one system via another
- Eliminates false positives effectively
- Required for a robust and extensive security review
- Provides a snapshot of an organization’s security status
- Offers an exhaustive report on all vulnerabilities in the target system
Despite its many benefits, manual penetration testing is not without its disadvantages. The potential drawbacks of opting for a manual test include:
- Testing all systems can be cost-prohibitive
- Manual testing is a slower process and cannot be repeated regularly
- Results can vary between testers due to a difference in experience and skills
- Errors or omissions may occur, leaving certain vulnerabilities intact
The above are the main pros and cons of conducting a manual penetration test on your systems. While manual testing cannot exhaust all possible cases, it provides a great degree of depth and detail which can result in a significant increase in applications’ security.
What is automated penetration testing?
Automated penetration testing is a bit of a misnomer, as most automated tools are actually scanners rather than tools that test the system by attacking it. Most such tools are more accurately called vulnerability scanners. In addition, because scanners can produce false positives, automated exploit tools are also used to test the vulnerabilities a scanner finds.
New vulnerabilities are discovered daily, and organizations need to be able to quickly establish whether they present a danger to them. This is where vulnerability scanners come in.
The advantages and disadvantages of automated penetration testing
Given the difference in scope, automated testing has its own set of advantages when compared to manual testing. Here are the benefits that automated testing offers:
- Generally cheaper to perform
- Tests can be run regularly and are completed quickly
- New vulnerabilities can be picked up more easily
- Vulnerability scans can be run during the development and security review phases
- No manual input or external assistance is required to run a scan
- Allows for benchmarking over time
- Large amounts of data can be collected and analyzed
Naturally, vulnerability scanners also have disadvantages and limits that you must keep in mind when vetting these options. The cons of choosing automated testing include:
- Cannot test all 7 security layers of a system
- Has a higher chance of arriving at false positives and negatives, and may not be able to verify them
- Cannot perform pivot attacks and can only scan for test cases provided by the vendor
- Lacks human expertise, experience, and skill, and cannot approach problems creatively
- Cannot be used for web applications
- Cannot be used convincingly during a security review
- Reports are pre-generated or created by unskilled personnel, and therefore lack depth and details
Automated penetration testing tools are significantly easier to implement and can be used regularly to keep track of vulnerabilities. Unfortunately, they cannot provide the depth that manual testing offers. So, which solution is better?
What’s good for you?
Ultimately, whether you need manual or automated penetration testing depends on your scope and on your business needs. Ideally, these two approaches are combined.
Manual testing will help you to run a detailed analysis of your system’s current vulnerabilities and establish the measures that you need to take to mitigate these. Automated testing, on the other hand, will help you stay on top of ongoing security threats and get a relative sense of the overall security level of your system.
Looking for manual testing? Here’s how we can help!
Do you need to run a thorough review of the security of your systems? With the help of our cybersecurity testing service, you can get a complete sense of the vulnerabilities that are present in them.
Thanks to the combination of tests that we conduct when performing such a review, we can approach the problem from several different angles. As a result, you will have a clear sense of the issues at hand, along with all the measures that you need to take.
Would you like to know more about how Amatas can help you? Get in touch with us and let’s discuss your cybersecurity testing needs!