- News & Resources: Listings >
- Blog
- How to Improve Safety and Security in Schools – Cloud Manage Network
- Top 10 Cybersecurity Threats in 2024
- Microsegmentation: Protecting Data from Cyber Threats
- Retail shoplifting and loss prevention: How to protect your business
- Generative AI Cost Optimization Strategies
- Why Do I Need to Protect My Cloud?
- 10 Reasons for Engaging Outside Experts to Manage Your Cybersecurity
- Why Hiring a 3rd Party MSP Expert Makes Sense and – and Cents (MANY cents!)
- Brand and Network Considerations When Adopting AI Corporately
- Integrating XDR, SIEM, and SOAR
- 3-2-1 –Go? Not so quick, this time.
- 5 Things a CISO Shoud Know
- 10-Step Patch Management Checklist
- Penetration Testing vs. Breach Attack Simulation
- Current big cyber breaches and impact on businesses
- Smart Infrastructure Gets Lit Up!
- Securing Industrial IoT: The Missing Puzzle Piece
- 7 Common Cybersecurity Mistakes Made by SMBs
- The Future of Physical Security: Cloud-Based Systems
- Autonomous and Sensor Technology Use Surging
- 2024 Facilities Trends Will Require Facilities and IT Teams to Work in Tandem
- NGFW vs. WAF. What’s the Right Firewall for You?
- Chris Hadfield’s Words To Live By
- Industrial Revolution 4.0 + IIoT
- Digital Fluency Drives Innovation
- Your Cloud Needs Protecting, Too
- Your building alarm systems could become obsolete. In 2024!
- Zero Trust 2.0: Zero Trust Data Resilience (ZTDR)
- We just got, or got used to, Wi-Fi 6. What is Wi-Fi 7?
- What Does the Board Need to Know? Business Metrics that CISOs Should Share – 4th and Last in a Four-Part Series
- Why 2024 is the Year for AI Networking
- International Women’s Day is Tomorrow – Great Time to Think About…
- Data-Centric Security Step One: Classifying Your Data
- The Network – Unsung Hero of Super Bowl LVIII
- What Does the Board Need to Know? Business Metrics that CISOs Should Share – Third in a Four-Part Series
- Boosting IT Team Performance by Fostering Intuition, Curiosity and Creativity
- Breach Remediation Costs Can Wipeout Bottom Line and Business
- Hoodied Hackers Now Favour Hugo Boss
- What Do You Need to Tell the Board? Business Metrics that CISOs Should Share – Second in a Four-Part Series
- How to Get People to Re-Engage After the Holidays
- What Does the Board Need to Know? Business Metrics that CISOs Should Share – First in a Four-Part Series
- Android Devices MUST be Updated + IT Departments Being Cut as Privilege Escalation Escalates
- Today’s Common Cloud Migration and Management Concerns
- Protect Your Healthcare Network from Cyberattack – Lives are at Stake
- Happy Halloween: Black Cats Lead to Boo….Hoo.
- Insurance Underwriters are Protecting Their Flanks
- Insurance Companies Cracking Down as Cybercriminals Become Better Business Builders
- Scary Cyberattacks Stats
- Parents, Profs and IT Professionals Perceive Back-to-School Through Different Lens
- Zscaler’s new IDTR and other tools that leverage generative AI
- Vanquish Vaping, Vandalism and Villainy
- Fabric for Fast-Paced Environments
- Changes to Cyber Insurance Requirements – What you Need to Know
- Cybersecurity Readiness – Newly Released Report
- Passwords Leaked…Again
- 10-Step Patch Management Checklist
- Remote – Again – For Now… and Still Maintaining Engagement
- Protecting Pocketbooks, Passwords and Property from Pilfering
- Raspberry Robin: Highly Evasive Worm Spreads over External Disks
- Cisco Introduces Responsible AI – Enhancing Technology, Transparency and Customer Trust
- Managing Customer Trust in Uncertain Supply Chain Conditions
- Hope on the Horizon
- Toys of Tomorrow… What will spark your imagination? Fuel your imagination?
- Protecting Purses and Digital Wallets
- The Password that Felled the Kingdom + MFA vs 2FA
- The MOE’s RA 3.0 and Zscaler
- 7 Critical Reasons for MS Office 365 Backup
- Penetration Testing Important, but…
- Social Engineering and Poor Patching Responsible for Over 90% of Cybersecurity Problems
- Breach Incidence and Costs On the Rise Again + 5 Ways to Reduce Your Risk
- Cybersecurity Insurance Policies Require Security Audits and Pen Testing
- Wireless strategies for business continuity gain importance as enterprise expand IoT, cloud, and other technologies
- How Cybercrooks are Targeting YOU
- Enabling Digital Transformation with Cisco SD-WAN
- WFH Post Pandemic – What It Will Look Like. What You’ll Need.
- Leaders to looking to the IoT to improve efficiency and resiliency
- Cyber Security Vernacular – Well, some of it, for now
- Why You Need Disaster Recovery, NOT Just Back-Ups
- 10 Reasons Why Having an Expert Manage Your Cybersecurity Makes Sense and Saves Dollars
- Converting CapEx IT Investments into Manageable OpEx
- The Hybrid Workplace – Planning the Next Phase
- Cisco Cloud Calling: Empowering Customers to Thrive with Hybrid Work
- When You Can’t Access the Cloud
- How to Keep On Keeping On
- New Cisco Research Reveals Collaboration, Cloud and Security are IT’s Top Challenges
- Threats from Within on the Rise
- Cloud Covered? If Not, Take Cover!
- Zero Trust and Forrester Wave Report
- Password Based Cyber Attack: Like Leaving Keys Under Doormats
- So, What’s Up With Sensors?
- Sensors and Systems Create a Digital “Last Mile” and Help Skyrocketing Costs
- Scanners Provide Peace of Mind for Returning Students and Workers
- Sensors Improve Operations and Bottom Line… Easily and Cost-Affordably.
- Cisco Meraki Looks at 2021
- 2020 Holiday Shopping: Cybersecurity and Other Tips to Safeguard Wallets and Systems
- How to make the most of the technology you have
- Personnel, Planet and Business Progress: More Interdependent Than Ever Before
- Sure… you can get them all in the boat – but can you get them to work well together?
- Pushing the Zero Trust Envelope – Cisco is Named a Leader in the 2020 Forrester Zero Trust Wave
- Cloud Data Must be Protected, Too!
- Don’t Let Anyone Get the Dirt on You – Make It Instead!
- How IoT Devices Can Help You and Your business
- WebEx – A World of Possibility
- Creating Your Breach Response Plan Now Will Save You Thousands Down The Road
- Been hacked? Here’s what you must do next.
- The Need for Pen Testing is At an All-Time High
- 5 Ways an IT Reseller Improves Your Performance and Peace-of-Mind
- 5G and Wi-Fi 6: Faster, more flexible, and future ready. Are you?
- Network and Data Security for Returning and Remote Workers + Disaster Recovery Symposium
- Collaboration and Cisco WebEx: Protecting Your Data
- Thursday’s Virtual Conference Tackles Today’s Supply Chain Trials and Tribulations
- 10 Tips to Reduce Cloud Storage Risk
- COVID-19 Crisis Fuelling IT Spending
- Supply Chain/Logistics Experts Share Their Expertise
- Cisco Breach Defence Overview
- Announcing Our New Website and Blog
It has been nearly three years since we wrote about the importance of pen testing. Although that information is still good, Cisco’s Jason Maynard, Senior Consulting Systems Engineer Cybersecurity Global Security, presented a paper on the topic at the recent Vancouver International Security and Privacy Summit.
Highlights from that talk can be found in Jason Maynard’s Canadian Bacon Series: Penetration Testing vs. Breach Attack Simulation, which we have included here, with permission:
“Building a Defensible Security Architecture
Recently, during my session at Vancouver International Security and Privacy Summit, I focused on building a resilient defensible architecture while elevating our defensive capabilities. One question that came up was, “What is the difference between Penetration Testing and Breach Attack Simulation?”
Well, both have a ton of value although and during the session I focused on Breach Attack Simulation (BAS) as a continuous proactive approach when evaluating your overall security capabilities. That said, lets break this down to highlight the differences between the two and of note one does not replace the other.
Methodology
Penetration Testing: Usually, a manual process where the penetration tester will simulate cyberattacks to identify weaknesses in your overall security posture. This will includes identifying vulnerabilities (weaknesses) in systems, networks, applications, and even people. Skilled professionals will test a variety of opportunities that the adversary will take advantage of such as social engineering, physical security breaches, and application-level attacks. This tends to be done once or twice a year and is typically point in time. Penetration testing provides a ton of value but becomes stale the moment it is complete.
Breach Attack Simulation: BAS tends to be an automated process that leverages software (agents) to simulate a wide range of attacks to identify potential weaknesses in your security posture. These tests help to identify potential vulnerabilities and gaps in overall coverage both prevention and detection. Tests tend to run continuously or at scheduled intervals and helps the organization stay ahead of the adversary.
Scope and Focus
Penetration Testing: Penetration testing tends to be more targeted and focuses on specific systems or applications and can be performed with or without the defender’s knowledge. Penetration testers might be looking for vulnerabilities in new software / service ideally before the service goes to live and is accessible. These tests tend to be very point and time.
Breach Attack Simulation: BAS tends to be broader in scope and aims to simulate real-world attack vectors on a continuous basis across a larger portion of the organization’s environment. This helps in identifying systemic weaknesses including items such as changes that introduce deficiencies in one’s controls over time.
Objective and Results
Penetration Testing: Pen Testers mission is to discover high risk gaps such as vulnerabilities that can be exploited. The goal is to demonstrate how they might be leveraged by an attacker. The exercise provides a detailed report describing the findings and provides remediation advice such as patching or virtual patching a system to remove the risk.
Breach Attack Simulation: BAS goal is to scrutinize one’s security controls on a constant basis. This provides deep insight into the organization’s defensive posture on an ongoing basis which allows for a more of an immediate adjustment to one’s defensive capabilities reducing risk continuously and consistently.
Frequency
Penetration Testing: As mentioned, this is typically performed annually and even biannually. Organizations tend to contract a third party which are highly specialized teams providing external perspective of the current posture in place.
Breach Attack Simulation: BAS runs on a constant basis with higher frequency, such as daily or weekly. BAS being automated doesn’t require the same level of human effort that is required with pen testing. Teams become more agile when testing and can test against the latest threats or tactics driving a prescriptive based outcome to improve defenses.
Complexity and Detail
Penetration Testing: Higher in complexity but may be more comprehensive exercise that can be tailored to the organization’s specific needs. This requires highly skilled professionals that can mimic the adversary in both sophistication and ability.
Breach Attack Simulation: BAS may not cover the same level of complexity and creativity augmented by human intelligence found in pen testing but does provide an effective way to reduce risk on a continuous basis.
Cost
Penetration Testing: Pen Testers do come with a cost due to the specific nuance they address and the skills they provide during the exercise. This is why pen testing is performed once or twice a year.
Breach Attack Simulation: BAS does come with a cost but once installed they tend to lower overall operational costs due to automation. BAS also provides continuous improvement in your overall security posture.
Customization
Penetration Testing: Extremely customizable to meet he needs of the organization. Pen testers can be very sophisticated, agile, and creative providing highly valuable results that may get missed with BAS testing alone.
Breach Attack Simulation: BAS does provide a level of customization but tend to be less customizable in comparison as our human-led pen testers.
Pen Testing and Breach Attack Simulation help improve one’s overall security posture and overall cyber resilience while helping reduce the blast radius. Its not one or the other but a combination of both strategies that can provide a more comprehensive view of your ability to defend (prevent or detect)
Remember, although we want to prevent 100% of bad 100% of the time it’s a loosing battle. Assume breach and build a defensive architecture that allows the business to maintain operations regardless of whether a breach occurs. Detection is key and a minimum in everything defenders do.”
Cloud Managed Networks can offer penetration testing, security solutions for your physical premises, cloud, edge, and points – and we can provide cybersecurity as a managed service, too.
To learn more, please contact us: [email protected], or call 1.877.238.9944.