3. Compare types of cyber security testing (AC 1.3)

Penetration testing

Pros: It can find a wide range of weaknesses in devices, systems or networks. Even a seemingly insignificant flaw can lead to catastrophic results, and a pen test will spot it. This kind of test gives specific advice on how to fix the issues.

Cons: If not done properly, the test itself can cause problems in the system; the pentesters could accidentally break something. You also have to trust the testers, as this test leaves you in a vulnerable position. The test has to be done under real-world conditions, otherwise the results might be misleading and/or completely useless.

Red team testing

Pros: This kind of test is great when you want to test your whole IT team or Security Operations Centre (SOC) team. It tests how well they react to a simulated real-world attack. It's mainly intended for larger companies that need to know how their team would handle a serious attack, and it gives the organisation an idea of what a real attack would be like.

Cons: It can be very expensive, and it won't reveal all security flaws.

Vulnerability scanning

Pros: Regular scans help you understand how strong your security is. It's a cost-effective way of continually checking for problems. By keeping your system free of vulnerabilities you avoid paying hefty fines for breaking the Data Protection Act, should your database be hacked and data leaked. It's also very quick at highlighting problems that might have been missed in the past.

Cons: You won't find every issue, and sometimes a scan may mistakenly flag something as a problem that isn't actually an issue (a false positive).

Social engineering testing

Pros: This kind of testing prepares your business for attacks that target people, which are very common. It also helps train employees to avoid falling for social engineering tricks.

Cons: It only tests the people, so it won't find any technical vulnerabilities. And because bad actors are always coming up with new ways to trick people, the test might become outdated quickly.