Penetration Testing vs. Vulnerability Scanning
- James Thomas
- Mar 24, 2023
- 2 min read

When people misunderstand the differences between penetration testing and vulnerability scans, they often leave out a vital component of their overall network security profile. Both are crucial for cybercrime prevention.
Vulnerability scans and vulnerability assessments search systems for known vulnerabilities. A penetration test attempts to actively exploit weaknesses in an environment. While a vulnerability scan can be automated, a penetration test requires various levels of expertise.
Regular vulnerability scanning is necessary for maintaining information security. Sentinel analysts have observed some clients performing vulnerability scans weekly and others not performing these vital scans at all. We always recommend scanning every new piece of equipment before it is deployed and at least quarterly afterwards. Any change to the equipment should immediately be followed by another vulnerability scan. The scan will detect issues such as missing patches and outdated protocols, certificates, and services.
Organizations should maintain baseline reports on key equipment and should investigate changes in open ports or added services. A vulnerability scanner (e.g., Nessus, GFI LANGuard, Rapid7, Retina, Qualys) can alert network defenders when unauthorized changes are made to the environment. Reconciling detected changes against change-control records can help determine if the change was authorized or if there is a problem such as a malware infection or a staff member violating change-control policies.
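The baseline-reconciliation step described above, as an added example that is not code from the post or from Sentinel: it diffs a stored baseline of open ports and services against a fresh scan and splits the additions into those covered by a change-control ticket and those that need investigation. The host, port and ticket data are constructed, not real scanner output.

```python
"""Diff a scan baseline against a current scan and reconcile the changes
against change-control records.  All data below is constructed for the
illustration; it is not output from any of the scanners named in the post."""

# Constructed baseline report: host -> {port: service}
BASELINE = {
    "10.0.0.5": {22: "ssh", 443: "https"},
    "10.0.0.9": {3389: "rdp"},
}
# Constructed current scan of the same hosts
CURRENT = {
    "10.0.0.5": {22: "ssh", 443: "https", 8080: "http-proxy"},
    "10.0.0.9": {3389: "rdp", 445: "smb"},
}
# Constructed change-control tickets: (host, port) pairs that were approved
APPROVED = {("10.0.0.5", 8080)}


def diff_scans(baseline, current):
    """Return (added, removed, changed) as sorted lists of
    (host, port, service) tuples; 'changed' means the port is still open
    but the service fingerprint differs from the baseline."""
    added, removed, changed = [], [], []
    for host in set(baseline) | set(current):
        old, new = baseline.get(host, {}), current.get(host, {})
        for port in new.keys() - old.keys():
            added.append((host, port, new[port]))
        for port in old.keys() - new.keys():
            removed.append((host, port, old[port]))
        for port in old.keys() & new.keys():
            if old[port] != new[port]:
                changed.append((host, port, new[port]))
    return sorted(added), sorted(removed), sorted(changed)


def reconcile(added, approved):
    """Split newly exposed services into authorized (a ticket exists)
    and unauthorized (no ticket: possible malware or policy violation)."""
    authorized = [a for a in added if (a[0], a[1]) in approved]
    unauthorized = [a for a in added if (a[0], a[1]) not in approved]
    return authorized, unauthorized


if __name__ == "__main__":
    added, removed, changed = diff_scans(BASELINE, CURRENT)
    ok, investigate = reconcile(added, APPROVED)
    print("authorized additions:  ", ok)
    print("INVESTIGATE (no ticket):", investigate)
    print("removed services:      ", removed, "changed:", changed)
```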
Penetration testing is quite different, as it attempts to identify insecure business processes, lax security settings, or other weaknesses that a threat actor could exploit. Transmission of unencrypted passwords, password reuse, and forgotten databases storing valid user credentials are examples of issues that a penetration test can uncover. Penetration tests do not need to be conducted as often as vulnerability scans, but they should be repeated on a regular basis, at least once per year. Given the large number of new vulnerabilities and attacks released every month, Sentinel recommends conducting a pen test every 6 months.
Penetration tests are best conducted by a third-party vendor rather than internal staff to provide an objective view of the network environment and avoid conflicts of interest. Various tools are used in a penetration test, but the effectiveness of this type of test relies on the tester. The tester should have a breadth and depth of experience in information technology, preferably in the organization’s area of business; an ability to think abstractly and attempt to anticipate threat actor behaviors; the focus to be thorough and comprehensive; and a willingness to show how and why an organization’s environment could be compromised.
A penetration test report should be short and to the point. It can have appendices listing specific details, but the main body of the report should focus on what data was compromised and how. To be useful for the customer, the report should describe the actual method of attack and exploit, the value of the exploited data, the associated risk, and detailed recommendations for improving the organization’s security posture.
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| Frequency | At least quarterly, especially after new equipment is loaded or the network undergoes significant changes | Once or twice a year, as well as any time the network undergoes major changes or new applications are introduced |
| Reporting | Provides a comprehensive baseline of what vulnerabilities exist and what changed since the last report | Detailed narrative-style report with specific findings, a detailed remediation roadmap, guidance on specific issues, and an executive summary |
| Focus | Identifies and lists known software vulnerabilities that could be exploited | Thorough process that discovers unknown and exploitable weaknesses in normal business processes, systems, and applications; attempts to identify any issue a legitimate hacker could exploit |
| Performed by | Typically conducted by in-house staff using authenticated credentials; does not require a high skill level | Best to use an independent outside service and alternate between two or three; requires a great deal of skill |
| Value | Very useful as a routine operation to bolster ongoing patch management processes and ensure systems are protected from known vulnerabilities | Gives an organization insight into where processes may be failing and what large-scale upgrades or network changes should take place, and provides a viewpoint of what an attacker can see and take advantage of |
Vulnerability scanning and penetration testing are both critical to a comprehensive security strategy. They are powerful tools to monitor and improve an organization’s network environment, and should be utilized as part of your organization's overarching Information Security Program.