Note from the Editor: This blog is the third installment of an 8-part blog series entitled, “The Complete Web Application Penetration Test Guide.” To read from the beginning, please go to the blog, “What is a Web Application Penetration Test?“
Knowing the difference between a penetration test and vulnerability scan is critical to optimizing your resources. And, making sure you are taking the necessary steps to reach compliance, secure your network, and determine your level of risk. At a high level: penetration tests are expensive and may be more than your institution needs. Conversely, vulnerability scans, are inexpensive. However, they do not provide the most thorough results. This blog will take a deeper dive into each and highlight the key differences.
Vulnerability Scan
A vulnerability scan is an automated test using an off the shelf software. They will scan across your network for common vulnerabilities. This can be either an external or internal scan, depending on how you have the device configured. The scanner will probe different systems and services across your network against a database of known vulnerabilities. If the scanner determines a system is vulnerable, it will report it and move on.
Vulnerability scans have two major advantages. First, they are cheap. Although there are some free scanners out there, a professional scan will cost you around $1,000 – $4,000 depending on the size of your network. Second, they are automated. This means, once it is configured correctly, you push start and wait for the results. Because of these reasons, many compliance standards require quarterly vulnerability scans. Quarterly vulnerability scans are an excellent way to ensure that your patch management process is working as expected, and your network doesn’t have any vulnerabilities.
Penetration Test
By contrast, a penetration test is expensive. These tests are executed by a highly skilled engineer, or ethical hacker, emulating an attacker trying to hack into your network. The engineer will abide by an agreed upon rules of engagement. Theses will list the scope of the engagement, the target objectives, and the rules he must follow to avoid problems. Similar to a vulnerability scan, penetration tests can be external and/or internal. And highly-customized to meet a wide variety of subsets.
Interestingly, a vulnerability scan is often part of the penetration testing process. Sometimes the engineer will use a vulnerability scan as part of enumerating the network. The penetration test will go much further than just a scan though. Once the engineer completes the scan, they will weed-out false positives by manually verifying the scan.
A vulnerability scan will never exploit a vulnerability. This can lead to many false positives. Additionally, the engineer will demonstrate the risk of each of the vulnerabilities by actively exploiting the vulnerability, and trying to gain access to the network. A penetration test can demonstrate risk far better than a vulnerability scan. This is because vulnerabilities are often combined and exploited in a chain, that demonstrates what an attacker may be able to achieve.
Penetration testing will also check for many things that a vulnerability scan will not. Most of this is due to the fact that it requires manual interaction, some base level of access to identify, or an overview of the network. For example, one of the most critical findings discovered during an internal penetration test is a shared local administrator password. This is often set up for ease of administration. From a risk standpoint though, by sharing the same local administrator password across your network, an attacker who is able to compromise one of your systems can access all systems in your network with that administrator password. It’s no wonder why that would be rated as a critical finding. And, it is often discovered during an internal penetration test not during a vulnerability scan.
Summary
In summary, both vulnerability scans and penetration tests are an important part of a mature information security program. Vulnerability scans are cheaper and automated, meaning you can run them regularly without consuming resources. As a general guideline, your institution should run vulnerability scans once a quarter. And, after any major change to a system or the network. This will allow you to fix any issue that may have fallen through the cracks and ensure your patch management process is working as desired. Vulnerability scans, should not be used instead of penetration testing. Vulnerability scans do not adequately demonstrate risk, are often error prone, and will miss many vulnerabilities, some of which could have dire consequences. As such, conducting penetration testing and vulnerability scans in conjunction is key. Most standards recommend penetration testing annually.
To learn more about these cybersecurity tests and how we can help, please contact us today.
About the Author
Matt is Director of Penetration Testing at SIG. He currently has his PCI QSA, CISSP, OSCP, C|EH, GSEC, GCIH, and CISA certifications. You can find Matt on Twitter @InfoSecMatthew.
