Penetration testing and vulnerability scans are required more and more often. Whether part of an internal effort to ensure compliance with standards such as HIPAA, PCI, SOC, NIST, and ISO27001, or as a requirement by a client or potential client as specified in a contract, your organization may be called upon to conduct vulnerability scans and penetration tests. Both have to do with looking for security weaknesses in a computer system or network. Finding and addressing such weaknesses is an important part of providing solid information security as well as addressing contractual obligations.
If you find yourself in this position you may first wonder – are they the same? What makes a vulnerability scan different from a penetration test? Do I need both? Here we will clarify the differences between these two activities, so your business, agency, or organization can better determine what sort of product and services are needed.
A vulnerability scan is an automated scan that examines an organization’s systems for “known” vulnerabilities in its operating systems and installed software. Vulnerabilities “known” in this context are those which have been discovered in the wider world. They may or may not be present in your environment, and while they may not appear today, after something changes or as new ones are discovered, they may appear in a future scan. For example, if FTP software is installed after the latest scan, then the next vulnerability scan will list any vulnerabilities found in the FTP software. A vulnerability scan generates a report listing what vulnerabilities were found and a criticality rating for each. The report serves as a blueprint for system and network administrators to start addressing any found vulnerabilities. Vulnerability scans should be run on a regular basis, preferably once a month. Consistent scanning enables an organization to see any new vulnerabilities that may have appeared, and it also verifies that prior vulnerabilities were successfully addressed, for example as security patches are applied. Consistent scanning likewise brings to light any new vulnerability, such as one introduced as an unintended consequence of a configuration change.
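To make concrete what consistent scanning buys you, here is an added example (not from the original article) that compares two monthly scan reports and shows what is new, what was fixed, and what persists, grouped by criticality rating. The hosts, check identifiers and ratings are constructed sample data.

```python
# Added example: diff two consecutive vulnerability scan reports.
# Hosts, check ids and ratings below are constructed for illustration.
from collections import Counter

# Each finding is (host, check id, criticality rating) as a scanner might report it.
LAST_MONTH = [
    ("10.0.0.5", "OPENSSH-OUTDATED", "High"),
    ("10.0.0.5", "TLS-WEAK-CIPHERS", "Medium"),
    ("10.0.0.9", "SMB-SIGNING-DISABLED", "Medium"),
]
THIS_MONTH = [
    ("10.0.0.5", "TLS-WEAK-CIPHERS", "Medium"),
    ("10.0.0.9", "SMB-SIGNING-DISABLED", "Medium"),
    ("10.0.0.9", "FTP-ANON-LOGIN", "High"),  # FTP software installed since last scan
]

def diff_scans(previous, current):
    """Return {'new', 'fixed', 'persisting'} -> set of (host, check, rating)."""
    prev = {(h, c): r for h, c, r in previous}
    cur = {(h, c): r for h, c, r in current}
    return {
        # appeared since the last scan: new software, new disclosures, config drift
        "new": {(h, c, cur[(h, c)]) for (h, c) in cur.keys() - prev.keys()},
        # present last time, absent now: evidence that remediation worked
        "fixed": {(h, c, prev[(h, c)]) for (h, c) in prev.keys() - cur.keys()},
        # still open: the backlog administrators have not yet addressed
        "persisting": {(h, c, cur[(h, c)]) for (h, c) in cur.keys() & prev.keys()},
    }

def summarize_by_rating(findings):
    """Count findings per criticality rating, highest rating first."""
    order = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    counts = Counter(r for _, _, r in findings)
    return sorted(counts.items(), key=lambda kv: order.get(kv[0], 99))

def report(previous, current):
    """Render a short text report that an administrator can act on."""
    d = diff_scans(previous, current)
    lines = []
    for bucket in ("new", "fixed", "persisting"):
        lines.append(f"{bucket}: {len(d[bucket])} {summarize_by_rating(d[bucket])}")
        for host, check, rating in sorted(d[bucket]):
            lines.append(f"  [{rating}] {host} {check}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(LAST_MONTH, THIS_MONTH))
```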
Penetration testing, in contrast, is an activity in which a person (not automation) attempts various techniques to actually “penetrate” a system: that is, to play the role of a malicious actor and actually exploit weaknesses that may or may not be “known” and may or may not be revealed by an automated vulnerability scan. Vulnerability scanning can provide the penetration tester with information useful to the attempt, so scanning can be part of the penetration test, but the penetration test is a much more comprehensive test of an organization’s security. Where a vulnerability scan reports on possible weaknesses in an organization, a penetration test actively exploits those weaknesses and attempts to perform actions that a malicious actor might, such as harvesting user and administrator credentials.
The end product of a penetration test is a report detailing the methodology used, weaknesses found, data compromised, and guidance on how weaknesses might be addressed. Because they are comprehensive, time consuming and labor intensive, penetration tests are usually run less frequently than vulnerability scans – perhaps once or twice annually.
Vulnerability scans and penetration testing do have similarities, and they both have a role to play in information security. The largest difference is that a vulnerability scan is meant to report potential weaknesses for an organization to fix, while a penetration test demonstrates the existence of weaknesses and the potential damage that could be caused. Most penetration tests will contain a vulnerability scan as part of their process, but no vulnerability scan ever qualifies as a penetration test.
If you are among the increasing number of organizations looking to utilize penetration testing and vulnerability scanning, your first question may well be how they are different. We hope to have clarified the differences in this article and given you a better understanding of how to use them to meet your objectives. Another set of questions arises when contemplating the multitude of options available for penetration testing. In our next post we will be exploring the different types of penetration tests and how your goals and objectives drive the process.