We’ve noticed quite a few folks using the terms vulnerability scan and penetration test interchangeably. While both are an integral part of any organization’s security process, they are not the same. In an effort to eliminate confusion, let’s clarify the differences between vulnerability assessments and penetration tests (pen tests). Before we get into the comparison, let’s first review what a “vulnerability” is.
What is a vulnerability?
A vulnerability is a weakness or ‘hole’ in a computer system that the developer did not intend to create and that may allow an attacker to gain unauthorized access to the system. Vulnerabilities, if left unfixed, give an outsider an opportunity to exploit the system, alter its performance, or steal data. Some examples of vulnerabilities include Heartbleed, zero-day flaws in Microsoft, Flash, or Java products, and the POODLE vulnerability.
The United States Department of Homeland Security helps maintain a catalog of publicly known security vulnerabilities, referred to as CVEs (Common Vulnerabilities and Exposures). While it is nearly impossible to know how many vulnerabilities or CVEs exist today, the 2015 Verizon Data Breach Investigation Report confirmed over 7 million known vulnerabilities between 2004 and 2014.
A vulnerability scan is an automated, in-depth test that looks for known vulnerabilities in your systems. Once it identifies weaknesses, it ranks how critical they are in terms of how likely they are to be exploited. A good scan can search for approximately 50,000 vulnerabilities. Vulnerability scans should be run routinely, either monthly or quarterly, depending on your network. This way, you can be alerted when an unauthorized change has been made or when new vulnerabilities are discovered, which happens every day.
Some vendors offer monthly vulnerability management programs, which are a cost-effective way to keep your finger on the pulse of your environment. Organizations that insist on running scans only once per year run a much greater risk of being exploited, as new vulnerabilities can remain open for up to a year.
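As an added example (not from the original article), here is the routine-scan alerting described above reduced to its core: diff last month’s results against this month’s, rank anything new by CVSS severity, and flag services that were not exposed before as candidate unauthorized changes. The five-field export format, the host addresses and the CVE-EXAMPLE identifiers are constructed sample data, not output from any real scanner.

```python
# Added example (not from the original article): diff two routine scan results,
# rank new findings by CVSS and flag newly exposed services. The scan records are
# constructed sample data in an assumed "host,port,service,id,cvss" export format.
from collections import namedtuple

LAST_MONTH = """\
10.0.0.5,443,https,CVE-EXAMPLE-0001,9.8
10.0.0.5,22,ssh,CVE-EXAMPLE-0002,5.3
10.0.0.9,80,http,CVE-EXAMPLE-0003,7.5
"""
THIS_MONTH = """\
10.0.0.5,443,https,CVE-EXAMPLE-0001,9.8
10.0.0.9,80,http,CVE-EXAMPLE-0003,7.5
10.0.0.9,3389,rdp,CVE-EXAMPLE-0004,8.8
10.0.0.12,21,ftp,CVE-EXAMPLE-0005,6.1
"""

Finding = namedtuple("Finding", "host port service cve cvss")

def parse_scan(text):
    """Turn one scan export into a set of Finding records (blank lines skipped)."""
    findings = set()
    for line in text.splitlines():
        if line.strip():
            host, port, service, cve, cvss = line.split(",")
            findings.add(Finding(host, int(port), service, cve, float(cvss)))
    return findings

def severity(cvss):
    """CVSS v3 qualitative rating; thresholds 9.0/7.0/4.0 follow the v3 spec."""
    return "Critical" if cvss >= 9.0 else "High" if cvss >= 7.0 else "Medium" if cvss >= 4.0 else "Low"

def compare_scans(previous, current):
    """Return what a routine scan should alert on: new and fixed findings
    (most severe first) and services exposed now that were not exposed before."""
    prev, cur = parse_scan(previous), parse_scan(current)
    def exposed(findings):
        return {(f.host, f.port, f.service) for f in findings}
    return {
        "new": sorted(cur - prev, key=lambda f: -f.cvss),
        "fixed": sorted(prev - cur, key=lambda f: -f.cvss),
        "new_services": sorted(exposed(cur) - exposed(prev)),
    }

if __name__ == "__main__":
    delta = compare_scans(LAST_MONTH, THIS_MONTH)
    for f in delta["new"]:
        print(f"NEW    {severity(f.cvss):<8} {f.cvss:>4} {f.host}:{f.port} {f.cve}")
    for f in delta["fixed"]:
        print(f"FIXED  {f.host}:{f.port} {f.cve}")
    for host, port, service in delta["new_services"]:
        print(f"CHANGE {service} newly exposed on {host}:{port}")
```

Run against a real scanner export, the "new" list is what the monthly review triages first and the "new_services" list is what to check against the change-management record.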
A penetration test is a live attempt to hack your network through open vulnerabilities and gain access to sensitive data. The tester first runs a full scan of your internal and external network. Once all potential vulnerabilities have been discovered, they attempt to exploit one of them to gain access to your domain. The penetration test is rounded off with a full report of all vulnerabilities, how to fix them, and what systems were accessed without permission. This provides you with a “snapshot in time” of your security posture and allows a firm to realign its security services with its evolving needs. Depending on the scope, a pen test may also include physical security testing or social engineering attacks, designed to test the security of your office and the knowledge and actions of end users.
A penetration test should be performed annually. Unlike vulnerability scanning, which can be performed by your outsourced IT provider, a pen test should be performed by an independent third party.
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| Overall | An automated scan to find all known vulnerabilities in a network | An in-depth examination of known vulnerabilities and an actual attempt to (ethically) exploit the vulnerabilities |
| Process | Automated | Manual, live examination |
| Duration | Usually takes less than an hour | Can take anywhere from 1 day to 3 weeks depending on scope |
| Recommended frequency | Should be performed monthly and after new equipment is installed | Should be performed annually or bi-annually |
| Performed by | Can be performed by in-house staff or your IT provider | Should be performed by an independent auditor |
| Helps maintain compliance with | HIPAA, PCI, SOC, ISO, NIST | HIPAA, PCI, SOC, ISO, NIST |
| Cost | Low – Moderate | Moderate – High |
| Deliverable | A report listing all vulnerabilities found in order of severity and risk. Some may provide recommendations for remediation. | An in-depth report explaining the method of attack, results, and recommendations for remediation. |
Which is best for your organization?
Most organizations should start with a vulnerability assessment, resolve potential issues to the best of their ability, and then have a pen test performed. Once the network has been secured to the satisfaction of both parties, then vulnerability scans should be run regularly and as new equipment is added. Together, these tools will go a long way to improving your security posture and preparedness.