Vulnerability scans and penetration tests are assessment methods that an organization uses to identify network, computer system and application control weaknesses that should be mitigated.
How can you know what the benefits are and why your company would need a vulnerability scan or penetration test? It’s a complex topic. That’s why we’ve boiled down the basics of what they are, how they work, why companies need them and what they do to protect businesses’ data.
Terms to Know
Before we consider the differences between a vulnerability scan and a penetration test, or why an organization would need one, let’s consider some fundamental terminology.
Risk is defined as the potential for damage, destruction or loss to an asset from a threat, which exploits a vulnerability (i.e., weakness in protection efforts). The goal of any cybersecurity program is to understand, manage and limit risk to mission-critical assets. Once threats to the organization’s assets are identified, protection controls can be put in place to minimize those risks to acceptable levels.
Risks are mitigated through a set of controls that are defined and implemented by a company according to its strategic, budgetary and operational priorities. Once selected, the organization’s set of management, operational and technical security controls should be routinely assessed to determine if the controls are implemented correctly, operating as intended and producing the desired results.
Now that you know the basics of risks, threats, vulnerabilities and controls, let’s dive into the differences between vulnerability scanning and penetration testing.
What is the Difference Between a Vulnerability Scan and a Penetration Test?
Vulnerability and penetration testing tools are valuable components of an organization’s layered information technology (IT) security defenses. They are critical for assessing patch and configuration management and for compliance with certain cybersecurity standards like HIPAA, PCI and SOC. Although the terms vulnerability scan and penetration test are sometimes confused and used interchangeably, there are key differences.
“Vulnerability assessment” generally refers to the use of software to scan networks for known weaknesses. These vulnerabilities may be related to errors in software code or in configuration settings, which an attacker could exploit. Vulnerability scanning is an automated process.
Penetration testing (also known as “pen testing”) is a specifically targeted ethical hacking exercise in which a certified professional attempts to identify and then exploit vulnerabilities on a network, computer system or web application. Penetration testing is not an automated process; it requires a qualified expert using numerous software tools for discovery and exploit testing of enumerated vulnerabilities.
While both have internal and external applicability, vulnerability scans are most often performed within the network, while penetration testing attempts to circumvent controls from outside the network, mimicking an external attacker.
Below, we have outlined both vulnerability scanning and penetration testing, their unique factors and what sets each apart from the other.
What is Vulnerability Scanning?
Vulnerability scanners are commercially licensed software tools that are configured to run automated scans of one or more devices on a network segment. Vulnerability scanning is used to detect, and provide remediation guidance on, “known” software and hardware vulnerabilities, i.e., those that have been publicly documented.
How do vulnerability scanners work?
Scanners reference a continuously updated database of Common Vulnerabilities and Exposures (CVE), which tracks publicly known information security vulnerabilities. Matches are reported ranked by severity level based on the Common Vulnerability Scoring System (CVSS) in order to prioritize remediation efforts (e.g., Critical, High/Severe, Moderate/Medium, Low and Informational).
Vulnerability scanning also detects weaknesses in security components (e.g., outdated ciphers) and systems that are missing from patch management or on which a past update failed to install.
What is the scope of vulnerability scanning?
Vulnerability scanning can either be acquired from a service provider or purchased for internal use. Commercial licensing for vulnerability scanners is typically based on the number of devices to be scanned. Supported devices include routers, firewalls, switches, servers, storage, printers, workstations, operating systems and applications. Commercial product examples include Acunetix, IP360, Nessus, QualysGuard, Rapid7 and Retina. See OWASP (Open Web Application Security Project) for a larger list of network and web application scanning tools.
The National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) publish security benchmarks, which are industry recognized as best practices and can be referenced by vulnerability scanning. CIS hardened images are now available for leading cloud platforms like Microsoft Azure. For information on baselines, see CIS Benchmarks and NIST NVD.
Why do companies use vulnerability scanners?
Vulnerability scanning reports provide IT personnel and management with actionable intelligence and remediation guidance. They provide critical feedback for correcting configuration errors and maintaining established security baselines, and these reports are essential for assessing the effectiveness of patch management solutions.
Scanning solutions can be automated and configured for compliance baseline reporting.
The majority of known vulnerabilities are mitigated by patching or upgrading software, or by correcting misconfigurations, and most patches mitigate multiple vulnerabilities. Vulnerabilities with published exploits or that are used by malware kits are flagged in scanning reports so that their remediation can be prioritized.
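As an added illustration (not code from this article or from any scanner vendor), the Python below triages a constructed scan export the way the reports described above are used: it bands CVSS scores into severity levels, places findings with a public exploit ahead of others in the same band, and groups findings by the single patch or configuration change that remediates them. The finding records, host addresses and fix names are constructed placeholders, and the score bands are the CVSS v3 qualitative ranges used by NVD.

```python
"""Triage constructed vulnerability-scan findings by CVSS band, exploit status and patch.
Added example, not the article's or any vendor's code; all records below are constructed."""
from collections import defaultdict

BAND_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to the NVD qualitative severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"  # score 0.0: informational finding only


def prioritize(findings):
    """Order findings: worst band first, public exploit before none, then higher CVSS."""
    key = lambda f: (BAND_RANK[cvss_band(f["cvss"])], not f["exploit_public"], -f["cvss"])
    return sorted(findings, key=key)


def group_by_fix(findings):
    """Group finding ids by the patch or config change that remediates them."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["fix"]].append(f["id"])
    return dict(groups)


# Constructed sample export (ids, hosts and fix names are placeholders, not real data).
FINDINGS = [
    {"id": "F-1", "host": "10.0.0.5", "cvss": 7.5, "exploit_public": False, "fix": "patch-A"},
    {"id": "F-2", "host": "10.0.0.5", "cvss": 9.8, "exploit_public": True, "fix": "patch-A"},
    {"id": "F-3", "host": "10.0.0.9", "cvss": 5.3, "exploit_public": True, "fix": "disable-legacy-tls"},
    {"id": "F-4", "host": "10.0.0.9", "cvss": 7.2, "exploit_public": True, "fix": "patch-A"},
    {"id": "F-5", "host": "10.0.0.7", "cvss": 0.0, "exploit_public": False, "fix": "none"},
    {"id": "F-6", "host": "10.0.0.7", "cvss": 7.8, "exploit_public": False, "fix": "patch-B"},
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(cvss_band(f["cvss"]), f["id"], f["host"], "public exploit" if f["exploit_public"] else "")
    for fix, ids in group_by_fix(FINDINGS).items():
        print(fix, "remediates", ids)
```

Note that F-4 (7.2 with a public exploit) outranks F-6 (7.8 without one) inside the High band, and that patch-A alone closes three of the six findings.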
How often should companies have a vulnerability scan?
Software is constantly changing with patches and updates, so weekly scanning is recommended for companies that can afford to implement a scanning solution. However, all companies should have a vulnerability scan quarterly at a minimum for attestation purposes.
What is Penetration Testing?
Penetration testing mimics real-world attack methods to identify areas of weakness that could be exploited. It probes the safeguards protecting networks, systems and applications, testing vulnerabilities that are susceptible to attack, to confirm that controls have been implemented and are working effectively.
How does penetration testing work?
Penetration testing is not an automated process, though certain tools, like Metasploit, have been developed with automated penetration testing capabilities. Penetration testing requires an ethical hacker with qualified expertise to identify, enumerate and execute targeted exploits. Ethical hackers utilize many tools, including vulnerability scanners, during the progressive stages of penetration testing.
Penetration testing strategies are referred to as either whitebox, graybox or blackbox testing.
- Whitebox testing occurs when the tester knows everything about the target, and is provided with diagrams and architectural details of the network, system or program.
- Blackbox testing occurs when the tester has no knowledge of the target except what is publicly available (e.g., the tester is sometimes given only an IP address or range).
- Graybox testing is used to examine what is possible with insider access.
- Outside testing is conducted remotely and examines what a hacker or outsider can access or do.
- Inside testing is conducted locally, or with remote access, and examines what an employee or insider can access or do.
The stages of penetration testing defined by NIST SP 800-115 are:
- Planning – scope, limits and boundaries
- Passive – covert information gathering and reconnaissance activities
- Active – efforts involving scanning of networks to enumerate hosts, and further scanning of hosts and applications
- Vulnerability enumeration – selecting the candidates to be exploited
- Attack – the ethical hacker initiates the steps, tools and scripts intended to exploit targeted vulnerabilities, in order to gain access, escalate privilege, browse the system and expand the degree of control
- Reporting – documentation compiled during each step of the test should be used to compile the final report of findings, which should serve as the basis for corrective action. Corrective action can vary from as little as enforcing existing policies to firewall changes or server upgrades.
What is the scope of a penetration test?
Penetration testing requires a Rules of Engagement agreement to be executed, which defines the testing scope and timeline and serves as the tester’s get-out-of-jail card. Appropriate intermediaries must then be alerted before testing commences (e.g., telecom and datacom, internet service providers, cloud service providers, etc.).
While ethical hackers may utilize unpublished exploits, they normally don’t develop them, and tests usually aren’t exhaustive in nature. The amount of testing to be performed must be defined in a scope document, and testing will often stop upon successfully penetrating the target rather than attempting all possible exploits. A testing scope that limits the attack phase to two weeks is not uncommon, and testing can even be limited to specific functions of a single application. External testing will normally target a range of firewall-connected public IP addresses, with concentrated testing on selected addresses (e.g., email server, web server, VPN, etc.). The scope should target important assets and areas of greater risk, while also considering cost and time (i.e., testing restrictions and limits).
Where do companies use penetration testing?
Annual penetration testing is most often performed externally against internet-facing network and web application assets to identify weaknesses. Testing should also be conducted internally to assess network segmentation and least privilege access restrictions. Further, testing may be expanded to include denial of service (DoS), wireless network, social engineering, telephony and physical security attacks.
Service interruptions caused by testing are rare, but provide valuable insight when they occur. Since testing can cause a service interruption, the timing of certain tests should be coordinated to minimize the impact of such an occurrence.
How often should companies have a penetration test?
Companies should have a penetration test annually at a minimum for attestation purposes. More frequent testing is warranted when changes have been introduced to the network, such as the deployment of new infrastructure, firewall rules, software or firmware.
How do I know which one my company needs?
It’s really not a question of which one is needed, but how often you need each (penetration testing at least annually and vulnerability scanning at least quarterly). Due care involves the use of both of these auditing controls and will help to limit the company’s susceptibility to a breach from malware, a ransomware attack or an internal user.
Attackers are constantly probing your network, whether you do or not. Also, insider threats account for two-thirds of all breaches of protected information (e.g., credit card, health, and personal data), and most of those are accidental and preventable.
It’s important to scan and test your external infrastructure and internet-facing applications to guard against external threats. Scan and test your internal network and applications to guard against insider threats. Audit, using both of these functions, to ensure the company’s controls are correctly in place, and to ensure network segments are properly isolated and patches are up to date.
How can I learn more?
If you would like more information on business processes, information security, vulnerability scanning or penetration testing, please feel free to contact us today.
NIST’s Technical Guide to Information Security Testing and Assessment can be found here.