Vulnerability scan and penetration test: what do these terms mean, and how do they relate in a security assessment? The differences between a scan and a pentest are important, but they are often confused.
So what is the difference between these two assessments, and how do they fit together? More importantly, which should you consider when assessing your security posture?
UNDERSTAND THE BASICS
Let’s set the record straight.
| |Vulnerability Scan|Penetration Test|
|Definition|Also known as a “vulnerability assessment,” vulnerability scanning uses automated tools to scan for known vulnerabilities (loopholes) on a system, network, or application.|Also known as a “pentest” or “ethical hacking,” penetration testing is a manual technical test that goes beyond vulnerability scanning: it identifies vulnerabilities (loopholes) on a system, network, or application and then attempts to exploit them.|
|Common Methodology|Scan engines (e.g. Nessus, Nexpose) are run against the target to gather meaningful information about hosts, services, and their weaknesses. From an attacker’s perspective, a vulnerability is an open door into an otherwise secure building; from the security team’s perspective, it is the opportunity to close that door.|The pentester uses a mixture of automated tools and manual exploitation. The automated tools include network discovery (e.g. Nmap), vulnerability scan engines (e.g. Nessus, Nexpose), and exploitation frameworks (e.g. Metasploit). The manual work consists of gathering and interpreting the tool output to break into the system, network, or application, and of searching by hand for vulnerabilities that automated scanners miss.|
|Key Differences|A scan only discovers known vulnerabilities. It does not attempt exploitation; it reports the possible existence of a vulnerability, usually inferred from version banners and configuration, so false positives do occur.|The pentester attempts to exploit the vulnerabilities to verify that they are real and to show their impact. In the real world, exploitation by an attacker could be as simple as dumping the contents of a database server, sniffing traffic on an internal network, or compromising a web application.|
SHOULD I CONDUCT A PENETRATION TEST AND/OR A VULNERABILITY SCAN?
The answer to this question depends on several key factors. Questions for you to ask include:
ARE WE REQUIRED TO DO ONE (OR BOTH)?
Certain laws and industry standards require that pentests and vulnerability scans be conducted on a regular basis. Organizations subject to PCI DSS, HIPAA, GLBA/FFIEC, or U.S. federal security requirements commonly face annual pentests and/or quarterly vulnerability scanning. It is imperative that organizations understand which laws and standards they must comply with, since those set the type and frequency of the tests and scans required.
WE’RE NOT REQUIRED TO DO EITHER; SHOULD WE STILL CONDUCT THEM?
This depends on the type of data your organization handles. Most consumers and business-to-business (B2B) customers care about the security and privacy of their data, particularly when a third-party organization provides a service to them. If your organization handles data that is personally identifiable information (PII) of a consumer, or that is classified as business confidential in a B2B relationship, regular pentests and vulnerability scanning should be performed to protect your organization’s own business interests. This is considered an industry best practice.
WE DON’T STORE SENSITIVE CUSTOMER OR B2B DATA; HOW IMPORTANT ARE PENETRATION TESTS AND VULNERABILITY SCANS THEN?
Even if your organization does not handle sensitive customer data, consider your employee data and your business processes. Penetration testing and vulnerability scanning are part of a comprehensive security framework for protecting company assets. Gaps discovered by a pentest or a scan give the organization the chance to act on them before an attacker finds them.
WE JUST FINISHED A PENTEST/VULNERABILITY SCAN; HOW DO WE KNOW IF IT’S “GOOD ENOUGH”?
Most laws and standards will dictate what is “acceptable” on a pentest report or a vulnerability scan. The criteria below are generally considered an industry best practice:
Scan tools rank discovered vulnerabilities by severity, typically as Critical, High, Medium, Low, and Informational. Critical, High, and Medium vulnerabilities indicate that a system or application is at much greater risk of being exploited, and they let organizations prioritize what to patch first when there are no significant business or technological constraints. Scanning trends over time should show that previously reported Critical, High, and Medium vulnerabilities are remediated promptly (30 days from discovery is considered best practice) even as new vulnerabilities are identified.
The goal of a pentest is to test the organization’s defense capabilities against a simulated attack by finding vulnerabilities and attempting to exploit them. Most pentest reports rank findings on the same Critical, High, Medium, Low, and Informational scale. However, those rankings should be treated as higher priority than the same rating on a vulnerability scan: a scanner’s rating is inferred and may be a false positive, whereas the pentester has confirmed the vulnerability by exploiting it.
You can also read more in our previous blog post Four Things Every Penetration Test Report Should Have.
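As an added example (not code from the original post), the following Python script applies the triage rules above to a constructed scan report: it parses findings from XML in the shape of a Nessus v2 (.nessus) report, orders them by severity with pentester-confirmed findings ahead of scan-only findings of the same rating, and flags Critical, High, and Medium findings that have been open longer than 30 days. The report contents, the first-seen dates, and the set of confirmed findings are all constructed for illustration, and the function names (parse_nessus, triage, demo) are the example's own.

```python
"""Triage vulnerability-scan findings by severity and check the 30-day SLA.

Added example. The XML below is a constructed sample in the shape of a
Nessus v2 (.nessus) report with placeholder plugin names; it is not real
scanner output and contains no real identifiers.
"""
from dataclasses import dataclass
from datetime import date
import xml.etree.ElementTree as ET

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}
SLA_DAYS = 30  # remediation target for Critical/High/Medium findings


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    name: str
    severity: str


def parse_nessus(xml_text: str) -> list:
    """Pull (host, port, plugin name, risk factor) out of ReportHost/ReportItem elements."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            risk = item.findtext("risk_factor", default="None")
            severity = "Informational" if risk == "None" else risk
            findings.append(Finding(host.get("name"), item.get("port"),
                                    item.get("pluginName"), severity))
    return findings


def triage(findings, first_seen, confirmed, today):
    """Order findings for remediation and flag SLA breaches.

    first_seen: {Finding: date} from the organization's own tracking (assumed here).
    confirmed:  Findings the pentester actually exploited; they outrank scan-only
                findings of the same severity because they cannot be false positives.
    Returns a list of (finding, days_open, overdue) tuples.
    """
    def sort_key(f):
        return (SEVERITY_RANK[f.severity], f not in confirmed, f.host, f.port)

    result = []
    for f in sorted(findings, key=sort_key):
        days_open = (today - first_seen.get(f, today)).days
        in_sla_scope = SEVERITY_RANK[f.severity] <= SEVERITY_RANK["Medium"]
        result.append((f, days_open, in_sla_scope and days_open > SLA_DAYS))
    return result


# Constructed sample report (placeholder names, no real plugin IDs or CVEs).
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" protocol="tcp" severity="4" pluginName="Placeholder critical finding">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
      <ReportItem port="8080" protocol="tcp" severity="3" pluginName="Placeholder high finding A">
        <risk_factor>High</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="443" protocol="tcp" severity="3" pluginName="Placeholder high finding B">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="22" protocol="tcp" severity="1" pluginName="Placeholder low finding">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def demo(today=date(2024, 4, 1)):
    """Run the triage over the constructed report with constructed tracking data."""
    findings = parse_nessus(SAMPLE_NESSUS)
    by_name = {f.name: f for f in findings}
    first_seen = {  # constructed: when each finding first appeared in a scan
        by_name["Placeholder critical finding"]: date(2024, 2, 10),  # 51 days open
        by_name["Placeholder high finding A"]: date(2024, 2, 20),    # 41 days open
        by_name["Placeholder high finding B"]: date(2024, 3, 25),    # 7 days open
        by_name["Placeholder low finding"]: date(2024, 1, 1),        # old, but Low is outside the SLA
    }
    confirmed = {by_name["Placeholder high finding B"]}  # exploited during the pentest
    return triage(findings, first_seen, confirmed, today)


if __name__ == "__main__":
    for f, days, overdue in demo():
        flag = "OVERDUE" if overdue else "ok"
        print(f"{f.severity:<13} {f.host}:{f.port:<5} {days:>3}d {flag}  {f.name}")
```

Note that the Low finding is the oldest item in the sample yet is never flagged: the 30-day clock applies only to the tiers the text names, and the pentester-confirmed High finding sorts above the scan-only High even though it was found more recently.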
WHAT ARE THE RECOMMENDED FREQUENCIES FOR VULNERABILITY SCANNING AND PENTESTS?
Industry best practice is to conduct vulnerability scanning at least quarterly; critical business assets should be scanned monthly. New systems, devices, or applications that serve as a critical or sensitive component of the organization should also be scanned before going “live,” so the organization can verify that the new technology does not degrade the current cybersecurity posture of the environment.
Pentests are recommended annually, or semi-annually for higher-risk environments. As with vulnerability scanning, laws and regulations define frequency requirements that organizations must meet. High or above findings in a pentest report should be remediated as soon as possible and then retested by the pentester to verify closure. New, critical (or sensitive) systems, devices, or applications should also be pentested before going “live,” to surface any High findings that vulnerability scanning alone would not have captured.
Remember, pentests and vulnerability scans provide a “point in time” snapshot of your cybersecurity posture. A “do once” mentality is not recommended as the threat landscape and technological environment continues to change.
CAN WE GET BY WITH DOING ONLY A PENETRATION TEST (OR ONLY VULNERABILITY SCAN), BUT NOT BOTH?
Pentesting and vulnerability scanning go hand in hand; using one in place of the other is not recommended. If you have to choose, we recommend a penetration test: vulnerability scanning identifies basic weaknesses, but a pentest takes those weaknesses several steps further by establishing whether an attack against them would actually succeed.
The chart below distinguishes the characteristics of each and some things to consider:

Vulnerability scan advantages:
- Basic identification of systemic weaknesses on systems, devices, or applications.
- Allows security teams to prioritize patches for vulnerabilities ranked Critical, Severe, or High.
- Scans run more frequently and return results on basic weaknesses faster than a pentest.
- Rarely requires significant resources to configure and maintain the tool.

Vulnerability scan disadvantages:
- Does not attempt to exploit the vulnerabilities as a pentest would.
- Does not guarantee all systems, devices, or applications are discovered if the scan tool is improperly configured (for example, hosts that drop the scanner’s discovery probes appear to be offline).
- Does not provide “auto patching” of discovered vulnerabilities.
- Interpretation of the vulnerability data can be overwhelming.
- Does not involve human judgment or decision making (e.g. risk and cost-benefit analysis).

Penetration test advantages:
- More robust than vulnerability scanning; a deep dive into the organization’s defense capabilities that simulates a real-world cyberattack.
- Attempts to find all types of vulnerabilities and subsequently exploit them.
- Could reveal that an organization has already been compromised, or aid a forensic investigation.
- Helps verify the state and layout of the overall network environment.
- Provides insight into the defense mechanisms that should be deployed.

Penetration test disadvantages:
- Does not guarantee all vulnerabilities will be discovered or successfully exploited.
- Does not guarantee an organization is entirely “secure” if there are no significant findings or all findings have been remediated.
- Can require significant resources, including time and skill.
- Legal issues could arise if permission to conduct the pentest, including its scope, is not explicitly given to the tester in writing.
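As an added example (not from the original post), the script below checks two of the caveats in the chart above: whether a discovery scan missed hosts that are in the asset inventory (a sign of misconfiguration or of hosts that drop the probes), and whether the scan touched anything outside the authorised scope, which must be excluded before any exploitation step. It parses constructed XML in the shape of Nmap’s -oX output; the inventory list, the scope CIDRs, and the function names (parse_nmap_up_hosts, coverage_gaps, demo) are the example’s own assumptions.

```python
"""Scan coverage and scope check.

Added example. The XML is a constructed sample in the shape of Nmap's XML
output (nmap -sn -oX -); it is not a real scan, and the inventory and scope
below are made up for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET


def parse_nmap_up_hosts(xml_text: str) -> set:
    """Return the IPv4 addresses of hosts that Nmap reported as up."""
    up = set()
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                up.add(addr.get("addr"))
    return up


def coverage_gaps(up_hosts, inventory, scope_cidrs):
    """Compare discovered hosts with the asset inventory and the authorised scope.

    missing:      inventory hosts the scan did not see (down, firewalled, or hidden
                  by the scanner's discovery settings, e.g. ping-only probes).
    out_of_scope: discovered hosts not inside any authorised CIDR; these must be
                  removed from the target list before exploitation begins.
    """
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]

    def in_scope(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return {
        "missing": sorted(set(inventory) - set(up_hosts), key=ipaddress.ip_address),
        "out_of_scope": sorted((h for h in up_hosts if not in_scope(h)),
                               key=ipaddress.ip_address),
    }


# Constructed sample: a ping sweep of 10.0.0.0/28 plus one host outside it.
SAMPLE_NMAP = """<nmaprun scanner="nmap" args="nmap -sn -oX - 10.0.0.0/28 10.0.1.7">
  <host><status state="up" reason="arp-response"/><address addr="10.0.0.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="arp-response"/><address addr="10.0.0.5" addrtype="ipv4"/></host>
  <host><status state="down" reason="no-response"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
  <host><status state="up" reason="syn-ack"/><address addr="10.0.1.7" addrtype="ipv4"/></host>
</nmaprun>
"""
INVENTORY = ["10.0.0.1", "10.0.0.5", "10.0.0.9", "10.0.0.12"]  # constructed CMDB export
SCOPE = ["10.0.0.0/28"]                                        # constructed written authorisation


def demo():
    """Run the check over the constructed scan, inventory, and scope."""
    return coverage_gaps(parse_nmap_up_hosts(SAMPLE_NMAP), INVENTORY, SCOPE)


if __name__ == "__main__":
    gaps = demo()
    print("inventory hosts not seen by the scan:", gaps["missing"])
    print("scanned hosts outside the authorised scope:", gaps["out_of_scope"])
```

A non-empty missing list should prompt a review of the scanner’s host-discovery settings before anyone concludes that the assets are offline; a host that drops ICMP looks down to a ping-only sweep, and Nmap’s -Pn option skips host discovery and probes every target. Anything in out_of_scope has to be dropped from the target list, since the written authorisation is what keeps the test legal.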
WHERE TO FIND OUT MORE INFORMATION?
Organizations that are serious about their cybersecurity efforts should conduct both regular pentesting and vulnerability scanning. Each complements the other, and together they give a more holistic view of security. An “a la carte” approach leaves an organization blind to risks that would have been captured had both been used.
If organizations are only looking for something quick and inexpensive, vulnerability scanning will provide this insight. Popular network vulnerability scanning tools include Nessus and Nexpose. Popular web application vulnerability scanning tools include Acunetix and QualysGuard. Some vendors offer both network and web application vulnerability scan tools.
If organizations want to test their defense capabilities and gain deeper insight into their network environment, pentests are recommended. Every pentest report will differ with the size and scope of the organization, but a general methodology is always followed to ensure security best practices. For more information, check out this sample pentest report from Rhino Security Labs.