Vulnerability Scanning and Penetration Testing - same thing, right?

Unless cyber security is your key focus, you can be forgiven for assuming vulnerability scanning and penetration testing as the same service, with similar output. They can be considered as two sides of the same coin, but there are key differences. Both have the same overall goal, to maintain a strong security posture and are called out as requirements in major industry and geopolitical regulatory frameworks such as PCI, HIPAA, and ISO 27001. However, each requires a different approach and tooling, and each provides different benefits and outputs.

What is vulnerability scanning?

Vulnerability scanning is a service that scans computers, systems, and networks for known security weaknesses, known as vulnerabilities. These can be unpatched operating systems or applications, misconfigurations, or usage of unsafe, retired protocols. Scans should be automated and run on a scheduled basis with frequency dependent on business needs, but at least once a month. Output is presented as a report that leverages CVSS (Common Vulnerability Scoring System) to provide a risk-based criticality score, often using traffic light marking to group discovered vulnerabilities in Critical, High, Medium, Low, and Informational sets. It helps to prioritise which weaknesses should be dealt with first. The report should also highlight what has changed since the last scan.

Benefits:

• Value for money - for a modest price, organisations receive an automated service that identifies vulnerabilities within hours, requiring minimal maintenance
• Easy to deploy - most services simply require an appliance to be deployed within the company network, some also provide an OS agent option
• Can be run at any time, with no impact on live services

Limitations:

•  False positives may occur
•  Most services do not provide any indication as to whether discovered vulnerabilities are exploitable
•  No automated fix included, therefore patching or misconfiguration changes require a manual intervention or a separate tool

What is penetration testing?

Penetration testing is a service that simulates a hacking attempt to gain access into a business system or application, using deep knowledge of cyber security, existing vulnerabilities, and a set of sophisticated tools. Testing is performed by a skilled operator – known as an ethical hacker. The objective is to discover weakness in the target system and to exploit it to gain access inside company services to establish what further steps can be taken. The scope of the penetration testing is usually narrow, quite often down to a specific application, asset, or service.

The aim of the test is to provide a detailed report on all target vulnerabilities, including exploits and fixes. All new public services should be tested before going live and re-tested after every major change or at least once a year. Existing internet-facing services should be assessed at least once a year as well as after each major change.

Benefits:

•  Accurate information on service exploitable vulnerabilities with no false positives
•  Details on what data can be compromised
• Guide on how to remediate discovered weaknesses

Limitations:

• Can be expensive due to the required knowledge and tooling and time
•  Rarely viable to test all services and applications in one go due to the cost
•  Testing can take days or weeks (depending on the scope)
•  Testing can cause issues/outages of tested services and network devices

Summary

To conclude, vulnerability scanning can be compared to an analysis of how secure your house is, for example if any doors and windows (ingress points) are unlocked or easy to force open. Penetration testing takes several steps further, whereby a professional will attempt to break and enter the house, establish the value of the contents and how to remove (exfiltrate) them.