vulnerability scan vs pen testing

The difference between a penetration test and a vulnerability scan

May 19th, 2021 Posted in Information Security

Finding, understanding and remediating security vulnerabilities is essential for a mature cyber security posture and strong cyber resilience. Whenever a big-name organisation suffers a security breach, you will commonly see them refer to themselves as being the victim of a ‘sophisticated cyber-attack’.

In truth, the initial foothold gained by their attacker often comes from exploitation of a known vulnerability the victim organisation could have remediated. This is why strategies like vulnerability scans and penetration tests are so important in business.

At a high level, both services aim to discover potential weaknesses that can be exploited by cyber threat actors – such as missed security patches, misconfigurations, and missing updates on company servers, computers and other devices. Identifying and fixing these vulnerabilities requires a systematic and detailed programme of identification and remediation. It’s not the most exciting task, but it is critical. A good vulnerability management process should consist of a combination of systematic scanning, using automated tooling, and regular manual penetration testing and prioritised remediation.

The vulnerability management process should enable organisations to know what vulnerabilities are present within their IT estate, where they are carrying risk, and when vulnerabilities will be fixed. Executive staff should be as aware of the major vulnerabilities in their organisation as they are of their financial status.

Penetration testing and vulnerability scanning are often confused, however, and some organisations rely solely on scanning and think that is sufficient, whereas others carry out an annual penetration test and consider that sufficient. Misunderstanding these services can lead to security gaps. This, in turn, increases the risk of a data breach, so it’s crucial to understand the differences.

One way to think of the difference between a penetration test and a vulnerability scan is to imagine an intruder trying to break into your home. They may walk past your house, looking for open doors and windows that offer easy access. This is like vulnerability scanning: it’s quick, simple to do, and focuses on obvious weaknesses.

A more determined intruder could walk up to your house, push against locked doors and windows to check for access, and then go a step further to gain entry. For example, they may pick a lock with different tools until they get in, and then see where this access point takes them. This is like penetration testing because it is more detailed, more in-depth, and accesses areas that you may have thought were safe.

Let’s take a further look below.

Vulnerability Scan 101

Definition:  A vulnerability scan is an automated process to proactively identify security weaknesses in a network or individual system. Vulnerability assessments are usually performed with a commercial scanning tool such as Nessus or Qualys or with an open-source equivalent such as OpenVAS.  Because the search is done without human intervention, these scans can be quick and vast. Once complete, the tool creates a list of security flaws for the IT team to remediate. These are typically prioritised based on the CVSS 3.1 vulnerability scoring methodology, which helps to prioritise the remediation work required. The list of vulnerabilities is typically very long, as it includes every possible or potential issue identified without human verification.

Benefits

  • Important for compliance: Regular vulnerability assessment and management is considered a foundational security control. A personal data breach caused by the exploitation of a vulnerability that could have been picked up and prevented through scanning is, for example, likely to be a breach of Article 32 of the General Data Protection Regulation (“GDPR”). Likewise, Payment Card Industry Data Security Standard (“PCI DSS”) compliance requires quarterly scanning of the Cardholder Data Environment.
  • Reduces risk: External infrastructure is constantly being scanned and probed by attackers to try and find a foothold, and new vulnerabilities are being discovered all the time. Once inside your network, attackers will seek to exploit vulnerabilities to move from their entry point to access your most sensitive data. By regularly checking the health of networks and services, they help companies find and fix weaknesses before cyber threat actors take advantage of them.
  • Quick and repeatable: Automation requires little human intervention and works at high speed. It’s therefore easy to incorporate these tools into the business and run regular scans.

Shortcomings

  • False positives: The speed of the service means that velocity sometimes trumps accuracy. Scans can produce lengthy reports for IT staff to go through, only to find that many of the red flags are, in fact, false positives. The scanning is the fast part, validating the vulnerabilities that apply, prioritising them and fixing them takes longer. To understand the likelihood of a vulnerability being exploited, you’ll need a human who knows your environment to review the vulnerability in the context of your organisation. This can be slow and require specialist security knowledge.
  • Unfound vulnerabilities: It’s unlikely a scan will find every weakness. This may be because the vulnerability is too complex or newly discovered. Regardless, unknown vulnerabilities leave businesses open to exploitation. Plus, a scanner also doesn’t apply heuristic thinking. Sometimes attackers will use a combination of vulnerabilities which, together, make the risk much higher than when viewed in isolation.
  • Generic remediation guidance: Once the list of vulnerabilities is received, it will typically come with generic remediation information that the organisation will need to validate and then work out how to apply in the context of their systems.

Penetration Testing 101

Definition: A penetration test is a live test of the effectiveness of security defences through mimicking the actions of real-life attackers.  It’s often referred to as “ethical hacking” because the penetration tester essentially simulates the techniques and tactics used by cyber attackers.

Penetration testing is carried out using a combination of automated and manual techniques. Tests typically start with reconnaissance, whereby the tester searches for open-source intelligence about the target organisation and users to use during the testing, as an attacker would. The tester will then scan the target systems and apps using a combination of tools.

These tools will include vulnerability scanners, but the results from the scans are used to identify potential vulnerabilities to be manually tested using various techniques. Even though penetration testing utilises scanning, the testing goes above and beyond vulnerability scanning, by applying real-world, manual tactics that cyber attackers could use to compromise security.

Once the test is complete, the pen-testers provide a detailed report of the vulnerabilities found, including advice on how to make the business safer. They prioritise their advice based on the potential severity of the issues identified, typically by reference to CVSS 3.1 and their own real-world experience.

For a deep dive into penetration testing, read our Guide here.

Benefits

  • Validation: In comparison to vulnerability scans, penetration tests are much more meticulous and in-depth. They provide assurance and validation that defences are resilient, that identified vulnerabilities are applicable and provide actionable guidance on steps required to fix the problems.
  • Reduces the likelihood of a data breach: In discovering weaknesses and advising on how to fix them, they significantly reduce the likelihood of a harmful cyber-attack by providing organisations with the information they need to remediate the issues and/or manage the risks.
  • Important for compliance: We noted article 32 of the GDPR above. This makes pen-testing an important part of an organisation’s compliance activities. Likewise, penetration testing is an expectation within PCI DSS.
  • Fulfils supply chain obligations: More and more supplier contracts are mandating annual pen-testing of systems to ensure the entire supply chain is secure. Copies of penetration testing reports are increasingly being requested during supplier due diligence exercises as well.

Shortcomings

  • Finding a provider you trust: Penetration testing invites a third-party to find flaws in your systems. It’s therefore essential to find a supplier you have confidence in, and whose pen-testers are certified.
  • Time-consuming: The manual nature of pen-testing means it takes longer than a vulnerability scan. However, the length and intensity of the activity directly relates to the validation of the output.

What does your organisation need?

The answer is both. Because vulnerability scans are quick and automated, they are a useful tool for regular cyber security health check-ups. However, they don’t offer the depth and assurance of pen-testing.

To confidently protect your business, both services should be used in tandem. Vulnerability scans are a good maintenance procedure and should be carried out once a month. A penetration test should be conducted at least annually.

Finally, it’s important to note that vulnerability scans and penetration tests are not an end in themselves, but a way to identify flaws that then need to be remediated. This is known as vulnerability management. We advise organisations start this process by fixing weaknesses that are most urgent – for example, those that are accessible to a large number of potential attackers, and/or which will have the largest impact if exploited. Learn more about when you might need a penetration test here. It’s important to remember some key points when choosing a pen testing partner. One of these key factors to research is qualifications – you should be looking for a company that has cyber essentials certificates.

Need help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat.

AH Headshot 250x250

Written by Alex Harper

Alex is a senior security consultant, specialising in security testing of IT infrastructure, web applications and mobile applications. He started his career as a software developer before moving into ethical hacking and security consulting. His qualifications include Cyber Scheme Team Leader (CSTL), Offensive Security Certified Professional (OSCP) and Qualified Security Team Member (QTSM).