One of the biggest sources of confusion in the world of internet security is the difference between a vulnerability scan and a penetration test, also referred to as a pen test. This confusion has led to many businesses being sold a vulnerability scan under the guise of a pen test – putting their security system at risk in the process.
Internet security is as important as ever, especially with the recent bouts of ransomware attacks that have been widely reported in the media. For that reason, and for the ongoing security of your business, it is important to know the difference between a vulnerability scan and a pen test, two essential but very different components of comprehensive business security.
A vulnerability scan is designed to search for potential vulnerabilities within your systems, normally using standard off-the-shelf software. The scan targets one or more IP addresses and checks them for known types of vulnerabilities: flawed or outdated software, missing patches, or weaknesses in how a system has been built or configured.
If there is flawed software or misconfigured assets, a vulnerability scan is very likely to pick up on it. After the scan you receive a report listing each finding, normally with a severity rating and often a brief outline of how to fix it. What the report cannot tell you is whether a given finding is actually exploitable in your environment, or what an attacker could do with it once exploited.
The results of a vulnerability scan provide a clear focus on where the technical vulnerabilities are within the organisation. With this information the organisation can create a patch management plan that enables them to manage, understand and control the open vulnerabilities that could impact their business.
A pen test is a different exercise and produces a far more thorough picture of the state of your security. In practice a pen test picks up where the vulnerability scan ends: it digs into what is actually wrong with your systems and establishes where, and how, the weaknesses can be exploited.
A professional pen tester replicates what a hacker would do when trying to gain unauthorised access to your systems. The pen tester builds a clear picture of the architecture of your environment and then attempts to break into it, just as a real attacker would.
The purpose is partly to find where sensitive information can be retrieved, but also to give you a full and detailed report on the security of your systems: where the biggest weak points are, and where your defences hold up. Testing at this level is highly technical, and many pen testers develop their own tools in order to analyse the varied systems they encounter.
A penetration test provides a clear and controlled understanding of what the business impact would be if a hacker used an open vulnerability to stage an attack.
An IT manager is aware of an open vulnerability on one of the backend database systems and has been meaning to mitigate it through patching or a software upgrade. Due to time constraints, or because the business has not approved the downtime needed for patching, this has not been completed. The IT manager is not overly concerned, because the vulnerable system has no direct internet exposure and sits on its own network segment.
During a penetration test, the ethical hacker gained access to the internal network through a vulnerability in the perimeter firewall that the IT department did not know about. The network separation between the internal network and the backend segment was misconfigured, so the ethical hacker was able to reach the backend database without passing through any perimeter security device such as a firewall. Using the open vulnerability, the ethical hacker then dumped the data stored in the database. Unfortunately, the data in this instance was sensitive in nature: its exposure could damage the reputation of the organisation and attract heavy regulatory fines. Armed with this information, which a vulnerability scan alone would never have surfaced, the IT manager can now articulate the business risk and its impact to senior management, and has the full backing of the board and the required budget to get the vulnerability fixed.
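The scenario above, and the contrast with the severity-ranked report a scan produces, can be illustrated with a small attack-path model. This is an added example written for this page, not code from the original article or from any scanning product: the hosts, network segments, findings and firewall rules are all constructed for illustration and are not real identifiers, products or CVEs. The scan report simply ranks findings by severity; the pen-test view asks which hosts an attacker starting on the internet can actually compromise in turn, pivoting through each one's network segments.

```python
# Added example: a toy attack-path model contrasting what a vulnerability scan
# reports (findings ranked by severity) with what a penetration test shows (a
# chain of reachable, exploitable hosts). Every host, segment, finding and
# firewall rule below is constructed for illustration only.

# One entry per host: the segments it sits on and the scanner's findings.
# "foothold" marks a finding the tester could actually use to take over the host.
HOSTS = {
    "fw-edge": {
        "segments": {"perimeter", "internal"},  # a perimeter device bridges both
        "findings": [{"title": "unpatched firewall management service",
                      "severity": "high", "foothold": True}],
    },
    "web-01": {
        "segments": {"dmz"},
        "findings": [{"title": "outdated TLS configuration",
                      "severity": "medium", "foothold": False}],
    },
    "db-backend": {
        "segments": {"backend"},
        "findings": [{"title": "unpatched database server",
                      "severity": "critical", "foothold": True}],
    },
}

# Which segment may open connections into which (the firewall/ACL policy).
# The "internal" -> "backend" rule is the segmentation misconfiguration that
# the pen test in the text relied on.
MISCONFIGURED_FLOWS = {
    "internet": {"perimeter", "dmz"},
    "perimeter": set(),
    "dmz": set(),
    "internal": {"backend"},
    "backend": set(),
}

# The intended policy: nothing on the flat internal network may reach backend.
CORRECTED_FLOWS = {**MISCONFIGURED_FLOWS, "internal": set()}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def scan_report(hosts):
    """What a vulnerability scan delivers: every finding, ordered by severity."""
    rows = [(name, f["title"], f["severity"])
            for name, h in hosts.items() for f in h["findings"]]
    return sorted(rows, key=lambda r: SEVERITY_RANK[r[2]])


def attack_path(hosts, flows, entry="internet"):
    """What a penetration test delivers: the hosts an attacker starting in
    `entry` can compromise in turn, gaining each host's segments as new
    vantage points to attack from."""
    positions = {entry}      # segments the attacker can send traffic from
    compromised = []
    progress = True
    while progress:
        progress = False
        for name, h in hosts.items():
            if name in compromised:
                continue
            reachable = any(seg in flows[pos]
                            for pos in positions for seg in h["segments"])
            exploitable = any(f["foothold"] for f in h["findings"])
            if reachable and exploitable:
                compromised.append(name)
                positions |= h["segments"]   # pivot onto the host's networks
                progress = True
    return compromised


if __name__ == "__main__":
    print("Scan report (ranked by severity):")
    for host, title, sev in scan_report(HOSTS):
        print(f"  [{sev:8}] {host}: {title}")
    print("Pen test, segmentation misconfigured:",
          attack_path(HOSTS, MISCONFIGURED_FLOWS))
    print("Pen test, segmentation corrected:   ",
          attack_path(HOSTS, CORRECTED_FLOWS))
```

The scan ranks the database first because its finding is rated critical, but says nothing about whether anyone can reach it. The attack path starts from the merely "high" firewall finding and ends at the data. Breaking either link, by patching the firewall or by correcting the internal-to-backend rule, removes the path even while the database remains unpatched, which is the business-impact view a scan alone cannot give.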
To conclude, a vulnerability scan highlights the technical vulnerabilities and gives you the input for a patch management plan. A penetration test exposes the true business impact of those open vulnerabilities.
When you break the two processes down, they are very different. Yet many businesses fall into the trap of paying for a 'cheap' pen test that is actually a vulnerability scan in disguise. A useful tell is the report: a scanner export listing findings and severities, with no evidence of what was actually exploited or how one weakness led to the next, is a scan, whatever it was sold as. When it comes to which is best for your business, both are essential to maintain comprehensive security, which is why you must make sure that the pen test you are paying for is actually a pen test, not an off-the-shelf vulnerability scan.
If you’re ever uncertain what exactly it is that you’re paying for, just remember: vulnerability scans find weaknesses and penetration tests exploit them.