Monthly Archive December 2016

What is the difference between a penetration test and a vulnerability scan?

Penetration testing and vulnerability scanning are sometimes confused. After all, they sound as if they might do a similar job. But there are important differences.

Also known as vulnerability assessments, vulnerability scans assess computers, systems and networks for security weaknesses, also known as vulnerabilities. The benefits of a vulnerability scan are obvious: it is quick and affordable, and because it is automated it can be scheduled to run on a regular basis. To configure a vulnerability scan, you usually set up an account with an automated scanning tool and enter the details of the device (or devices) that you want scanned – and off you go.

But beware: vulnerability scans may provide false reassurance. They are a passive approach to vulnerability management, because they do not go beyond reporting the vulnerabilities they detect. The scans are generally of a prescribed nature, in that they check for known issues and missing patches according to a database. They do not tell you whether a vulnerability can actually be exploited, nor how to reliably manage remedial action. By their very nature, they cannot understand or anticipate the complex ingenuity of sophisticated human hackers. A scan simply shows you where your weaknesses may be.
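To make the "prescribed nature" concrete, here is an added example (written for this page, not SRM's tool or code) of the core of a version-matching vulnerability scanner: it parses service banners and compares the reported version against a database of known-vulnerable versions. Every product name, advisory note, banner and address below is constructed for illustration. It also shows one well-known caveat of this approach: a vendor build that backports a fix without changing the version number (the `-3+deb9u1`-style suffix, constructed here) looks identical to an unpatched one, so the scanner can only lower its confidence, not decide.

```python
"""Added example: a toy database-driven vulnerability scanner.

Constructed throughout: the products, advisory notes, banners and hosts are
illustrative and do not refer to real software or real advisories.
"""
import re
from dataclasses import dataclass

# Constructed signature database: product -> [(fixed_in_version, note)].
# A real scanner ships thousands of entries tied to vendor advisories.
SIGNATURES = {
    "ExampleHTTPd": [((2, 4, 30), "EXAMPLE-0001: remote code execution, fixed in 2.4.30")],
    "ExampleSSH":   [((7, 9, 0),  "EXAMPLE-0002: user enumeration, fixed in 7.9")],
}

# Banner shape assumed here: "<Product>/<dotted version><optional distro suffix>"
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)(?P<suffix>\S*)")


@dataclass
class Finding:
    host: str
    product: str
    version: str
    note: str
    confidence: str  # "high" for a plain upstream version, "low" when a distro suffix is present


def parse_version(text):
    """'2.4.18' -> (2, 4, 18); tuples compare component by component."""
    return tuple(int(part) for part in text.split("."))


def scan_banner(host, banner):
    """Return the Findings for one banner, or [] when nothing in the database matches."""
    match = BANNER_RE.match(banner)
    if not match:
        return []  # unrecognised banner: a scanner can only report what it can parse
    product = match.group("product")
    version = match.group("version")
    suffix = match.group("suffix")
    findings = []
    for fixed_in, note in SIGNATURES.get(product, []):
        if parse_version(version) < fixed_in:
            # A vendor suffix often means the fix was backported without a version
            # bump; the banner alone cannot settle it, so confidence drops.
            confidence = "low" if suffix else "high"
            findings.append(Finding(host, product, version, note, confidence))
    return findings


def scan(inventory):
    """inventory: {host: [banner, ...]}. Returns every Finding across all hosts."""
    results = []
    for host, banners in inventory.items():
        for banner in banners:
            results.extend(scan_banner(host, banner))
    return results


# Constructed inventory: addresses and banners are placeholders.
INVENTORY = {
    "10.0.0.5": ["ExampleHTTPd/2.4.18", "ExampleSSH/7.4"],
    "10.0.0.6": ["ExampleHTTPd/2.4.18-3+deb9u1"],  # vendor-patched build, same version string
    "10.0.0.7": ["ExampleHTTPd/2.4.41", "ExampleSSH/8.2"],
}

if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f.host:10} {f.product}/{f.version:16} {f.confidence:5} {f.note}")
```

Running it reports two high-confidence findings on the first host, one low-confidence finding on the second and nothing on the third. Notice what the output cannot contain: whether the flagged service is actually reachable or exploitable in this network, and any weakness that has no version signature at all (a logic flaw in a checkout, a weak credential). Those are exactly the gaps the rest of the post leaves to a human tester.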

A penetration test, on the other hand, simulates a hacker attempting to get into a business system by exploiting vulnerabilities, which is why it is sometimes referred to as an ‘ethical hack’. But unless properly scoped by experienced professionals, a penetration test is limited by what it is asked to do, because it cannot think for itself. This is where the value of ‘scoping’ comes in. A correctly scoped penetration test utilises the most important tool in the penetration tester’s armoury: the human mind. A penetration tester will often start out with a similar set of tools, including a vulnerability scan, but this is where the penetration test deviates and begins to delve much deeper into the security of the network, its applications and the underlying operating system.

A qualified penetration tester is able to think laterally, using both training and experience to analyse and synthesise. They will put themselves into the mind of a hacker and have the imagination to anticipate possible future weaknesses. Penetration testers provide a deep look into the data security of an organisation, and their reports are typically meticulously detailed, containing a description of the attacks used, the testing methodologies and suggestions for remediation.

So how should you best use vulnerability scans and penetration tests? Ideally, the two work together to deliver optimal network security. Vulnerability scans are great for a weekly, monthly or quarterly insight into your network security, while penetration tests are a very thorough way to really put your network security under the microscope. Of course, penetration tests are more expensive, but having a professional examine every nook and cranny of a business the way a real-world attacker would may save a great deal of money in the long run.

A Cautionary Christmas Tale

‘Twas the night before Christmas, and all through the house,
Not an iPad was stirring, nor PC or mouse;

The shopping had been done on the internet with care,
In hope that the presents soon would be there;

The payments were processed, at least in their heads,
Until they found out their account was in shreds;

What should have resulted in toys in gift wrap
Had led them into an elaborate trap;

The fraudsters had found an outdated website
And changed the checkout so it wasn’t quite right;

Away to the next site, Dad went like a flash,
Not knowing his card was in the fraudsters’ stash;

The website looked fine but ‘twas misdirection;
He’d fallen foul of Sequel Injection;

The site wasn’t bad, that should be made clear,
But the standards ignored, no PCI here;

With hackers so many, so lively and quick,
The change was so easy, it was done in a click;

So please spare a thought, when you next do your shopping,
And check that the site that you found while you’re hopping

Is up to the standard to which we’re reliant,
And make sure it’s one that is PCI compliant.
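The ‘Sequel Injection’ in the tale is the classic checkout flaw: user input spliced straight into an SQL string. Below is an added example (written for this page, not code from SRM or from any real shop) showing that pattern beside its parameterised fix, run against a constructed in-memory SQLite table so it can be tried offline. The table, the customer values and the probe string are all made up for illustration.

```python
"""Added example: a checkout-style lookup, vulnerable and hardened.

Constructed throughout: the schema, rows and inputs are illustrative only.
"""
import sqlite3


def make_db():
    """Build a constructed in-memory orders table with two customers' orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total_pence INTEGER)"
    )
    conn.executemany(
        "INSERT INTO orders (customer, total_pence) VALUES (?, ?)",
        [("dad@example.invalid", 4999), ("someone-else@example.invalid", 12000)],
    )
    conn.commit()
    return conn


def order_totals_vulnerable(conn, customer):
    """The outdated pattern: the input becomes part of the SQL text itself."""
    sql = "SELECT customer, total_pence FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def order_totals_safe(conn, customer):
    """Parameterised query: the driver passes the value as data, never as SQL."""
    sql = "SELECT customer, total_pence FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Constructed probe: closes the quoted string and widens the WHERE clause.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    # The vulnerable lookup returns every row; the safe one finds no such customer.
    print("vulnerable:", order_totals_vulnerable(conn, PROBE))
    print("safe:      ", order_totals_safe(conn, PROBE))
    print("safe, real customer:", order_totals_safe(conn, "dad@example.invalid"))
```

The same probe that turns the concatenated query into “match every order” is just an odd customer name to the parameterised one. The fix is not input filtering on the checkout page but never letting untrusted text become query syntax, which is the kind of secure-coding discipline the tale’s closing plea for PCI compliance is asking shoppers to expect.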


Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

SRM Blog