What is the difference between a penetration test and a vulnerability scan?
Penetration testing and vulnerability scanning are sometimes confused. After all, they sound as if they might do a similar job. But there are important differences.
Also known as vulnerability assessments, vulnerability scans assess computers, systems, and networks for security weaknesses, also known as vulnerabilities. The benefits of a vulnerability scan are obvious: quick, affordable and because they are automatic, they can be scheduled to run on a regular basis. To configure a vulnerability scan, you usually set up an account with an automated scanning tool and enter the details of the device (or devices) that you want to have scanned – and off you go.
But beware: vulnerability scans may provide false reassurance. They are a passive approach to vulnerability management, because they don’t go beyond reporting on vulnerabilities that are detected. The scans are generally of a prescribed nature, in that they are checking for known issues and patches according to a database. They do not inform about the potential exploitation of vulnerabilities nor how to reliably manage remedial action. By their very nature, they cannot understand or anticipate the complex ingenuity of sophisticated human hackers. It simply shows you where your weaknesses may be.
A penetration test on the other hand, simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities, which is why they are sometimes referred to as ‘ethical Hacks’. But unless properly scoped by experienced professionals, a penetration test is limited by what it is asked to do. Because it cannot think for itself. This is where the value of ‘scoping’ comes in. A correctly-scoped penetration test utilises the most important tool in the penetration test armoury: the human mind. A penetration tester will often start out with a similar set of tools, including the use of a vulnerability scan but this is where the penetration test deviates and begins to delve much deeper in the security of a network, applications and the underlying operating system.
A qualified penetration tester is able to think laterally; using both training and experience to analyse and synthesise. They will put themselves into the mind of a hacker and have the imagination to anticipate possible future weaknesses. Penetration testers provide a deep look into the data security of an organisation and typically, their reports are meticulously detailed and contain a description of attacks used, testing methodologies, and suggestions for remediation.
So how should you best use vulnerability scans and penetration tests? Well, ideally, both tests work together to encourage optimal network security. Vulnerability scans are great for a weekly, monthly or quarterly insight into your network security, while penetration tests are a very thorough way to really put your network security under the microscope. Of course, penetration tests are more expensive, but having a professional examine every nook and cranny of a business the way a real world attacker would, may save a great deal of money in the long run.