ANS Blog

Vulnerability Scan vs. Pen Test: What’s the Difference?

January 22, 2019 in Security Awareness

Why Security Testing is Important

Each day, organizations of every size are attacked from a multitude of angles and from all parts of the world. Many believe their network is safe because they have basic defenses, like a firewall and anti-virus software, in place. Yet very few have actually tested these defenses.

What so often isn’t realized is that the vast majority of cyberattacks aren’t specifically targeting individual organizations. Instead, hackers are remotely running bots (short for web robots) that scan the public internet for vulnerabilities. Because bots automate the attack process, they’re designed to seek out vulnerable, internet-facing systems on a large scale and break into as many devices as possible. This “outside-in” attack is one commonly used approach. Another extremely popular approach hackers use to exploit vulnerable systems is working from the inside out. This involves sending phishing emails or hijacking websites and waiting for an unsuspecting employee to interact with them and “click.” Armed with its malware-laden payload, the email or link then executes software designed to take advantage of a system vulnerability to gain access or encrypt a network device.

In either scenario, vulnerable network systems, typically ones that haven’t been properly patched or are configured incorrectly, become easier targets for cyber attackers.

Vulnerability Scanning versus Pen Testing: What’s the Difference?

There are two security assessments that are commonly recommended by security professionals to help organizations identify and remediate their security gaps. One of them is vulnerability scanning; the other is penetration testing (also called "pen testing"). There’s a substantial amount of confusion within the IT industry with regard to the difference between these two assessments, so much so that the two terms are often incorrectly used interchangeably.

While both assessments can play an important role in improving your organization’s security posture, they are two very different ways to test your systems for vulnerabilities. Before starting the process of hiring a vendor for either one or both of these security assessments, it is important to understand the differences between them to be sure that your organization is getting what it wants and needs based on your business requirements. For reasons explained below, a penetration test is significantly more expensive than a vulnerability scan. So, if you really only require a vulnerability scan, it may not be worth spending the additional money on a pen test.

Option 1: Vulnerability Scanning

Vulnerability scans provide a list of known, potential vulnerabilities detected in your systems, services, and applications, including ones caused by misconfigurations. These scans can be performed internally, from within the network, as well as from outside the network. After the scan completes, a report is generated in which each vulnerability is prioritized by severity and/or business criticality, along with remediation recommendations to reduce or remove the risk. Armed with the list of discovered vulnerabilities, an organization can apply the required updates and patches, remediate misconfigurations, and/or confirm that a potential vulnerability is really a false positive, then rerun the scan.

Vulnerability scans are usually performed using automated tools, with some manual support, and can take anywhere from several minutes to several hours to complete. As a result, they are a cost-effective assessment that can be scheduled to run quarterly, monthly, or even weekly. Once an initial vulnerability scan is run, its results provide a baseline for comparison with future scans as part of an ongoing vulnerability management program.

With all of this said, it’s important to underscore that vulnerability scanners work from a list of known vulnerabilities, meaning ones already known to the security community, hackers, and software vendors. There are still vulnerabilities that are unknown to the public at large, along with hundreds of thousands of new variants of malware (often referred to as zero-day threats), which a vulnerability assessment won’t find.
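The scan-then-rerun loop above (prioritize by severity and business criticality, suppress confirmed false positives, compare each new scan against the baseline) is easy to see in a small script. The following is an added example written for this post, not ANS’s own tooling or any scanner’s real report format: the finding records, check IDs, hosts, CVSS scores and asset criticality values are all constructed, and the priority formula (CVSS score times asset criticality) is one simple, assumed weighting rather than a standard.

```python
"""Compare two vulnerability-scan reports and rank the open findings.

Added example. The report format is a constructed, simplified stand-in
(hypothetical), not the output of any particular scanner.
"""

# Constructed sample data: one finding per (host, check_id) pair.
BASELINE_SCAN = [
    {"host": "10.0.0.5", "check_id": "CHECK-1001", "title": "Outdated TLS configuration", "cvss": 5.3},
    {"host": "10.0.0.5", "check_id": "CHECK-1002", "title": "Missing vendor patch", "cvss": 9.8},
    {"host": "10.0.0.8", "check_id": "CHECK-2001", "title": "Default credentials on admin page", "cvss": 7.5},
]
CURRENT_SCAN = [
    {"host": "10.0.0.5", "check_id": "CHECK-1001", "title": "Outdated TLS configuration", "cvss": 5.3},
    {"host": "10.0.0.8", "check_id": "CHECK-2001", "title": "Default credentials on admin page", "cvss": 7.5},
    {"host": "10.0.0.9", "check_id": "CHECK-3001", "title": "Unpatched remote code execution", "cvss": 9.1},
]

# Business criticality per asset (1 = low, 3 = high), as an asset owner would assign it (constructed).
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.8": 1, "10.0.0.9": 2}

# Findings confirmed as false positives in the previous cycle: suppressed, not treated as open.
FALSE_POSITIVES = {("10.0.0.8", "CHECK-2001")}


def cvss_severity(score):
    """Map a CVSS v3 base score to the standard qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def diff_scans(baseline, current):
    """Classify findings as new, resolved, or persistent, keyed by (host, check_id)."""
    base_keys = {(f["host"], f["check_id"]) for f in baseline}
    cur_keys = {(f["host"], f["check_id"]) for f in current}
    return {
        "new": sorted(cur_keys - base_keys),          # appeared since the baseline
        "resolved": sorted(base_keys - cur_keys),     # fixed (or no longer detected)
        "persistent": sorted(base_keys & cur_keys),   # still open: remediation overdue
    }


def prioritize(current, criticality, false_positives):
    """Rank open findings by CVSS score weighted with asset criticality (assumed weighting)."""
    ranked = []
    for f in current:
        key = (f["host"], f["check_id"])
        if key in false_positives:
            continue  # confirmed false positive: do not re-report it every cycle
        crit = criticality.get(f["host"], 1)  # unknown assets default to low criticality
        ranked.append({
            **f,
            "severity": cvss_severity(f["cvss"]),
            "priority": round(f["cvss"] * crit, 1),
        })
    # Highest priority first; host and check_id break ties deterministically.
    ranked.sort(key=lambda r: (-r["priority"], r["host"], r["check_id"]))
    return ranked


if __name__ == "__main__":
    delta = diff_scans(BASELINE_SCAN, CURRENT_SCAN)
    for bucket, keys in delta.items():
        print(f"{bucket:10s} {keys}")
    for r in prioritize(CURRENT_SCAN, ASSET_CRITICALITY, FALSE_POSITIVES):
        print(f"{r['priority']:5.1f} {r['severity']:8s} {r['host']:10s} {r['check_id']} {r['title']}")
```

The "persistent" bucket is the one worth watching between cycles: a finding that survives several scans is either a remediation that never happened or a false positive that was never confirmed, and both should be resolved explicitly rather than left to pad every report.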

Option 2: Penetration Testing

Unlike vulnerability scanning, which is automated, high-level testing that looks for and reports potential vulnerabilities, penetration testing is a more exhaustive, live examination designed to prove that vulnerabilities can actually be exploited. Also known as “ethical hacking,” pen testing is a systematic, highly defined test with specific parameters. It allows an organization to safely measure how well its security posture and controls will stand up to real, concerted internal and external threats. It’s a goal-oriented exercise that uses a combination of automated and manual methods to determine whether unauthorized access to information assets is possible. These tests are carried out by highly experienced, technical security analysts who use the same techniques as hackers. Typically, the reports generated for pen tests are long and highly detailed, and contain a description of the attacks used, the methodologies, and suggestions for remediation. Because of their complexity, they are designed to be performed annually (or after any significant change to the network), can take anywhere from days to weeks to complete and, due to their depth, are much more expensive.

Vulnerability Scans vs. Pen Testing: Which One is Better?

So, is a penetration test better than a vulnerability scan? It depends on what goals and objectives you intend, or need, to accomplish.

Depending upon the industry you operate in, completion of one or both of these assessments can be required for regulatory compliance (PCI-DSS, HIPAA, GLBA and Sarbanes-Oxley, among others). And while performing and “passing” these assessments in no way guarantees security, performing them can definitely provide higher levels of validated insight into the security risks actually facing your organization.

Penetration testing is a very aggressive approach to finding and removing very specific vulnerabilities. It’s typically more useful when an organization’s security maturity level is high, meaning that it has a strong security posture but needs to check whether or not it’s actually hack-proof. So, generally speaking, a pen test makes more sense where depth of vulnerability coverage, rather than breadth, is needed. Smaller organizations, working with limited resources, will often perform an asset-focused analysis to decide whether or not a pen test makes the most sense. This approach focuses on identifying the assets that are most likely to be targeted by an attacker, what their value is, and what the impact of their loss would be. Logically, you wouldn’t spend $50,000 on an asset worth $5,000, nor would you skimp when it comes to protecting millions of dollars’ worth of digital assets; your level of investment in testing should be commensurate with the value of what you’re protecting. With that said, regularly performed internal and external vulnerability scans, conducted using industry-leading management tools, can help small to mid-sized organizations cost-effectively manage the highest-priority vulnerabilities that place their business systems at risk.

If you are interested in learning more about our security assessment services, contact us for a no-obligation consultation. Our cost-effective cybersecurity testing and programs are designed specifically for small to mid-size organizations. We provide all the tools and actionable intelligence you need to meet regulatory requirements and focus your network security resources on issues with the highest business impact.