A common question asked by our clients is “Should we have a vulnerability scan or a penetration test, and what’s the difference?” While both aim to identify security weaknesses, they differ in scope, depth and results. In this article we answer this question and detail the benefits of each.
What is a vulnerability scan?
A vulnerability scan is an automated process in which software identifies security weaknesses across a network or application by matching what it observes against a database of known vulnerabilities. The tools are regularly updated with the latest vulnerabilities, periodically scan the company’s assets for new threats and alert the security or support team.
Vulnerability scans can be run daily, weekly, monthly or ad hoc, allowing new vulnerabilities to be discovered quickly and patched before they are exploited. This makes them cost effective: once you have purchased and deployed the software, you can run it as many times as you want until the licence expires (terms vary by vendor).
Typically, vulnerability scans are safe to run on the network as they do not actually exploit any discovered vulnerabilities. This minimises the risk to the systems and services.
The downside of vulnerability scanning is that it can produce a large volume of false positives and cannot detect vulnerabilities that are not in its database. I like to think of a vulnerability scan as an “if this, then that” approach. For example, if the scanner detects OpenSSH 7.4 running on a system, it will report every vulnerability in its database that the system could be vulnerable to based on the SSH version alone. While useful, it does not take other aspects into consideration or attempt to validate the findings.
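To make that version-matching logic concrete, here is an added illustration (not code from this article or from any scanner vendor): a minimal banner matcher over a constructed database with placeholder identifiers. The sample banners, the `KNOWN_ISSUES` entries and the `triage` helper are all assumptions made for the example; the point it shows is that a distribution build reporting version 7.4, which may already carry backported fixes, receives exactly the same findings as an unpatched 7.4, so the results need validation before they are treated as real.

```python
import re

# Constructed sample "vulnerability database" (placeholder IDs, not real CVEs):
# each entry says which OpenSSH versions are affected, as [affected_from, fixed_in).
KNOWN_ISSUES = [
    {"id": "EXAMPLE-0001", "affected_from": (6, 0), "fixed_in": (7, 5)},
    {"id": "EXAMPLE-0002", "affected_from": (7, 0), "fixed_in": (7, 4)},
    {"id": "EXAMPLE-0003", "affected_from": (7, 4), "fixed_in": (8, 0)},
    {"id": "EXAMPLE-0004", "affected_from": (8, 2), "fixed_in": (8, 5)},
]

# Upstream major.minor in an SSH banner, e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7".
BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)")
# A distribution suffix means the vendor may have backported fixes without changing the version.
DISTRO_RE = re.compile(r"\b(Debian|Ubuntu)-")


def parse_banner(banner):
    """Return (major, minor) from the banner, or None if it is not an OpenSSH banner."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_matches(banner):
    """The 'if this version, then that finding' step: every database entry whose
    affected range contains the banner version is reported, with no validation."""
    ver = parse_banner(banner)
    if ver is None:
        return []
    return [i["id"] for i in KNOWN_ISSUES if i["affected_from"] <= ver < i["fixed_in"]]


def triage(banner):
    """Defender-side triage (assumed helper): keep the raw findings but flag banners
    that need manual validation because a distro build may carry backported fixes."""
    return {
        "version": parse_banner(banner),
        "findings": version_matches(banner),
        "validate_manually": bool(DISTRO_RE.search(banner)),
    }


if __name__ == "__main__":
    # Constructed sample banners, as a scanner would record them from a service.
    for b in ["SSH-2.0-OpenSSH_7.4",
              "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
              "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
              "SSH-2.0-dropbear_2019.78"]:
        print(b, "->", triage(b))
```

Both 7.4 banners produce identical findings; only the triage flag tells the analyst which one needs a closer look.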
What is a penetration test?
A penetration test is a security assessment conducted by a pentester or ethical hacker. Pentesters are trained to simulate cyberattacks against an organisation’s infrastructure, applications and even employees to identify risks, weaknesses and vulnerabilities. These findings are then reported and presented to the organisation along with actionable remediation advice.
When a pentester conducts an assessment, they use a combination of manual and automated attack techniques, including a vulnerability scanner, to identify vulnerabilities. This approach provides accurate and validated findings. The manual approach to assessing a target allows new vulnerabilities to be discovered and lets the tester use their experience and intuition to identify real-world risks.
Because pentesting is a manual process, it is typically conducted quarterly or annually, as the cost of a pentest is often higher than that of a vulnerability scan. A pentest is referred to as a “snapshot in time” assessment: the findings are only accurate at the time of the test. If the network or application changes once the assessment is complete, the findings could be invalidated and the organisation exposed to new vulnerabilities. Regular pentesting is recommended to mitigate this risk.
So, which is better?
Both vulnerability scanning and pentesting have a place in helping to secure organisations. The decision on which is better or more relevant depends on an organisation’s security posture and risk profile.
If an organisation has never had a pentest or vulnerability scan before, running a vulnerability scan will quickly highlight any high-risk areas so they can be patched and mitigated quickly. However, it will not provide full insight into the organisation’s potential risk. A pentest would be required to gain a deeper understanding of the organisation’s attack surface and vulnerabilities.
Many clients are implementing a hybrid of the two: annual penetration tests of the infrastructure and applications, plus monthly vulnerability scans. This approach ensures that if a vulnerability is discovered, it is detected and resolved before the next annual assessment.

Conclusion
Both pentesting and vulnerability scanning play crucial roles in an organisation’s cyber security strategy. While pentesting offers a more in-depth, hands-on approach to identifying vulnerabilities, vulnerability scanning provides a quick and efficient way to detect known security issues.
When Securebytes consultants conduct a penetration test for a client, vulnerability scanning is used in conjunction with manual enumeration and validation of any findings to ensure clients are being provided with accurate and comprehensive results.
For more information or to discuss further please contact us at info@securebytes.co.uk or visit https://securebytes.co.uk/contact-us.