Two of the most common questions clients ask are: What’s the difference between a vulnerability scan and penetration test and what option is best for my company? The differences between a vulnerability scan and penetration test are often confused. Let’s take a look at the key differences between the two options and paint a clearer picture on what option you should choose for your company.
|Vulnerability Scanning||Penetration Testing|
|Definition||Vulnerability scanning, also known as a vulnerability assessment, is the process of scanning for known vulnerabilities in a network using automated tools, such as Nessus, Nexpose, or OpenVAS.||Penetration testing, also know as pentesting or ethical hacking, is the process of scanning and exploiting vulnerabilities on a network through automated and manual methods.|
|Methodology||An engineer will run a vulnerability scan against a defined scope on an internal or external network. The engineer will compile a report based on the vulnerability scan findings.||An engineer will go beyond the vulnerability scan and attempt to find additional vulnerabilities through manual testing. The engineer will also attempt to exploit all vulnerabilities found in hopes of breaking into systems and gaining sensitive access.|
|Pros||1) Helps identify risks and vulnerabilities and patch management|
2) Cost-effective (around $1,000-$5,000)
3) Allows for risk prioritization. Defenders can address high-priority risks first.
|1) Hands-on approach that goes beyond automation|
2) Confirms exploitation and helps reduce false positives
3) Potentially identifies previous network compromises
4) Assists defenders with identifying scans and attacks to fine-tune the SIEM
|Cons||1) Fully automated, with no “hands-on” approach|
2) Higher likelihood of false positives due to no engineer verification
3) Not guaranteed to scan or identify all systems in the network
|1) Significantly more expensive than a vulnerability scan, depending on network size and scope|
2) Not guaranteed to find and exploit all vulnerabilities in a network
3) Only a snapshot in time. A new vulnerability could arise after testing.
|Testing Frequency||Many compliance standards, such as HIPAA and PCI-DSS dictate for quarterly vulnerability scanning. It is also recommended to scan all critical devices monthly and all new devices fully prior to being brought online.||At a minimum, it is recommended that companies conduct a penetration test on a yearly basis. However, some compliance standards dictacte that testing be performed at a higher rate, such as bi-annually.|
The chart above identifies vulnerability scanning as a highly automated process, that is quick to perform, relatively cheap, and will help address potential high-risk vulnerabilities. Vulnerability scanning also helps with patch management and prioritization. Vulnerability scans are a great way to identify quick patching.
Often, companies are recommend to conduct a penetration test before ever performing a vulnerability scan. While vulnerability scanning does not go “hands-on” like penetration testing, it provides a company with a general overview of needs that might need to be addressed immediately. If a company is not performing vulnerability scans on a regular basis, a penetration test may only scratch the surface. For example, if Acme Company has never performed vulnerability scan and purchases a penetration test, the test may identify vulnerabilities, but miss others due to scope and time restrictions. On the other hand, if Acme Company performs consistent vulnerability scanning and patching, a penetration tester has the ability to “dive into the weeds” and look for much more manual and hidden vulnerabilities with his or her allotted time.
A combination of both choices, with quarterly vulnerability scans and an annual penetration test is considered the best methodology.
With that being said, some questions you should ask yourself prior to purchasing a vulnerability scan and/or penetration test are:
If your answer is yes to any of the above, a vulnerability scan and/or penetration test should be considered.
In summary, vulnerability scanning and penetration testing are vastly different options that can be performed against a network. A company that is newer to it’s cybersecurity focus should opt for vulnerability scanning as a first choice. Once initial vulnerabilities are found and a solid patch management process is in place, a penetration test should be considered. Companies that are more mature in their security posture should opt for penetration testing to further enhance their posture and strengthen their defenses. Overall, it is best to combine vulnerability scanning and penetration testing into a balanced attack to comprehensively improve your security posture.