What Is the Difference Between Vulnerability Scanning and Penetration Testing?
Posted on October 19, 2022 by Richard Osborne
A previous blog discussed the importance of penetration testing as part of a comprehensive cybersecurity strategy.
Penetration tests are first used to discover the systems that comprise the organization’s communications network and the devices that operate on those systems. Once that knowledge is gained, penetration tests are used to identify the vulnerabilities in the overall network, each system, and each device that would enable a cyberattacker to access the environment and then create havoc by exploiting those vulnerabilities.
Penetration tests are very important to every organization’s cybersecurity posture. So, too, are vulnerability scans. But while penetration tests and vulnerability scans sound similar, they actually are quite different. This blog explores those differences.
Penetration tests simulate how a cyberattacker might gain access to the network environment and then what will happen to systems and devices afterward. Such tests are done manually and should be conducted quarterly, or annually at a minimum. In contrast, vulnerability scans are automated processes that dive deeper into the known vulnerabilities to understand better why they exist — such understanding is the key to eliminating each vulnerability.
For example, vulnerability scanners can discern whether patch management is being conducted promptly, firewalls are correctly configured, or if devices and applications exist that shouldn’t. Vulnerability scans work hand in hand with penetration tests. Nearly every penetration test we’ve conducted has resulted in our advising the client to follow up with a vulnerability scan — which enables the organization to analyze what it learned from the penetration test.
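The three kinds of check named above (overdue patches, loose firewall rules, and software that should not be there), written out as a small scan over a constructed host inventory. This is an added illustration, not MCP's tooling or code from the original post; the host names, dates, 30-day patch window and approved-software list are all hypothetical.

```python
from datetime import date

# Constructed sample data (hypothetical; not from the original post).
SCAN_DATE = date(2022, 10, 19)
PATCH_SLA_DAYS = 30                      # policy: fixes older than this are overdue
APPROVED_SOFTWARE = {"openssh", "nginx", "postgresql"}
MANAGEMENT_PORTS = {"22", "3389"}        # ports that should never be open to "any"

# Each host lists installed packages (mapped to the date a pending fix was
# released) and its firewall rules as (source, destination port, action).
HOSTS = {
    "dispatch-01": {
        "packages": {"openssh": date(2022, 8, 1), "nginx": date(2022, 10, 10)},
        "firewall": [("any", "any", "allow")],
    },
    "records-db": {
        "packages": {"postgresql": date(2022, 10, 1), "teamviewer": date(2022, 9, 1)},
        "firewall": [("10.0.0.0/8", "5432", "allow"), ("any", "22", "allow")],
    },
}


def scan(hosts, scan_date=SCAN_DATE, sla_days=PATCH_SLA_DAYS, approved=APPROVED_SOFTWARE):
    """Return a list of (host, check, detail) findings for the inventory."""
    findings = []
    for host, data in hosts.items():
        # 1. Patch management: a fix available longer than the SLA is overdue.
        for pkg, fix_date in data["packages"].items():
            age = (scan_date - fix_date).days
            if age > sla_days:
                findings.append((host, "patch-overdue", f"{pkg} fix is {age} days old"))
        # 2. Firewall configuration: wildcard rules, or management ports open to anyone.
        for src, port, action in data["firewall"]:
            if action != "allow":
                continue
            if src == "any" and port == "any":
                findings.append((host, "firewall-any-any", "allow rule with no restriction"))
            elif src == "any" and port in MANAGEMENT_PORTS:
                findings.append((host, "firewall-mgmt-exposed", f"port {port} open to any source"))
        # 3. Unauthorized software: anything outside the approved list.
        for pkg in data["packages"]:
            if pkg not in approved:
                findings.append((host, "unapproved-software", pkg))
    return findings


if __name__ == "__main__":
    for host, check, detail in scan(HOSTS):
        print(f"{host:12} {check:24} {detail}")
```

Run weekly against a fresh inventory export, a diff of the returned findings against last week's is the list that needs action.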
Here's a way to think about the differences between penetration tests and vulnerability scans: a burglar will case a home to determine how to enter it and how easy it will be to do so. The burglar will check for unlocked windows and doors and whether the home has an alarm system or security cameras — that’s a penetration test. Once inside, the burglar will move from room to room to see where the most significant opportunities for mischief exist — that’s a vulnerability scan.
Aim for a Weekly Vulnerability Scan
Unfortunately, we often see that once a penetration test is completed, the report sits on a shelf or desk, never to be opened, and the more critical aspect of this due-diligence exercise — the vulnerability scan — never is conducted. That’s a big mistake.
Vulnerability scans should be conducted every week by skilled testers to make it as difficult as possible for cyberattackers to do what they do. Cyberattackers constantly evolve tactics, and new devices and applications are continually added to systems, increasing cybersecurity vulnerabilities. This becomes exponentially more vexing whenever known vulnerabilities in commonly used platforms and applications are spread widely throughout the cyberattacker community.
Even when vulnerability scans are conducted, the organization often lacks the cybersecurity and information technology (IT) resources needed to understand the findings and then craft suitable strategies for addressing them. This is particularly true of smaller organizations and of those in the public sector, which traditionally has struggled to compete with private-sector organizations for such resources.
If this has been your organization’s experience, consider contracting with a third-party consultant, such as Mission Critical Partners (MCP), to obtain the requisite experience and expertise. MCP offers a comprehensive stack of assessment capabilities based on the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF). We perform a variety of cybersecurity assessments — including penetration testing and vulnerability scans — in a safe and controlled environment. We also offer supplemental services, such as cybersecurity awareness training and virtual chief information security officer (vCISO) support.
The virtual CISO support that we provide is especially important in today’s environment — there simply aren’t enough cybersecurity resources available today in the marketplace for every organization to secure its communications networks, systems, and devices effectively. Even if those resources were available, the budgets that many, if not most, public-sector organizations have at their disposal make it very difficult, if not impossible, to bring those assets in-house. Consequently, the only cost-effective way to go about this in many cases is to outsource.
We stand ready to help — please reach out.
Richard Osborne is MCP’s director of commercial services. Email him at RichardOsborne@SecureHalo.com.