
Penetration Testing and Vulnerability Scanning – what is the difference?

What is the difference between Penetration Testing and Vulnerability Scanning?

As a business specialising in helping keep other businesses safe in the modern, challenging, always-on cyber world, we provide a broad range of security services. Two of the services we deliver for clients across a range of sectors are penetration testing and vulnerability scanning.

Although both are critical to the ongoing safe operation of organisations of every size, whether in a single location or with a global presence, there remains confusion, even amongst IT professionals, as to the need for both and how regularly each should be performed.

They are different approaches to security. In our experience the distinction is best put simply: penetration testing seeks to exploit vulnerabilities in your system architecture, whereas vulnerability scanning checks your systems for known vulnerabilities to identify your exposure to risk.

What is Penetration Testing?

There are different types of penetration test that can be performed, internal, external, web application and mobile application to name a few, but all share the same principle: an experienced human with the right tools spends time discovering vulnerabilities, then attempts to exploit them as a malicious actor might.

External testing assesses the infrastructure that is accessible from the internet, which usually involves firewalls, VPNs and similar perimeter services. It assesses the risk of a malicious actor identifying those services and exploiting any vulnerabilities in them, and may also include attempting to ‘phish’ employees for access.

An internal test is carried out against devices within the office or organisation’s own network.

Effective internal or external penetration testing requires experience and detailed knowledge of infrastructure and systems architecture, combined with a range of skills possessed by a small number of individuals. That is why it costs more than automated processes and should be seen as another cost of doing business.

Testers keep their fingers on the pulse of the hacking world and will typically also seek to exploit newly discovered vulnerabilities that are not yet known to the wider commercial community. A penetration test can take anywhere from a few days to a few weeks and concludes with a report and remediation actions.

What is Vulnerability Scanning?

As the term implies, vulnerability scanning is the act of identifying potential vulnerabilities in all manner of network devices and endpoints, such as servers, desktops, laptops and cloud infrastructure.

Unlike penetration testing, which requires human interaction, vulnerability scanning is automated and focuses on finding known and potential vulnerabilities at the network or application level. The point is to find vulnerabilities, not to attempt to exploit them.

Being automated, it is cost-effective to run scans frequently to discover known vulnerabilities and patch them. Ideally, scanning is coordinated with penetration testing to offer a more comprehensive approach that combines detection with preventative measures.
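To make the “find, don’t exploit” distinction concrete, the following added example (written for this page, not illume’s own tooling or any real scanner) shows the core of what an automated vulnerability scan does: it compares an inventory of installed software versions against a feed of advisories with vulnerable version ranges and reports matches. Everything in it is constructed: the product names, the advisory identifiers (`EXAMPLE-…`, not real CVEs), the version ranges and the host inventory. Nothing is sent to any host; a real scanner collects the version information by authenticated checks or agents and then performs exactly this kind of matching.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One entry in a (constructed) advisory feed.

    The vulnerable range is [min_version, fixed_in): min_version is the first
    affected release, fixed_in is the first release that carries the fix.
    """
    advisory_id: str
    product: str
    min_version: str
    fixed_in: str
    severity: str


def compare_versions(a: str, b: str) -> int:
    """Compare dotted numeric versions; returns -1, 0 or 1.

    Shorter versions are padded with zeros, so "1.9" == "1.9.0".
    """
    pa = [int(x) for x in a.split(".")]
    pb = [int(x) for x in b.split(".")]
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def is_affected(installed: str, adv: Advisory) -> bool:
    """True when the installed version falls inside the advisory's vulnerable range."""
    return (compare_versions(installed, adv.min_version) >= 0
            and compare_versions(installed, adv.fixed_in) < 0)


# Constructed advisory feed: fictional products and placeholder identifiers.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "acme-webserver", "2.0.0", "2.5.0", "high"),
    Advisory("EXAMPLE-0002", "acme-vpn", "1.0", "2.0", "critical"),
]

# Constructed inventory: (host, product, installed version), as an
# authenticated scan or endpoint agent would have collected it.
INVENTORY = [
    ("srv-01", "acme-webserver", "2.4.1"),
    ("srv-01", "acme-vpn", "1.9"),
    ("lap-07", "acme-webserver", "2.6.0"),
    ("srv-02", "acme-db", "5.1.0"),
]


def scan_inventory(inventory=INVENTORY, advisories=ADVISORIES) -> list[dict]:
    """Report every (host, product) whose version matches a known advisory.

    This is detection only: the function never contacts a host or tries to
    exploit anything; it produces the finding list a report would be built from.
    """
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and is_affected(version, adv):
                findings.append({
                    "host": host,
                    "product": product,
                    "installed": version,
                    "advisory": adv.advisory_id,
                    "severity": adv.severity,
                    "remediation": f"upgrade {product} to {adv.fixed_in} or later",
                })
    # Most urgent first, then by host for a stable report order.
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: (rank.get(f["severity"], 9), f["host"]))
    return findings


if __name__ == "__main__":
    for f in scan_inventory():
        print(f"{f['severity']:<9} {f['host']:<7} {f['product']} {f['installed']} "
              f"({f['advisory']}): {f['remediation']}")
```

The point of contrast with a penetration test is visible in `scan_inventory`: a match on a version range is reported as a finding with a remediation step, and that is where the scanner stops. Whether the flaw is actually reachable and exploitable on `srv-01` in its real network position is exactly the question a human tester answers.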

We are often asked how regularly vulnerability scanning and penetration testing should be undertaken. The answer depends on a number of factors: system or network changes, new hardware or software deployments, organisational change, and regulatory or compliance standards.

For example, the Payment Card Industry Data Security Standard (PCI DSS) states that an organisation must, ‘Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.’

Overall, industry best practice and compliance requirements are to perform vulnerability scanning at least every quarter and penetration testing annually. However, in our experience, as vulnerabilities continue to be discovered at an increasing rate, organisations should go beyond compliance requirements. Many illume clients have opted for monthly vulnerability scans and twice-yearly penetration testing. The decision for every organisation is driven by how much risk it is prepared to accept, weighed against the cost of regular vulnerability scanning and at least yearly penetration testing.

Different but equally important

Vulnerability scanning and penetration testing inform your cyber risk analysis and help determine the controls needed at the business, department and individual levels. The reports provided will typically highlight the need for better education of employees, who remain the weakest security link.

Why use external security specialists like illume? Because using the right tools in the wrong way can itself create a security risk. Our team has deep knowledge of the appropriate security tools and how to use them, to guarantee an effective solution that will improve your security and help keep you safe in the future.

If you still need convincing about the need for vulnerability scans and penetration testing, check back for regular updates when we go into more detail. However, if you want to assess your security accurately and close holes before others find them, please get in touch today.
