It amazes me how many people confuse the importance of vulnerability scanning with penetration testing. Vulnerability scanning cannot replace the importance of penetration testing, and penetration testing, on its own, cannot secure the entire network. Both are important at their respective levels, needed in cyber risk analysis, and are required by standards such as PCI, HIPAA, ISO 27001, etc.
Vulnerability Scanning vs. Penetration Testing
Penetration testing exploits a vulnerability in your system architecture while vulnerability scanning (or assessment) checks for known vulnerabilities and generates a report on risk exposure.
Either penetration testing or vulnerability scanning depends mostly on three factors:
- Risk and Criticality of assets
- Cost and Time
Penetration testing scope is targeted and there is always a human factor involved. There is no automated penetration testing – penetration testing requires the use of tools, sometimes a lot of tools. But it also requires an extremely experienced person to conduct penetration testing. A good penetration tester always at some point during their testing craft a script, change parameters of an attack or tweak settings of the tools he or she may be using.
It could be at application or network level but specific to a function, department or number of assets. One can include the whole infrastructure and all applications but that is impractical in the real world because of cost and time. You define your scope on a number of factors that are mainly based on risk and how important is an asset.
Spending a lot of money on low-risk assets which may take a number of days to exploit is not practical. Penetration testing requires high skilled knowledge and that’s why it is costly. Testers often exploit a new vulnerability or discover vulnerabilities that are not known to normal business processes. Penetration testing normally can take from days to a few weeks, it is often conducted once a year and reports are short and to the point. It does have a higher than average chance of causing outages.
On the other hand, vulnerability scanning is the act of identifying potential vulnerabilities in network devices such as firewalls, routers, switches, servers and applications. It is automated and focuses on finding potential and known vulnerabilities on the network or an application level. It does not exploit the vulnerabilities. Vulnerability scanners only identify potential vulnerabilities; they do not exploit the vulnerabilities. Hence, they are not built to find zero-day exploits. The scope of vulnerability scanning is business-wide, requiring automated tools to manage a high number of assets. It is wider in scope than penetration testing. Products specific knowledge is needed to effectively use the vulnerability scans product. It is usually run by administrators or security personnel with good networking knowledge.
Vulnerability scans can be run frequently on any number of assets to ascertain known vulnerabilities are detected and patched. Thus, you can eliminate more serious vulnerabilities for your valuable resources quickly. An effective way to remediate vulnerabilities is to follow the vulnerability management lifecycle. The cost of a vulnerability scan is low to moderate as compared to penetration testing, and it is a detective control as opposed to preventive like penetration testing.
Vulnerability management can be fed into patch management for effective patching. Patches must be tested on a test system before rolling out to production.
Controls & Standards
Security controls & standards highlight the importance of vulnerability scanning. For example, The Center for Internet Security (CIS) Control #3, “Continuous Vulnerability Management,” calls on security practitioners to “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.”
Requirement 11.2 of Payment Card Industry Data Security Standard (PCI DSS) covers scanning. It states that you need to “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.”
Both vulnerability scanning and penetration testing can feed into the cyber risk analysis process and help to determine controls best suited for the business, department or a practice. They all must work together to reduce cybersecurity risk. It is very important to know the difference; each is important and has different purposes and outcomes.
Training is also important as providing a tool(s) to your security staff does not mean that the environment is secure. Lack of knowledge in using a tool(s) effectively poses a bigger security risk. In-depth knowledge of security tools will allow your teams to bring ROI in terms of quality, a good view of an organisation’s security posture, and reducing cost and time spent on unnecessary troubleshooting.