It amazes me how many people confuse the importance of vulnerability scanning with penetration testing. Vulnerability scanning cannot replace the importance of penetration testing, and penetration testing on its own cannot secure the entire network.
Both are important at their respective levels, needed in cyber risk analysis and are required by standards such as PCI, HIPAA and ISO 27001.
Penetration testing exploits vulnerabilities in your system architecture, while vulnerability scanning (or assessment) checks for known vulnerabilities and generates a report on risk exposure. Both penetration testing and vulnerability scanning depend mostly on three factors:
- Risk and criticality of assets
- Cost and time
Penetration testing scope is targeted, and there is always a human factor involved. There is no such thing as automated penetration testing. It requires the use of tools, sometimes a lot, but it also requires an extremely experienced person to conduct the testing.
A good penetration tester always—at some point—crafts a script, changes the parameters of an attack and/or tweaks the settings of the tools (s)he is using during a test.
Penetration testing can operate at the application- or network-level or be specific to a function, department or a number of assets. Alternatively, one can include the whole infrastructure and all applications. But that is impractical in a real-world scenario because of cost and time.
You define your scope on a number of factors, which are mainly based on risk and the importance of an asset. Spending a lot of money on low-risk assets that may take several days to exploit is not practical. After all, testing requires high-skilled knowledge, and that’s why it is costly.
Additionally, testers often exploit a new vulnerability or discover security flaws that are not known to normal business processes, something which can take from days to few weeks. Because of its cost and its higher-than-average chance of causing outages, penetration testing is often conducted once a year. All reports are short and to the point.
On the other hand, vulnerability scanning is the act of identifying potential vulnerabilities in network devices such as firewalls, routers, switches, servers and applications. It is automated and focuses on finding potential and known vulnerabilities on the network- or application-level. It does not exploit the vulnerabilities. Vulnerability scanners merely identify known vulnerabilities and hence are not built to find zero-day exploits.
Vulnerability scanning scope is business-wide and requires automated tools to manage the high number of assets. It is wider in scope than penetration testing. Product-specific knowledge is needed to effectively use the product of vulnerability scans, which are usually run by administrators or a security person with good networking knowledge.
Vulnerability scans can be run on any number of assets to ascertain known vulnerabilities. You can then use those scans to eliminate more serious vulnerabilities affecting your valuable resources quickly using the vulnerability management lifecycle.
The cost of a vulnerability scan is low to moderate compared to penetration testing, and it is a detective control as opposed to a preventive measure like penetration testing.
The Center for Internet Security (CIS) is a good point of reference for examining the core differences between vulnerability scanning and penetration testing. CIS maintains an actionable, prioritized list of 20 foundational security controls widely accepted as an authoritative guide to cybersecurity best practices.
Control #3, “Continuous Vulnerability Management,” calls on security practitioners to “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.” Since the CIS Controls are prioritized, this particular control holding a spot in the top six “basic controls” is an indicator of how fundamental and necessary it is to any security program.
The control “Penetration Tests and Red Team Exercises: Test the overall strength of an organization’s defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker” is at the #20 spot on the controls list. Even though it takes last place, it’s still important enough to be included in the top 20 best practices, but it’s certainly less critical than the controls that come before it on the list.
Both vulnerability scanning and penetration testing can feed into a cyber risk analysis process and help determine controls best suited for the business, department or practice. They must work together to reduce risk, but to get the most out of them, it is very important to know the difference, as each is important and has a different purpose and outcome.
To learn more about how Tripwire can help you scan for vulnerabilities, click here.