When selecting a strategy to validate proper controls, you'll want to consider the differences of...
Penetration Testing vs Vulnerability Scanning—Knowing the Differences
Understanding penetration testing versus vulnerability scanning and using them both properly will help your organization identify cybersecurity weaknesses and determine how likely they are to be exploited.
The average organization experienced more than 53,000 security incidents that compromised the integrity, confidentiality, or availability of information assets between November 2016 and October 2017, according to the 2018 Verizon Data Breach Investigations Report. Researchers confirmed 2,216 data breaches in which information was exposed to an unauthorized party during that same period.
“To truly manage vulnerabilities and not play Whac-A-Mole with scan findings,” researchers wrote, “you need to trust your asset management, understand how your vulnerabilities fit into the context of your organization and be able to analyze the paths attackers might take in that context.”
Vulnerability scanning and penetration testing help you determine where and how attackers may strike. Then you can prioritize your remediation efforts to better protect sensitive information such as your customers’ data.
What Is Penetration Testing?
Penetration testing tries to exploit weaknesses in your defenses. Third-party vendors attempt to uncover weaknesses—such as insecure business processes, lax security settings, and forgotten databases storing valid user credentials—and to show the damage that could result, according to a Secureworks article on vulnerability scanning vs. penetration testing.
Penetration testing is typically done annually. It should meet the requirements for established regulatory and compliance standards such as PCI DSS, FISMA, MARS-E, HIPAA, and Sarbanes-Oxley.
Types of penetration testing include:
- Network & Systems
- Web Application
- Mobile Application
- Wi-Fi
- Physical
The Institute for Security and Open Methodologies (ISECOM) and the Open Web Application Security Project (OWASP) offer commonly accepted penetration testing methodologies.
What Is Vulnerability Testing?
Vulnerability testing searches your network for known threats. It is often done by internal team members who use off-the-shelf software such as OpenVAS or Nessus to scan IP addresses for vulnerabilities such as susceptibility to the Heartbleed bug.
According to a CSO article on the difference between a vulnerability scan, penetration test, and a risk analysis, “It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them.”
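An added illustration of the signature matching the CSO quote describes (example code written for this page, not taken from the article, OpenVAS or Nessus): a toy scanner fingerprints service banners and looks the product and version up in a list of published vulnerabilities. The knowledge base, version ranges and host inventory are constructed assumptions; the point is that a product or version with no entry in the list produces no finding at all.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample knowledge base, not a real scanner plugin feed.
# Each entry: (finding name, first affected version, last affected version).
# The Heartbleed range is illustrative; a real feed holds thousands of
# entries and is refreshed as new advisories are published.
KNOWN_VULNS = {
    "openssl": [("Heartbleed", "1.0.1", "1.0.1f")],
}

BANNER_RE = re.compile(r"([A-Za-z]+)[/_ ]v?(\d[\w.]*)")
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]*)")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """'1.0.1f' -> ((1, 0, 1), 'f'); the tuples compare in release order."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n) for n in m.group(1).split(".")), m.group(2)


def fingerprint(banner: str) -> Optional[Tuple[str, str]]:
    """Extract (product, version) from a banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    return (m.group(1).lower(), m.group(2)) if m else None


def scan(assets: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Match each asset's banner against KNOWN_VULNS.

    Returns (asset, product, version, finding) per hit. A product or version
    with no knowledge-base entry yields nothing: the scanner's blind spot.
    """
    findings = []
    for asset, banner in assets.items():
        fp = fingerprint(banner)
        if fp is None:
            continue  # unrecognised service: the scanner has nothing to say
        product, version = fp
        v = parse_version(version)
        for name, lo, hi in KNOWN_VULNS.get(product, []):
            if parse_version(lo) <= v <= parse_version(hi):
                findings.append((asset, product, version, name))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = {
    "10.0.0.5:443": "OpenSSL/1.0.1f",  # inside the affected range: reported
    "10.0.0.6:443": "OpenSSL/1.0.1g",  # fixed release: silent
    "10.0.0.7:22": "OpenSSH_7.9",      # no entry for this product: silent
}
```

Run `scan(SAMPLE_ASSETS)` and only the first host is reported; the third host is silent even if it carried an undisclosed flaw, because nothing in the list describes it.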
Customers often require vendors to undergo vulnerability scanning and assessment at least quarterly to keep abreast of emerging threats. This may include:
- External and internal network vulnerability assessments to provide a comprehensive report of vulnerabilities across your infrastructure along with detailed remediation guidance.
- PCI DSS Approved Scanning Vendor (ASV) vulnerability scans to ensure that ASV scans for organizations that handle payment card data meet PCI DSS requirements for vulnerability scanning.
How Are They the Same?
Penetration testing and vulnerability scanning both identify weaknesses. You can also prioritize your efforts to remediate those weaknesses based on those reports.
Additional similarities between penetration testing and vulnerability scanning include the parts of your network they probe and the regularity with which they occur. You may also be required to do both to comply with regulations or contractual obligations with your customers, particularly if you are a banking, retail, healthcare, or software as a service organization that is responsible for protecting client data.
How Are They Different?
Whereas vulnerability scanning can show you when equipment could be compromised, penetration testing identifies and reduces weaknesses, according to the Secureworks article.
Also, Secureworks recommends that you do vulnerability scanning more frequently—at least quarterly, as well as whenever new equipment is loaded or your network undergoes “significant changes.” Penetration testing also should be done whenever such changes occur, but once or twice a year should suffice otherwise.
Lastly, though you probably will get consistent results from vulnerability scans performed by your internal team with off-the-shelf software, the effectiveness of your penetration testing will depend on the experience and expertise of your third-party vendor.
How Would You Use Each and for What Purposes?
The CSO article recommends the following uses:
- Vulnerability scanning – Scan your internal network for missing vendor patches and your external network for threats such as the Heartbleed bug.
- Penetration testing – Determine how much damage attackers could do by exploiting your known vulnerabilities, as well as looking for unknown threats.
Considering penetration testing vs. vulnerability scanning is like pondering exercise vs. healthy eating. Both are good for you, but you must do them together to maximize the benefits.
Knowing the differences between penetration testing and vulnerability scanning will help you protect against data breaches so that your company can continue to do what it does.