Understanding penetration testing versus vulnerability scanning and using them both properly will help your organization identify cybersecurity weaknesses and determine how likely they are to be exploited.
Verizon's 2018 Data Breach Investigations Report analyzed more than 53,000 security incidents that compromised the integrity, confidentiality, or availability of information assets between November 2016 and October 2017. Researchers confirmed 2,216 data breaches, in which information was exposed to an unauthorized party, during that same period.
“To truly manage vulnerabilities and not play Whac-A-Mole with scan findings,” researchers wrote, “you need to trust your asset management, understand how your vulnerabilities fit into the context of your organization and be able to analyze the paths attackers might take in that context.”
Vulnerability scanning and penetration testing help you determine where and how attackers may strike. Then you can prioritize your remediation efforts to better protect sensitive information such as your customers’ data.
Penetration testing tries to exploit weaknesses in your defenses. Third-party testers attempt to uncover weaknesses such as insecure business processes, lax security settings, and forgotten databases that still hold valid user credentials, and to demonstrate the damage that could result, according to a Secureworks article on vulnerability scanning vs. penetration testing.
Penetration testing is typically done annually. It should meet the requirements for established regulatory and compliance standards such as PCI DSS, FISMA, MARS-E, HIPAA, and Sarbanes-Oxley.
Types of penetration testing include:
The Institute for Security and Open Methodologies (ISECOM), which publishes the Open Source Security Testing Methodology Manual (OSSTMM), and the Open Web Application Security Project (OWASP), which publishes the OWASP Testing Guide, offer commonly accepted penetration testing methodologies.
Vulnerability scanning searches your network for known vulnerabilities. It is often done by internal team members who use off-the-shelf software such as OpenVAS or Nessus to scan IP addresses for weaknesses such as susceptibility to the Heartbleed bug (CVE-2014-0160). Most such checks are signature-based, matching version banners and known responses, so findings still need to be validated for false positives before remediation work is assigned.
According to a CSO article on the difference between a vulnerability scan, penetration test, and a risk analysis, “It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them.”
Customers often require vendors to undergo vulnerability scanning and assessment at least quarterly to keep abreast of emerging threats. This may include:
Penetration testing and vulnerability scanning both identify weaknesses. You can also prioritize your efforts to remediate those weaknesses based on those reports.
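To make that prioritization step concrete, here is an added example written for this page; it is not code from the article or from Verizon, Secureworks or CSO. It merges a constructed, Nessus-style CSV export with a constructed asset inventory and ranks findings by CVSS weighted for internet exposure and data sensitivity, which is the "context" the DBIR quote above is asking for. The column names, hosts, weights and the inventory itself are assumptions; the one CVE shown is the Heartbleed identifier mentioned on this page.

```python
"""Rank vulnerability-scan findings by asset context.

Added example, not code from the original article or from Verizon, Secureworks
or CSO. The scanner export is a constructed, Nessus-style CSV; the asset
inventory, hosts, column names and weights are assumptions for illustration.
"""
import csv
import io

# Constructed scanner export in a Nessus-like CSV layout (column names assumed).
SCAN_CSV = """Host,Port,Plugin Name,CVE,CVSS,Risk
10.0.1.10,443,OpenSSL Heartbeat Information Disclosure (Heartbleed),CVE-2014-0160,5.0,Medium
10.0.1.10,22,SSH Weak MAC Algorithms Enabled,,2.6,Low
10.0.2.20,3306,MySQL Unsupported Version Detection,,9.8,Critical
10.0.3.30,80,Web Server Uses Plain Text Authentication Forms,,4.3,Medium
10.0.9.99,445,SMB Signing Not Required,,5.3,Medium
"""

# Constructed asset inventory: the "context" the DBIR quote talks about.
# 10.0.9.99 is deliberately absent to show how an inventory gap is handled.
ASSETS = {
    "10.0.1.10": {"exposure": "internet", "data": "customer-pii", "owner": "web-team"},
    "10.0.2.20": {"exposure": "internal", "data": "customer-pii", "owner": "dba"},
    "10.0.3.30": {"exposure": "internal", "data": "none", "owner": "it"},
}

# Assumed weights: reachable from the internet and holding sensitive data
# each double the urgency of a finding.
EXPOSURE_WEIGHT = {"internet": 2.0, "dmz": 1.5, "internal": 1.0}
DATA_WEIGHT = {"customer-pii": 2.0, "financial": 2.0, "none": 1.0}
UNKNOWN_ASSET_WEIGHT = 2.0  # a host nobody owns is a finding in itself


def parse_findings(csv_text):
    """Parse the scanner CSV into dicts; a blank or malformed CVSS scores 0."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            cvss = float(row["CVSS"])
        except (KeyError, ValueError):
            cvss = 0.0
        findings.append({
            "host": row["Host"],
            "port": int(row["Port"]),
            "name": row["Plugin Name"],
            "cve": row.get("CVE") or None,
            "cvss": cvss,
        })
    return findings


def score(finding, assets):
    """Return (priority, owner) for one finding given the asset inventory."""
    asset = assets.get(finding["host"])
    if asset is None:
        # Not in inventory: exposure is unknown, so escalate and flag it.
        return round(finding["cvss"] * UNKNOWN_ASSET_WEIGHT, 1), "not in inventory"
    weight = (EXPOSURE_WEIGHT.get(asset["exposure"], 1.0)
              * DATA_WEIGHT.get(asset["data"], 1.0))
    return round(finding["cvss"] * weight, 1), asset["owner"]


def prioritize(csv_text, assets):
    """Merge scan output with the inventory and sort highest priority first."""
    ranked = []
    for finding in parse_findings(csv_text):
        priority, owner = score(finding, assets)
        ranked.append({**finding, "priority": priority, "owner": owner})
    ranked.sort(key=lambda f: (-f["priority"], f["host"], f["port"]))
    return ranked


def cvss_only(csv_text):
    """Baseline: the order a scanner report gives you with no context at all."""
    return sorted(parse_findings(csv_text), key=lambda f: -f["cvss"])


if __name__ == "__main__":
    print("CVSS-only order:")
    for f in cvss_only(SCAN_CSV):
        print(f"  {f['cvss']:>4}  {f['host']}:{f['port']}  {f['name']}")
    print("Context-weighted order:")
    for f in prioritize(SCAN_CSV, ASSETS):
        print(f"  {f['priority']:>5}  {f['host']}:{f['port']}  {f['name']}  -> {f['owner']}")
```

Running it prints both orderings side by side. On the CVSS-only list the unsupported MySQL build comes first; once exposure and data sensitivity are applied, the Heartbleed finding on the internet-facing host that stores customer data moves to the top, and the SMB host that is missing from the inventory is escalated and labelled as such instead of being silently ranked by raw score.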
Additional similarities between penetration testing and vulnerability scanning include the parts of your network they probe and the regularity with which they occur. You may also be required to do both to comply with regulations or contractual obligations with your customers, particularly if you are a banking, retail, healthcare, or software as a service organization that is responsible for protecting client data.
Whereas vulnerability scanning shows where equipment could be compromised, penetration testing shows whether and how those weaknesses can actually be exploited and what damage an attacker could do as a result, according to the Secureworks article.
Also, Secureworks recommends that you do vulnerability scanning more frequently: at least quarterly, as well as whenever new equipment is added or your network undergoes "significant changes." Penetration testing also should be done whenever such changes occur, but once or twice a year should suffice otherwise.
Lastly, though you probably will get consistent results from vulnerability scans performed by your internal team with off-the-shelf software, the effectiveness of your penetration testing will depend on the experience and expertise of your third-party vendor.
The CSO article recommends the following uses:
Considering penetration testing vs. vulnerability scanning is like pondering exercise vs. healthy eating. Both are good for you, but you must do them together to maximize the benefits.
Knowing the differences between penetration testing and vulnerability scanning will help you protect against data breaches so that your company can continue to do what it does.