Understanding the Differences between Penetration Testing and Vulnerability Scanning
Published: October 5, 2021
By: Herm Cardona
Penetration testing and vulnerability scanning are two vastly different ways to check the security of your systems and infrastructure. They don’t use the same methods, nor do they involve the same kinds of checking, so it’s important to know how they differ.
Vulnerability scanning is done using automated software tools that generate a report of possible security vulnerabilities. The tools don’t try to exploit your systems and infrastructure, nor do they offer ways to fix the vulnerabilities they find. More importantly, you must determine yourself which vulnerabilities are actually exploitable and which you can safely ignore.
Penetration testing is done by humans. These humans are known as ethical hackers. Ethical hackers don’t just look at your systems and infrastructure. Instead, they attack your systems using the same tools that a malicious attacker would employ in the real world.
If the penetration tester is successful in exploiting a vulnerability, it becomes a “finding.” If the vulnerability is not exploitable, or is otherwise mitigated by security controls, then it can be safely downgraded or ignored. Whereas a vulnerability scan produces just raw data, a penetration test provides contextual and actionable results.
Why Would Threat Actors Come After Us?
Small and medium-sized businesses often think that threat actors carefully pick their targets. They believe that large businesses are specifically targeted by unethical hackers because of their size and their assets (the bigger they are, the bigger the theft, identity exposure, ransomware payment, etc.).
The reality is quite different. Threat actors cast a wide net that looks at everything that’s connected to the internet. That includes your small or medium-sized business. So, if you’ve got security holes, they’ll find them and they will exploit them. It’s not a question of whether you will have a cyber attack, but when.
Why Would You Do a Vulnerability Scan?
You might have a partner your company connects to (or that connects to your company) and you’re worried about your security now that you’ve opened up your systems and infrastructure to a third-party platform.
So, your IT team looks for a vendor with a software tool to scan for potential security vulnerabilities. Beware of vendors who promise full security of your systems but use only vulnerability scanning tools and do not provide penetration testing by experienced penetration testers.
Once the vulnerability scanner runs, your IT team gets a report that says it's unlikely there will be any issues with the new platform. Or it points out a few problems that you fix. Now you think you are safe and that it's time to check the box and move on to something else.
But is that enough proof that nobody can manipulate your systems and infrastructure? Unfortunately, no. Since vulnerability scanning doesn’t infiltrate, it doesn’t prove that your security is buttoned up (or not).
Vulnerability scanners are only as good as the library of known issues that they search for. Zero-day and newly discovered vulnerabilities will not be detected. Vulnerabilities resulting from poor application design, misconfiguration, insecure coding practices, or insecure deployment will not be detected. And since vulnerability scanning doesn’t usually exploit, it doesn’t prove anything about the actual risk to your information resources.
One of the challenges with vulnerability scanners is that they are almost guaranteed to report false positives. For example, the report might indicate that one of your system's web applications is critically insecure. But it may not be, if the system is on an internal network and accessible only through a virtual private network (VPN).
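The triage step described above can be made explicit. The following added example (not code from the original article) adjusts a scanner's raw severity for where the asset sits and what compensating controls protect it, and separates exploited "findings" from downgraded or still-unverified items; the asset names, check names and rating rules are constructed for illustration.

```python
from dataclasses import dataclass, field
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_NAME = {v: k for k, v in SEVERITY_RANK.items()}

@dataclass
class Asset:
    name: str
    exposure: str                # "internet" or "internal"
    requires_vpn: bool = False   # reachable only over the corporate VPN
    controls: set = field(default_factory=set)  # compensating controls, e.g. {"waf"}

@dataclass
class Finding:
    check: str                   # scanner check name (constructed, not a real plugin id)
    scanner_severity: str        # rating as the scanner reported it
    asset: Asset
    exploit_verified: bool = False  # set by the tester after a manual attempt

def contextual_severity(f: Finding) -> str:
    """Adjust the raw scanner rating for exposure and compensating controls."""
    if f.exploit_verified:
        return f.scanner_severity        # proven exploitable: keep the scanner's rating
    rank = SEVERITY_RANK[f.scanner_severity]
    if f.asset.exposure == "internal":   # not reachable from the internet at all
        rank -= 2 if f.asset.requires_vpn else 1
    if "waf" in f.asset.controls and f.check.startswith("web/"):
        rank -= 1                        # a WAF mitigates, but does not remove, web flaws
    return RANK_NAME[max(1, rank)]

def triage(findings):
    """Return (check, status, severity) rows as a tester's report would list them."""
    rows = []
    for f in findings:
        sev = contextual_severity(f)
        if f.exploit_verified:
            status = "finding"               # exploited; goes in the report as-is
        elif sev != f.scanner_severity:
            status = "downgraded"            # real weakness, lower actual risk
        else:
            status = "needs manual verification"
        rows.append((f.check, status, sev))
    return rows
# Constructed sample data: an intranet app behind the VPN and a public portal.
INTRANET = Asset("hr-intranet", "internal", requires_vpn=True)
PORTAL = Asset("customer-portal", "internet", controls={"waf"})
SAMPLE = [
    Finding("web/outdated-framework", "critical", INTRANET),
    Finding("web/reflected-xss", "high", PORTAL, exploit_verified=True),
    Finding("net/weak-tls-cipher", "medium", PORTAL),
]
```

Running `triage(SAMPLE)` drops the VPN-only intranet issue from critical to medium while keeping the exploited portal XSS as a high finding.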
Once your IT team has eliminated the false positives and addressed the potential problems, your application will be more secure, but the only sure way to know that your systems and infrastructure are truly secure is to have a hacker hack them. Just make sure your hacker is wearing a white hat.
Penetration testing does what vulnerability scanning cannot. Penetration tests are done by real people, whereas vulnerability scanning is done by software. No matter how sophisticated vulnerability scanners are, they cannot perform the all-inclusive, drill-down cyber security testing that people can do (at least not yet!).
Although penetration testing is often performed in a test environment, the most effective tests are run on production systems. This is to ensure that the system is secure as currently deployed.
If necessary, dangerous activities can be excluded in the rules of engagement for the penetration test. For example, social engineering, client-side attacks, and denial of service attacks are normally prohibited. Additionally, if your system crashes during a vulnerability scan, the system is probably unstable and vulnerable to simple denial of service attacks. Wouldn’t you rather know?
How Do Penetration Testers Work with Your IT Team?
Your IT team might feel confident that they’ve fully secured your systems, so they may feel threatened when you have a penetration test done. They should not. The penetration testing team will work with them to show them where your systems can be exploited and how to fix the security holes.
Some penetration tests are done using a red/blue team approach, where the red team (the penetration testers) takes an offensive "assume breached" position. That means they start as if they have already gotten into your systems through an open entry point. From there, they will aggressively see how far they can go and how much could be exploited by a threat actor.
The blue team (your IT team) takes a defensive approach to detect, identify, contain, and eliminate every cyber threat from the red team. In essence, the blue team’s job is to protect everything. This non-threatening approach serves two purposes: your IT team is engaged in the penetration test and they learn about security vulnerabilities they may not have thought about or known about.
What Kinds of Things Do Penetration Testers Find?
One of the key parts of penetration testing is creating a report that details all the security vulnerabilities in your systems. For example, if you have databases that are not secured properly, the penetration testing team will show you how they can be exploited.
There are many examples we could share with you. But, here are just a few:
- Exposed databases storing cleartext credentials (logins and passwords), or credentials hashed with weak hashing algorithms. The only secure way to store credentials so that they can't be exploited is to hash them with a strong password-hashing algorithm.
- Exposed sensitive personal identification information (PII). This can include Social Security numbers, financial records, driver’s license numbers, and medical records.
- Exposed sensitive company information that could negatively affect your company’s reputation, competitiveness, and revenue.
- Misconfigured Microsoft Active Directory that gives unauthorized access or privileges to a low-integrity user or process.
What Penetration Testers Can Do That Vulnerability Scanners Cannot
After you’ve run a vulnerability scan, you get a report of the scan’s findings. But the report doesn’t tell you the real exposure of what it found; it simply doesn’t know. Further, there are almost always vulnerabilities to be found that a scanner will never find.
That’s why penetration testers are so vital to ensuring your system and infrastructure security. Penetration testers use vulnerability scans to identify potential vulnerabilities. In addition to that, penetration testers run customized, in-depth scans based on the nuances of your applications or network that a vulnerability scan will miss. Penetration testers also look for vulnerabilities that are so new that scans aren’t programmed to find them.
Penetration testers then try to exploit the vulnerabilities they find. For example, the scan may indicate that your website is exposed to cross-site scripting. That’s certainly bad. But the penetration test will tell you if that actually exposes sensitive information such as Social Security numbers or credit card numbers, as well as the actual risk level based on likelihood of occurrence and the severity of successful exploitation.
Once these vulnerabilities have been exploited, your penetration testing team will give you a detailed report of their findings. They will then help you remedy those vulnerabilities, in the process passing on to your team the valuable knowledge of their experience.