Development Information Security Pen Testing

You’re here because you want to know the difference between a vulnerability assessment and penetration testing. 

Well, we’re here to tell you the question isn’t which one to use. The question is which one you should use first.

But let’s back up for a second and understand why we do these scans and tests in the first place.

The purpose of cyber security testing

Cyber security experts conduct scans and tests to mitigate risk. Risk is a natural part of life and business, but we can reduce it with measures such as two-factor authentication (2FA), strong passwords, and well-maintained code.

A weakness only becomes an exploitable vulnerability when little stands between it and an attacker who can act on it. To mitigate risk, you can keep backups, layer multiple controls (defence in depth), and continually scan for new weaknesses.

Scanning finds potential weaknesses. Ideally, you then judge how likely each one is to be exploited, and how badly, and take steps to close it or limit its impact.

Sometimes we also scan or test to meet regulatory or contractual requirements. For example, organisations that handle payment card data must run vulnerability scans at least once every three months (quarterly) to meet PCI DSS, with the external scans performed by an Approved Scanning Vendor.

Penetration testing and vulnerability scanning both identify risk, but at different levels of detail. So, as we’ll explain, the question is less ‘this vs that’ and more ‘which to do first’.

What is vulnerability scanning?

Vulnerability scans are (almost) fully automated. They probe your systems for known weaknesses that could be exploited, using much the same tooling attackers use for reconnaissance. That takes the guesswork out and produces a list of starting points for breaking into a system. But a scan only reports that a weakness appears to be present; it does not show what an attacker could actually do with it.

Cyber security firms run scans both with credentials (authenticated) and without. The two find different things: an unauthenticated scan shows what an outsider sees from the network, while a credentialed scan logs in and inspects the host itself, revealing what an attacker who had already phished a password could reach.

Continuous vulnerability scanning is also an affordable way to check baseline configurations and confirm that patches are actually installed. Other common findings include open ports and outdated software.
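To make the credentialed/unauthenticated distinction concrete, here is a toy scanner written for this article (it is not CyberCrowd tooling or any real scanner). The host, its banners, its package inventory and the “fixed in version” table are all constructed for illustration and are not real advisories. It shows why the two scan types produce different finding lists: an outsider only learns what a service announces on a port, whereas a login also exposes outdated local software and confirms whether patches were really applied.

```python
"""Toy vulnerability scanner: unauthenticated vs credentialed view of one host.

Added example for this article, not code from the original post. Every host,
banner, package version and threshold below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed "vulnerable below this version" table (hypothetical thresholds).
# A real scanner ships a signed feed of thousands of such entries.
FIXED_IN = {
    "OpenSSH": (9, 3),
    "nginx": (1, 25),
    "sudo": (1, 9, 14),
    "libxml2": (2, 11),
}


@dataclass
class Host:
    name: str
    banners: dict   # tcp port -> banner string; visible to anyone on the network
    packages: dict  # package name -> installed version; readable only with a login


def parse_version(text):
    """'1.24.0' -> (1, 24, 0); stops at suffixes such as the 'p1' in '9.2p1'."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if digits == "":
            break
        parts.append(int(digits))
    return tuple(parts)


def is_outdated(name, version):
    """True when the installed version is below the constructed fixed version."""
    fixed = FIXED_IN.get(name)
    return fixed is not None and parse_version(version) < fixed


def parse_banner(banner):
    """Pull (product, version) out of a service banner, or None if unrecognised."""
    if banner.startswith("SSH-"):
        # e.g. 'SSH-2.0-OpenSSH_9.2p1': software token follows the protocol version
        name, _, version = banner.split("-", 2)[2].partition("_")
        return name, version
    if "/" in banner:
        # e.g. 'nginx/1.25.3'
        name, _, version = banner.partition("/")
        return name, version
    return None


def unauthenticated_scan(host):
    """What an outsider sees: open ports and whatever each banner admits."""
    findings = []
    for port, banner in sorted(host.banners.items()):
        findings.append(("open-port", port, banner))
        parsed = parse_banner(banner)
        if parsed and is_outdated(*parsed):
            findings.append(("outdated-service", port, f"{parsed[0]} {parsed[1]}"))
    return findings


def credentialed_scan(host):
    """Same network view, plus the package inventory a logged-in user can read.

    This is the position of an attacker who has phished a password: software
    that never announces itself on a port (sudo, libxml2) now shows up, and
    the scan doubles as a check that patches really were installed.
    """
    findings = list(unauthenticated_scan(host))
    already = {f[2].split()[0] for f in findings if f[0] == "outdated-service"}
    for pkg, version in sorted(host.packages.items()):
        if pkg not in already and is_outdated(pkg, version):
            findings.append(("outdated-package", None, f"{pkg} {version}"))
    return findings


# Constructed sample host: nginx is current, the OpenSSH banner is behind the
# threshold, and sudo/libxml2 are only discoverable from the inside.
SAMPLE_HOST = Host(
    name="web-01.example.internal",
    banners={22: "SSH-2.0-OpenSSH_9.2p1", 443: "nginx/1.25.3"},
    packages={"OpenSSH": "9.2p1", "nginx": "1.25.3",
              "sudo": "1.9.13p3", "libxml2": "2.10.4"},
)

if __name__ == "__main__":
    for label, scan in (("Unauthenticated", unauthenticated_scan),
                        ("Credentialed", credentialed_scan)):
        print(f"{label} scan of {SAMPLE_HOST.name}:")
        for kind, port, detail in scan(SAMPLE_HOST):
            where = f"tcp/{port}" if port else "local"
            print(f"  {kind:<17} {where:<8} {detail}")
```

Run it and the unauthenticated pass reports two open ports and one outdated service; the credentialed pass adds two outdated packages that no banner revealed. That gap is the reason scanners are run both ways, and why the credentialed result is the better starting list for a penetration tester.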

As mentioned above, because they are relatively straightforward to run, vulnerability scans are often the basis of a compliance requirement. A typical example is the quarterly PCI DSS scan required of businesses that handle payment card data.

What is penetration testing?

Penetration tests actively find, chain together, and try to exploit vulnerabilities. It is a largely manual process in which an expert tries to get into your systems and data the way a real attacker would. This hands-on approach gives a much more complete picture of your security, including what a successful attack would actually achieve.

Because of the hands-on nature of a penetration test, you’ll often do a vulnerability scan or another form of automated testing first to prioritise where to start.

Like a vulnerability scan, a penetration test may be done with different levels of information, such as with or without credentials. How much the tester knows at the start is usually described with these three terms (not to be confused with ‘white hat’ and ‘black hat’, which describe a hacker’s ethics rather than a test’s scope):

  • White box – The testers know everything about your service (architecture, source code, credentials) and use that information to their advantage.
  • Grey box – The testers have partial knowledge, e.g. a low-privilege account or a list of hosts and open ports, but not what lies behind them.
  • Black box – The testers are given nothing beyond the agreed scope and have to discover a way in the same way an outside attacker would.

A penetration test may also include spear-phishing your staff to see whether they fall for standard phishing techniques, or focus on specific infrastructure, such as dedicated AWS penetration testing. You should be able to customise the test to cover the most critical parts of your product, such as where personal data is stored or the servers that keep you running.

In summary: 

You should use a (mostly) automated vulnerability scan or similar technique to find and prioritise potential weaknesses and vulnerabilities. Then use a penetration test to apply out-of-the-box thinking to further identify, chain together, and exploit vulnerabilities in your infrastructure.

The house analogy

If you still aren’t sure, cyber security courses often explain the difference between penetration tests and vulnerability scans with the analogy of a burglar breaking into a house.

In this story, the ‘burglar’ is the potential hacker. And the ‘house’ is your digital ecosystem or software.

To begin their heist, any smart burglar will do a drive-by and note down all of the potential weaknesses in your house. This might include where the doors and windows are, whether there’s a back gate, or even whether there’s an angry dog in the front garden.

The drive-by is the equivalent of a vulnerability scan.

A few nights later, after looking at their notes, the burglar returns. This time they try to open the windows and doors by hand or with a lock pick. They might also find new ways in, or discover that one opening leads on to another.

The manual searching, breaking and entering is the equivalent of a penetration test.

With that picture in mind, you should now know when to do a penetration test and when to do a vulnerability scan:

  • Do a vulnerability scan to automatically highlight known weaknesses in your system and quickly prioritise them
  • Then do a penetration test to further identify, chain together, and manually exploit the most critical vulnerabilities, creating a more complete picture
  • Finally, re-scan and re-test at regular intervals or after significant updates to keep your system secure

If you would like to work with a cyber security company that teaches you about these complex topics and helps you understand your security, contact the CyberCrowd team today.