The difference between vulnerability scanners and penetration testing

Mar 25, 2021 | Assessments, Blog, vulnerability

Besides regulatory compliance, two cybersecurity services Duffy Compliance has been known for are penetration testing and vulnerability assessments. At first glance, pen testing and vulnerability assessments may appear to mean the same thing. Often this question comes up: “What is the difference between a penetration test and running a commercial vulnerability scanner?”

What do you get with commercial scanners? At their core, they are applications that scan the network for vulnerabilities. They look for devices that respond to queries and determine which applications and services are available. Then they associate any known vulnerabilities with those applications and services.
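The three steps just described, as an added illustration (not a tool Duffy Compliance uses): a toy scanner that takes a service inventory, parses each banner, and matches product and version against a knowledge base of known weaknesses. Every host, banner and advisory ID in it is constructed, and note that it flags a version as affected purely from the banner, which is why a scan lists everything potentially vulnerable rather than what is actually exploitable.

```python
"""Toy model of what a network vulnerability scanner does at its core.
Added example; all hosts, banners and advisory IDs are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    banner: str          # what the service said when queried


@dataclass(frozen=True)
class Advisory:
    advisory_id: str     # constructed placeholder, not a real identifier
    product: str
    fixed_in: tuple      # first version that is no longer affected
    severity: str


# Constructed stand-in for the scanner's vulnerability feed.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "ExampleSSH", (8, 4), "high"),
    Advisory("EXAMPLE-0002", "ExampleHTTPd", (2, 4, 50), "medium"),
    Advisory("EXAMPLE-0003", "ExampleHTTPd", (2, 4, 52), "low"),
]

# Constructed inventory, as if produced by the discovery step.
SERVICES = [
    Service("10.0.0.5", 22, "ExampleSSH/8.2p1"),
    Service("10.0.0.5", 80, "ExampleHTTPd/2.4.49"),
    Service("10.0.0.9", 22, "ExampleSSH/8.4"),
    Service("10.0.0.9", 8080, "unknown service"),
]


def parse_banner(banner):
    """Extract product name and dotted version from e.g. 'ExampleHTTPd/2.4.49'."""
    m = re.match(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner)
    if not m:
        return None, None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def scan(services):
    """Report every known weakness for every version behind its fix, exploitable or not."""
    findings = []
    for svc in services:
        product, version = parse_banner(svc.banner)
        if product is None:
            continue              # unrecognised banner: nothing to correlate against
        for adv in ADVISORIES:
            if adv.product == product and version < adv.fixed_in:
                findings.append((svc.host, svc.port, adv.advisory_id, adv.severity))
    return findings
```

Running `scan(SERVICES)` yields three findings, all on 10.0.0.5; the patched host and the unrecognised service on 10.0.0.9 produce none.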

They provide a good starting point for understanding what it takes to make a system more robust against attacks, and scanning meets one of the FAR requirements for basic security hygiene.

However, there are still limits to what a scanner can do on its own. It will not catch every weakness in a technical solution, such as an unreliable backup program or a weak monitoring service. It still serves a purpose, though, because it covers the remote hacker’s point of view pretty well.

Penetration testing is a different assessment altogether. In this type of assessment, the assessor is attempting to penetrate the system. The goal is not to find all the vulnerabilities, but to find any way into the system (often only one is needed). The objective is to see how skilled the pen tester is at getting into the system and what could have been compromised if he or she had been an actual attacker.

Therefore, pen testers need to be savvy with more than a scanner and a list of vulnerabilities. They need a solid handle on the details of the systems they are attempting to exploit. They must have a solid understanding of CLI commands, PowerShell, and system privileges. They also need ample experience with the different operating systems, service weaknesses, and how to select and exploit unpatched applications.

The pen test service tests the expertise of the tester, while a vulnerability scan examines the network for all potential vulnerabilities, whether they are exploitable or not.

In addition, remember that if you are doing this for compliance purposes, the reporting will also be different. Vulnerability scans will attempt to show all vulnerabilities discovered. Pen tests report on attempts to penetrate the system and their success rates; a pen test report may not show everything that was captured or discovered. The tester will also likely only show how to fix the vulnerabilities that were exploitable – not all of them, as in a vulnerability scan report.

Some companies run a penetration test and then fix the weaknesses that were found. At Duffy Compliance, we work with our clients to get them as secure as possible first, and then run our penetration tests… basically, we lock it up and then check how their system responds to attacks.

As I mentioned above, vulnerability assessments are the first part of good, basic hygiene as well as common sense to have on your system, whether compliance is a concern or not. If we can help your organization with vulnerability assessments, penetration tests, or both, please be in touch.