Vulnerability scans vs Penetration tests

Written by Joseph Poppy on 16/11/2018

The vulnerability scan and penetration test dilemma

You’ll often find that ‘vulnerability scan’ and ‘penetration test’ are wrongly used interchangeably, creating confusion about which is the right security choice for businesses.

Broadly speaking, a vulnerability scan could be thought of as a surface-level security assessment, whereas a penetration test delves that much deeper. In fact, penetration testers often make use of a vulnerability scan as part of their process. This means that organisations who choose not to get a penetration test (pen test) on the basis that they have recently conducted a vulnerability scan could be putting themselves at risk.

Whilst both vulnerability scans & penetration tests are used to assess a network or application’s level of security, they are substantially different processes with different benefits to consider.

What is a vulnerability assessment?

All operating systems, software packages and the like will have flaws in their design. Over time, these flaws become known. Bug bounty hunters, security firms and developers often find them when conducting research or white-hat hacking. Other times, they are found and exploited by malicious hackers. Either way, once known, these bugs and exploits are usually listed and shared publicly and assigned a Common Vulnerabilities and Exposures (CVE) number. Companies will actively try to patch these flaws in their current product line-up in order to make systems more secure. However, people and organisations must actively install these patches themselves for the vulnerability to be mitigated.

A vulnerability scan makes use of an automated tool to scan your systems and networks for publicly known vulnerabilities. This will provide you with a list of detected security flaws, allowing you to take remediation steps and install the latest versions and patches. The process will tend to follow this simple path:

[Figure: the vulnerability scan process]

Realistically, for the assessment to be of any value, it should be applied to any device with an IP address. Things to be tested should include desktops, laptops (for office and remote workers), printers, routers, switches, hubs, servers, wired and wireless networks and firewalls. If this seems excessive, remember that it only takes one compromised device for a hacker to get into your network and start stealing data or installing malware. Following this, once all recommended patches have been installed and applied, your systems should be up to date and more secure.

New vulnerabilities are always coming to light. Because of this, a vulnerability scan should be conducted at regular intervals. How often this should be would really depend on the size of the company. For some, it’s recommended that a vulnerability scan is conducted on a monthly basis. As a minimum, a vulnerability scan should be run on each new device before it’s deployed and connected to your business systems.


Limits of a vulnerability scan

Whilst there is no question that regular vulnerability assessments are beneficial to a company or organisation, these are non-invasive tests. As such, they do not provide an overall picture of your security posture, but rather show whether you are vulnerable to threats known (and publicly available) at the time of the test. They do not often take a great deal of time to run and are great if a business is pushed for resources.

First of all, you need to ensure that the vulnerability scanning software you choose to run is up to date with the latest information. An outdated vulnerability scanner will provide very little benefit. More importantly, certain methods used by hackers won’t show up as a ‘known vulnerability’ inherent in software code or as an obvious misconfiguration. Cross Site Scripting (XSS) vulnerabilities, for example, won’t always show up on a vulnerability scan, even if they are present. Scanning tools may determine that the area scanned has adequate protection, but hackers actively work to subvert protection.
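As an added illustration of the matching described in the vulnerability assessment section above, and of the "outdated scanner" caveat in this paragraph, here is a minimal model of the version-to-advisory comparison a scanner performs, with a check on the age of its advisory data. This is example code, not the article's or any vendor's scanner; every CVE id, product name, version and address in it is a constructed placeholder.

```python
# Added example, not from the original article: a minimal model of the matching a
# vulnerability scanner performs once it has fingerprinted software versions, plus
# a staleness check on the advisory data it relies on. Every CVE id, product name,
# version and address here is a CONSTRUCTED placeholder, not a real advisory.
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Advisory:
    cve: str        # placeholder id, not a real CVE
    product: str
    fixed_in: str   # first version that carries the patch
    severity: str

def parse_version(v: str) -> tuple:
    """'2.4.29' -> (2, 4, 29): compare versions numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

# Constructed advisory feed, tagged with the date it was last refreshed.
FEED_DATE = date(2018, 11, 1)
FEED = [
    Advisory("CVE-0000-0001", "webserver", "2.4.30", "high"),
    Advisory("CVE-0000-0002", "sshd", "7.9", "medium"),
    Advisory("CVE-0000-0003", "printer-fw", "1.2.0", "high"),
]

def feed_is_stale(today_iso: str, max_age_days: int = 30) -> bool:
    """An outdated scanner gives little benefit: check the feed age before trusting results."""
    return date.fromisoformat(today_iso) - FEED_DATE > timedelta(days=max_age_days)

def scan_host(host: str, inventory: dict) -> list:
    """One finding per advisory whose product is installed at a version older than the fix."""
    return [
        {"host": host, "product": adv.product, "installed": inventory[adv.product],
         "cve": adv.cve, "fix": adv.fixed_in, "severity": adv.severity}
        for adv in FEED
        if adv.product in inventory
        and parse_version(inventory[adv.product]) < parse_version(adv.fixed_in)
    ]

def scan_estate(estate: dict) -> list:
    """Scan everything with an IP address: servers, printers and desktops alike."""
    return [f for host, inv in estate.items() for f in scan_host(host, inv)]

# Constructed inventory, as an agent or banner grab would report it.
ESTATE = {
    "10.0.0.5": {"webserver": "2.4.29", "sshd": "7.9"},
    "10.0.0.9": {"printer-fw": "1.1.3"},
    "10.0.0.12": {"webserver": "2.4.30", "sshd": "7.4"},
}
```

Note that a host running a patched version produces no finding, and that the scan says nothing about flaws absent from the feed, which is exactly the gap the paragraph above describes.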

They’ll also provide you with little insight as to what harm a hacker could do from an authenticated perspective. That is, a hacker who has managed to compromise user credentials or is using a service for which they have a valid account. Whilst certain scans can be run as an authenticated user (and subsequently find more faults), they won’t be able to test for, say, privilege escalation attacks (which can take a number of creative routes) or attempt password spraying.


Also, a vulnerability scan lacks the ability to spot logic issues. A hacker might be able to intercept traffic and change data in transit for example. A vulnerability scanner might not deem information disclosure as an issue. Furthermore, this type of assessment may not see images stored on the network without protection or encryption as being anything to be concerned about. However, if these images happen to be of peoples’ ID or credit cards, then that is a serious problem.

Perhaps one of the most obvious limitations of a vulnerability scan is that it can’t test for the biggest weakness in any network: the people using the machines. Penetration tests can include an element of social engineering or be upgraded to a red team test to provide a company with a clear review of every aspect of their security.

So, whilst a vulnerability scan is efficient and allows you to keep on top of your patching, there are a number of issues that can only be picked up on by a hacker or penetration tester deliberately trying to circumvent security.

By testing for known vulnerabilities, you can quickly outline which systems and applications are susceptible to exploitation.

Penetration testing explained

Put simply, a penetration test is where a security professional takes on the role of a hacker and attempts to exploit your systems in the same way a malicious party would. They will then provide a report based on their findings detailing how they managed to compromise your network and systems (should they manage to do so) and how you can go about preventing others from doing the same.

During the course of a penetration test, the tester will make use of automated tools, manual processes and their expert knowledge to probe and invade your network. This may even start with a simple vulnerability scan. All of this will help them delve deeper into your organisation’s set up and discover potentially unknown and exploitable weaknesses in your configuration. It is often the case that 0-day vulnerabilities are found as a result of a penetration test. These are inherent vulnerabilities that, up until that point, were unknown.


These tests can be conducted on external or internal infrastructures as well as directly on mobile and web-based applications. Once the scope has been set, pen testers look out for the transmission of unencrypted passwords, attempt brute-force attacks or even make use of social engineering. They will try every technique available to them, in order to provide a detailed analysis of your security posture.

Whilst vulnerability scans can be conducted by in-house IT technicians with the right tools and knowledge, it’s always best that a penetration test is carried out by an external team of cyber-security experts. External penetration testers are going to be dedicated professionals that are able to lend their skills and expertise to provide a thorough and objective security review. Penetration testing (sometimes referred to as white-hat hacking) requires a great deal of skill and specialised knowledge.

Where a vulnerability assessment report is likely to consist of just the vulnerabilities found, a penetration test will concisely explain what data or systems were compromised, how it was done, and how to best proceed with remediating them.

Like vulnerability scans, penetration tests are limited to providing a security snapshot of the point in time which they are conducted. Because of this, it is recommended that businesses book regular penetration tests.


How vulnerable are you to social engineering?

We have mentioned social engineering a few times, but what does this mean? Social engineering is where a hacker (or a penetration tester in our case) will attempt to leverage the human aspect of a business in order to compromise a system. In some cases, this can involve face-to-face contact in a bid to gain access to a building, datacentre or machine.

The most common method of social engineering is phishing. This method is almost as old as email itself. It involves sending an email or communication to a user in the hope that they will respond (giving useful information), click a malicious link or open an attachment infected with malware.

A well-crafted phishing campaign is usually aimed at obtaining credentials. A common example is a user receiving an email stating that their password is due to expire and they must click a link to reset it. The link will then direct them to a page that looks similar to their email provider, only it’s been designed by the hacker. By entering their credentials to try and change them, the user unwittingly provides a malicious agent with the means to compromise their network.


Other methods of social engineering could involve phone calls from people claiming to be someone they are not (such as IT support), targeting a user within a certain department with the aim of getting remote control over a computer or tricking users into installing malware.


Compliance and cyber security

One driving force causing companies to book regular vulnerability scans and penetration tests is compliance. With companies showing they are taking cyber security seriously via initiatives such as Cyber Essentials, vulnerability scans are being incorporated into their general IT strategy. Also, the Payment Card Industry Data Security Standard (PCI DSS) requires businesses to undergo quarterly vulnerability scans (or whenever significant changes are made to the environment), and annual penetration tests in order to remain compliant. And of course, there’s everyone’s favourite: GDPR. GDPR requires businesses to maintain best practices where security is concerned in order to protect the personal data of EU citizens. The best way to ensure standards are being kept to is via a penetration test.

If a penetration tester can get into your systems, a hacker can too.

General Data Protection Regulation (GDPR) is EU legislation that defines what can and can’t be done with the personal data of EU citizens.

Vulnerability assessment vs penetration testing

The two services, whilst very different, are equally important where cyber security is concerned. Vulnerability scans can be run quickly against new builds or networks on a regular (monthly) basis to allow you to patch any vulnerabilities that come to light. Leaving a single vulnerability unchecked on a single device could theoretically compromise your entire infrastructure. An annual penetration test, on the other hand, can offer you a detailed report of your entire security posture, including your susceptibility to social engineering.

Comparing vulnerability assessments and penetration tests

Frequency
  Vulnerability assessment: Recommended once a month.
  Penetration test: Recommended every six months.

Reports
  Vulnerability assessment: Often a lengthy report listing the CVEs of the vulnerabilities found across all devices and systems.
  Penetration test: Concise but detailed report of methods used, flaws found and exploited, and remediation steps to be taken.

Scope
  Vulnerability assessment: Anything with an IP address. Anything that connects to the business network should be in scope.
  Penetration test: To be agreed upon with your pen test provider. Can focus on internal and external infrastructure, user accounts, default admin accounts (servers), staff (social engineering), switches etc.

Performed by / tools involved
  Vulnerability assessment: Internal IT departments or outsourced companies, using automated vulnerability scan tools.
  Penetration test: Specialised cyber security companies offering pen tests from experienced testers, making use of automated tools, expert knowledge and a variety of manual processes.

Value
  Vulnerability assessment: Identifies known vulnerabilities and detects equipment that can be compromised.
  Penetration test: Identifies and reports any weaknesses found across the business, helping to reduce the likelihood of these being exploited by real-world hackers.

Just because you have had a vulnerability scan, it doesn’t mean you don’t need a penetration test. Likewise, if you’ve recently had a penetration test, it doesn’t mean you won’t benefit from a vulnerability assessment in the near future.


Know your vulnerability scans from your penetration tests

So, now we know: both penetration tests and vulnerability scans are vital in maintaining cyber security. Both can pinpoint vulnerabilities in your network and help you patch these up. Vulnerability scans offer a surface-level approach that can flag known weaknesses and can be conducted more often, whereas a penetration test can scrutinise and assess all aspects of your network and is able to find a lot more than a vulnerability scan might. Penetration tests take a more creative approach and involve testers actively trying to circumvent security.

To keep your business as secure as it can be, be sure to regularly run up-to-date vulnerability scans across your network, particularly if you have just made a significant change or added another element. Be sure to book annual penetration tests, preferably from a trustworthy third party who’s likely to take an objective view.

