Vulnerability Scanning vs. Penetration Testing
Penetration tests and vulnerability scans are confused for each other.
Vulnerability assessments and scans search systems and profiles for what you would expect: vulnerabilities. Where-as penetration testing tests for threats actively attempting to weaken an environment. A critical difference between the two is that vulnerability scanning can be automated, where a penetration test requires various levels of expertise.
All networks, regardless of scale, are potentially at risk to threats. Thoroughly monitoring and testing a network for security problems allows you to eliminate threats and lower overall risk. Believing your network is safe based on assumptions rather than data-driven testing will always provide a false sense of security and could lead to disastrous results.
What is Vulnerability Scanning?
Vulnerability scanning is a term for software designed to assess other software, network operations, or applications. This software will scan for potential weaknesses in code or structure. In the same fashion that a manufacturing engineer monitors his/her product for structural integrity, vulnerability testing does the same, searching for weak points or poor construction. The scans identify areas where a system may be open to attack.
There are two types of scans:
authenticated : scans allow for direct network access using remote protocols such as secure shell (SSH) or remote desktop protocol (RDP).
unauthenticated : scan can examine only publicly visible information and are unable to provide detailed information about assets.
This type of scan is typically used by security analysts attempting to determine the security posture of a network.
Modern scanning software is often available as Software-as-a-Service (SaaS) by specific providers that build web-based interface applications. These applications have the capabilities to scan installed software, open ports, validate certificates, and much more.
Scanners rely on published and regularly updated lists of known vulnerabilities, which are available for widely used software. Vulnerabilities don’t make it onto the list until there is a notable fix (which can pose difficulties for zero-day style attacks). When the software detects an anomaly, a patch is delivered. The software is designed to detect issues by querying the software for version information and observing the responses the software provides to specific requests.
Vulnerabilities are classified by priority. Critical vulnerabilities indicate a high likelihood that an attacker could exploit weaknesses and enact damage. Lower-priority threats may help intruders to gather information but don’t directly allow breaches.
The Center for Internet Security (CIS) considers continuous vulnerability scanning as a critical requirement for effective cyber defense.
What is Penetration Testing?
In contrast to vulnerability scanning, penetration testing (also known as a “pen test”), is an authorized attack, simulated on a computer system, designed to evaluate the security of the system. Tests are run to identify weaknesses (vulnerabilities), such as abilities to gain access to a system’s features or data. It also compiles a risk assessment of the entire system.
A penetration test can aid in determining whether a system is vulnerable to an attack, if the current defense systems are sufficient, and if not, which defenses were defeated.
Penetration tests can target either known vulnerabilities in applications or common patterns that occur across many applications. It can find not only software defects but weaknesses in an application and network configuration.
There are typically five stages of penetration testing:
Reconnaissance – Gathering information on the system to be targeted.
Scanning – Penetration testing tools used to further the attacker’s knowledge of the system.
Gaining Access – Using previously collected data, the attacker can target an exploit in the system.
Maintaining Access – Taking steps to remain within the target environment to collect as much data as possible.
Covering Tracks – The attacker must wipe all trace of the attack from the system including any type of data collected, or events logged, to remain anonymous.
“Fuzzed” packets are a popular technique. These are legitimate requests to applications with one or a few characters randomly changed. They exercise the system’s ability to handle erroneous input cleanly.
As with vulnerability scans, the tests can either be authenticated or unauthenticated. An authenticated test runs as a registered and logged-in user on the internal network, whereas unauthenticated would be from an external source with no network privileges.
In some cases, testing goes beyond sending and receiving data and examines an organization’s business processes. If it’s in their assigned scope, testers may send phishing messages to test users’ ability to catch fraudulent requests. They may even try to sneak into the facilities to test physical security.
Security experts classify pen tests as “white box” or “black box.”
A white box test makes use of as much information as possible about the target system. This includes the software it runs, the network architecture, and sometimes even source code.
A black box test uses only publicly available information.
A white box test should, in principle, find more problems, since it has more information to go on. However, it’s easy for a penetration tester to become dependent on what they know about the system and not use their imagination as much. Black box testers start from the same position as an outside intruder and have to find weaknesses without help. They may devise approaches that white box testers don’t think of. Both methods have their pros and cons.
Pen tests are not a singular security solution, but a component of a full security audit. For example, to remain PCI-Compliant, the Payment Card Industry Data Security Standard requires regularly scheduled security penetration testing, and especially after system changes.
Understanding Security Testing Reports
The deliverable for both types of testing is a detailed report on any problems found. Vulnerability reports are long but straightforward. For each issue, the report lists a source, a severity rating, a description, and a remedial action. The typical remedy is to install a patch. If the software has weaknesses and its publisher no longer maintains it, replacing it with something more secure can be necessary. The InfoSec staff need to perform detailed triage on the list, eliminating or deferring action where the vulnerability poses little or no risk.
The report from a penetration test will list fewer items, but they aren’t as straightforward to explain and remedy. It will describe the attack technique, which is often ambiguous. It will explain the potential effects. The remedy could be a simple one, such as restricting access. In other cases, coming up with a fix may require serious analysis. A strong report will put the results into context and provide detailed recommendations for remediation.
Difference between penetration testing and vulnerability scanning process
Running a penetration test is considered to be more challenging or at least involved than a vulnerability scan.
A penetration test attempts to break into a security system. If the system has adequate defenses, this will trigger alarms. Though administrators need to know the difference between a test and a real threat, they can’t let their guard down against credible attacks that could be happening at the same time.
Ideally, a penetration test should be run once a year, whereas vulnerability testing should be run continuously.
A penetration test requires more creativity than a vulnerability scan since it is looking for ways to exploit the ordinary course of business. For example, a CEO could transmit his or her password to their webmail, using the same password as an internal LDAP. To come up with fresh strategies in testing, you’ll want to work with people who are creative but also technically capable of executing the attack.
Vulnerability scanning is an essential process of maintaining information and network security. Every newly added piece of equipment or software that is deployed should have a vulnerability scan run against it and within a month after that. It’s essential to establish a baseline of essential equipment that’s updated and maintained regularly. Any open ports or changes found after a scan should be investigated and considered severe.
Vulnerability Scanning & Penetration Tests Are Essential
To ensure a detailed and well-protected level of security for a network, there must be detailed steps taken to conduct both vulnerability scans and penetration tests. Probing for vulnerabilities finds unpatched and poorly maintained software. It prompts IT staff to upgrade software that has encountered issues or potential weaknesses. If that’s not possible, the team needs to find a workaround or replace the software.
Scanning won’t find all the problems. The surest way to decide whether a system is secure is to try to break it. That will find not just software defects but insecure connections, configuration weaknesses, and exposed data.
Together, vulnerability scanning and penetration testing are powerful network security tools used to monitor and improve information security programs.