A common misconception is that an automated vulnerability scan is equivalent to a penetration test. While both are useful tools and essential parts of an organization’s risk management program, they are not interchangeable, and there are clear distinctions between the two.

Vulnerability scans work by rapidly interrogating network ports and services in order to determine types and versions of those services and any obvious configuration issues. This is accomplished by comparing information or responses to databases of known vulnerabilities. Vulnerability scanners are very efficient in this regard and can list discovered vulnerabilities in a report that prioritizes the findings by relative severity. In most cases, severity is determined by reference to government or industry databases such as the National Vulnerability Database or the Common Vulnerabilities and Exposures database.

However, a vulnerability scan is limited in that it does not attempt to exploit vulnerabilities to determine whether network access can be gained. In addition, vulnerability scanning does not always readily identify or exploit poor security practices, and it cannot recognize “false positives”: reported findings that are not exploitable in practice.
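To make the scanning mechanism concrete, here is a small added example (not code from the original article) that does what the two paragraphs above describe: it reads service banners, matches the advertised version against a known-vulnerability table, and ranks the findings by severity. The banners, the vulnerability table and the `VULN-EXAMPLE-*` identifiers are constructed placeholders, not real CVEs; every finding it emits is unconfirmed, which is exactly the gap a penetration test closes.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Finding(NamedTuple):
    host: str
    port: int
    service: str
    version: str
    vuln_id: str
    severity: float   # CVSS-style score used only for prioritization

# Constructed stand-in for a known-vulnerability database:
# (service, first affected version, first fixed version, severity, placeholder id).
# A real scanner consults NVD/CVE; these ids are illustrative, not real CVEs.
KNOWN_VULNS = [
    ("OpenSSH", "7.0", "7.4", 7.5, "VULN-EXAMPLE-1"),
    ("Apache", "2.4.0", "2.4.50", 9.8, "VULN-EXAMPLE-2"),
    ("vsftpd", "2.3.4", "2.3.5", 10.0, "VULN-EXAMPLE-3"),
]

# Constructed banners, as a scanner would read them from open ports.
SAMPLE_BANNERS = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"),
    ("10.0.0.5", 80, "Server: Apache/2.4.41 (Ubuntu)"),
    ("10.0.0.7", 21, "220 (vsFTPd 3.0.3)"),
    ("10.0.0.7", 22, "SSH-2.0-OpenSSH_8.9p1"),
]

BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
    "Apache": re.compile(r"Apache/(\d+(?:\.\d+)*)"),
    "vsftpd": re.compile(r"vsFTPd (\d+(?:\.\d+)*)", re.IGNORECASE),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.41' -> (2, 4, 41) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))

def identify(banner: str) -> Optional[Tuple[str, str]]:
    """Map a raw banner to (service, version), or None if unrecognized."""
    for service, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return service, match.group(1)
    return None

def scan(banners) -> List[Finding]:
    """Version-range matching only: a hit means 'possibly vulnerable'. A distro
    build that backports the fix keeps the old version string (note the
    'Ubuntu-4ubuntu2.8' suffix above), which is one classic source of false
    positives that only exploitation or patch-level review can rule out."""
    findings = []
    for host, port, banner in banners:
        ident = identify(banner)
        if ident is None:
            continue
        service, version = ident
        current = parse_version(version)
        for svc, first_bad, first_fixed, severity, vuln_id in KNOWN_VULNS:
            if svc == service and parse_version(first_bad) <= current < parse_version(first_fixed):
                findings.append(Finding(host, port, service, version, vuln_id, severity))
    # Report prioritized by relative severity, highest first, as scanners do.
    return sorted(findings, key=lambda f: f.severity, reverse=True)
```

Running `scan(SAMPLE_BANNERS)` yields two ranked, unconfirmed findings (the Apache and OpenSSH hosts); the vsftpd and OpenSSH 8.9 banners fall outside every affected range and produce none.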

On the other hand, penetration testing simulates what an attacker is able to do by exploiting flaws and configuration problems, as well as weak security practices or controls. Penetration testing is by nature more accurate than vulnerability scanning since it actually confirms that a suspected weakness is exploitable. For example, a penetration tester may look for poor security practices like the use of shared passwords, weak passwords, or the reuse of passwords that would not be found by an automated scan and then try to exploit any identified weaknesses.

One key discriminator between the two testing methods described above is exploitation. The following analogy might help further explain how they differ. Suppose an organization decides to evaluate physical security within a specific area of its facilities. A security expert is brought in and presented with a building that has three doors. The expert knows nothing about the building other than what can be seen. As part of the assessment, she inspects the three doors and based on the locks in place, determines that two of the three are vulnerable to simple lock picking techniques. A third door has an electronic access control system and a video surveillance camera. Based on the initial inspection, it appears that two of the three doors have significant vulnerabilities. Up to this point, the security expert has only conducted the equivalent of a vulnerability scan.

The security expert still doesn’t know what is on the other side of the doors, if the video surveillance is monitored, or if any of the doors are equipped with a monitored alarm. To learn this, she must perform the equivalent of a penetration test.

As part of the next phase of testing, the security expert picks one of the key-locked doors and discovers it is a storage unit with no further access to the building. What was originally deemed a high-severity vulnerability was found in this case to have a limited impact on security. The other key-locked door is also opened, and it leads into a foyer with no immediate access to the rest of the building. However, during the test, the client representative receives notification that a silent alarm was triggered. So while this vulnerability did not provide immediate access to the building, it did allow the security expert to test the effectiveness of the alarm monitoring system.

Finally, the security expert targets the electronic access door. While this door has no known vulnerabilities, she looks for procedural weaknesses to bypass the entry controls. She observes an employee entering and determines that the door takes a few seconds to close completely. She exploits this by loitering near the door and discreetly piggybacking behind the next employee to enter the building. Once inside, she discovers that she has immediate access to the nearby data center because the inside entry door is propped open. Her entry was not detected, which seemed to indicate that the video surveillance was not actively monitored.

The “vulnerability scanning” (visual inspection of the three doors), though manual in this case, was a necessary step to help identify potential vulnerabilities. However, the “penetration testing” phase (getting past each door to see what was on the other side) showed the actual exploitability and real impact of each identified vulnerability, as well as an additional, previously unidentified vulnerability. The “penetration testing” also provided a means to determine the effectiveness of the security controls in place (door locks and cameras) in the case of an actual attack. It is important to note that once the tester found and exploited one weakness, other weaknesses were discovered. The same thing can and does happen during actual penetration tests.

Choosing the Right Approach

You may be wondering, “What is the best testing approach for my organization?” The answer, of course, depends on your organization’s risk appetite, regulatory pressures, and the type of information processed. Many industries are government-regulated and required to comply with specific security standards, while others are not. Regardless, it’s safe to say that all organizations can benefit from security testing, and vulnerability scanning is a good place to start.

Today’s threat landscape is very dynamic, with new threats and attack types discovered daily. For this reason, vulnerability scans should be performed often, such as quarterly, monthly, or even more frequently for dynamic networks. Adding penetration testing to your risk management program will provide greater assurance that you can identify and fix problems before they result in a data breach. Penetration testing requires a greater investment of time and resources, so it’s more common and recommended that this type of testing be performed annually.