Vulnerability Scan vs. Penetration Test
This article clears up the difference between a vulnerability scan and a penetration test. Learn how they have different uses but also complement each other.
Vulnerability scanning is inexpensive, covers a broad scope of systems and is mostly automated. Completing one-time scans is a great starting point for a company just starting to mature its security program. Organizations with the most mature security programs include vulnerability management in their daily operations.
Vulnerability scanning should be part of a recurring vulnerability management program. This approach typically leverages both internal and external scanning to cover all of an environment's devices and endpoints. The tool aggregates the list of vulnerabilities into a prioritized list. The list can then be used by IT security engineers to manage vulnerabilities and remediation.
Vulnerability scanning tools often include precise recommendations and references; however, a strategic and holistic view is also required to be effective. The list of vulnerabilities is grouped into categories such as Critical, High, Medium and Low. This allows the IT security team to prioritize its efforts based on risk. Typically, the more severe the rating, the easier the vulnerability is to exploit and the more severe the potential consequence.
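The aggregation step described above, as an added example that is not code from the original article or from any particular scanner: it merges findings from an internal and an external scan, de-duplicates findings seen by both, maps CVSS scores onto the Critical/High/Medium/Low buckets, and orders the result so that externally reachable findings rank first within each bucket. The scan records are constructed sample data in a simplified CSV shape, and the CVE identifiers are placeholders.

```python
"""Merge internal and external scan findings into one prioritized list.

Added example, not the article's code. INTERNAL_SCAN and EXTERNAL_SCAN are
constructed sample exports; real scanners produce richer formats. CVE ids are
placeholders, and 203.0.113.5 plays a DMZ host reachable from both scans.
"""
import csv
import io

# Article's severity buckets, highest priority first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample exports (host, port, cve, cvss base score, title).
INTERNAL_SCAN = """\
host,port,cve,cvss,title
10.0.1.10,445,CVE-XXXX-0001,9.8,SMB remote code execution (placeholder)
10.0.1.10,3389,CVE-XXXX-0002,7.5,RDP information disclosure (placeholder)
10.0.1.25,80,CVE-XXXX-0003,5.3,Outdated web server (placeholder)
203.0.113.5,443,CVE-XXXX-0004,7.2,TLS library out of date (placeholder)
10.0.1.25,22,,2.1,SSH weak MAC algorithms
"""
EXTERNAL_SCAN = """\
host,port,cve,cvss,title
203.0.113.5,443,CVE-XXXX-0004,7.2,TLS library out of date (placeholder)
203.0.113.5,443,,3.7,TLS 1.0 still enabled
"""


def cvss_to_severity(score):
    """Map a CVSS v3 base score onto the CVSS v3 qualitative rating scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_scan(text, source):
    """Turn one scanner export into finding dicts tagged with the scan source."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"],
            "port": int(row["port"]),
            "cve": row["cve"] or None,
            "cvss": float(row["cvss"]),
            "title": row["title"],
            "sources": {source},
        })
    return findings


def aggregate(*scans):
    """De-duplicate findings across scans and return them in priority order."""
    merged = {}
    for findings in scans:
        for f in findings:
            # Same host, port and CVE (or title, for non-CVE checks) is one finding.
            key = (f["host"], f["port"], f["cve"] or f["title"])
            if key in merged:
                merged[key]["sources"] |= f["sources"]
                merged[key]["cvss"] = max(merged[key]["cvss"], f["cvss"])
            else:
                merged[key] = dict(f, sources=set(f["sources"]))
    for f in merged.values():
        f["severity"] = cvss_to_severity(f["cvss"])
    # Design choice: severity bucket first, then exposure to the outside
    # (seen by the external scan), then raw score, then host for stability.
    return sorted(
        merged.values(),
        key=lambda f: (SEVERITY_ORDER[f["severity"]],
                       0 if "external" in f["sources"] else 1,
                       -f["cvss"], f["host"]),
    )


def summarize(prioritized):
    """Count findings per severity bucket, e.g. for a weekly status line."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in prioritized:
        counts[f["severity"]] += 1
    return counts


def run_example():
    prioritized = aggregate(parse_scan(INTERNAL_SCAN, "internal"),
                            parse_scan(EXTERNAL_SCAN, "external"))
    for f in prioritized:
        print(f"{f['severity']:<8} {f['cvss']:>4} {f['host']}:{f['port']} "
              f"{f['cve'] or f['title']} [{','.join(sorted(f['sources']))}]")
    print(summarize(prioritized))
    return prioritized


if __name__ == "__main__":
    run_example()
```

The exposure tie-break is where the "holistic view" the paragraph asks for enters: two High findings with the same score are not equal when one of them is reachable from the internet, and a scanner's raw list does not express that on its own.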
In contrast, a penetration test requires much more experience and more manual planning, coordination and execution. Pen testers can leverage the list of vulnerabilities found by a scanner as a starting point as well as find vulnerabilities which cannot be picked up by an automated tool. They leverage their intuition and experience to look for gaps and intangibles.
A pen testing engagement can also vary in scope. It can have a goal of safely proving the exploits of a particular system or it could involve a wide scale approach to gain access to any system the pen tester can find. After the scope is set and a plan is clearly communicated, the pen testers begin with the end in mind and focus their efforts.
Both vulnerability scanning and penetration testing are required under many compliance regulations. PCI and HIPAA are just two examples and are covered below.
The PCI Data Security Standard (DSS) mandates that internal and external vulnerability scans must be performed quarterly and penetration testing must be performed at least annually (PCI DSS requirements 11.2 and 11.3/11.4 respectively).
As of version 3.0, PCI DSS requires a more rigorous, specific and mature pen testing methodology. Below is a related excerpt from the standard:
"Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective"
Vulnerability scans must be used to maintain HIPAA compliance as part of a healthcare organization's risk management program. A HIPAA risk assessment must include a comprehensive technical assessment of the internal and external networks whether wired, wireless, or cloud-hosted.
Determining the likelihood that a threat will exploit a vulnerability is the basis of a HIPAA risk assessment. The list of technical vulnerabilities provides a basis for the analysis.
The use of penetration testing is encouraged under the HIPAA Security Rule during the Administrative Safeguards' Evaluation phase. According to section 4.8 of NIST Special Publication 800-66 Revision 1, healthcare organizations must "Conduct penetration testing...if reasonable and appropriate." Leveraging penetration testing makes a lot of sense to evaluate how well your ePHI (Electronic Protected Health Information) is protected from hackers.
Your Best Approach
Equilibrium recommends running automated vulnerability scans weekly. There is often minimal manual effort required other than to keep tabs on the incremental results. Scanning should also be completed at the end of each patch cycle for verification.
Penetration testing should be completed quarterly, targeting the systems that host your most sensitive data. A more general, wide-scope pen test should be completed annually, including additional flavors such as wireless pen testing.
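The end-of-patch-cycle verification scan recommended above only pays off if someone actually compares it with the scan that preceded the patch cycle. The following added example (not code from the original article) does that comparison: it classifies every finding as remediated, persisting or newly introduced, and treats the cycle as verified only when nothing at or above a High score is still open. Findings are constructed sample tuples and the CVE identifiers are placeholders.

```python
"""Compare a pre-patch scan with the post-patch verification scan.

Added example, not the article's code. BEFORE and AFTER are constructed
sample findings as (host, port, identifier, cvss) tuples; CVE ids are
placeholders. The 7.0 threshold is the CVSS v3 boundary for High.
"""

# Constructed: findings from the scan run before the patch cycle.
BEFORE = [
    ("10.0.1.10", 445, "CVE-XXXX-0001", 9.8),
    ("10.0.1.10", 3389, "CVE-XXXX-0002", 7.5),
    ("10.0.1.25", 80, "CVE-XXXX-0003", 5.3),
    ("10.0.1.25", 22, "ssh-weak-mac-algorithms", 2.1),
]

# Constructed: findings from the verification scan after patching. The RDP
# finding is still present (patch not applied), and one new Medium appeared.
AFTER = [
    ("10.0.1.10", 3389, "CVE-XXXX-0002", 7.5),
    ("10.0.1.25", 22, "ssh-weak-mac-algorithms", 2.1),
    ("10.0.1.25", 80, "CVE-XXXX-0005", 4.3),
]


def index(findings):
    """Key each finding by (host, port, identifier) so scans can be set-compared."""
    return {(host, port, ident): cvss for host, port, ident, cvss in findings}


def compare(before, after):
    """Split the two scans into remediated, persisting and new findings."""
    b, a = index(before), index(after)
    return {
        "remediated": sorted(set(b) - set(a)),
        "persisting": sorted(set(b) & set(a)),
        "new": sorted(set(a) - set(b)),
    }


def remediation_rate(report):
    """Share of pre-patch findings that no longer appear (0.0 to 1.0)."""
    total = len(report["remediated"]) + len(report["persisting"])
    return len(report["remediated"]) / total if total else 1.0


def verification_passed(report, after, threshold=7.0):
    """The cycle is verified only if no High/Critical finding is still open.

    Returns (passed, list of open serious findings) so a caller can both gate
    on the result and report what still needs attention.
    """
    scores = index(after)
    still_open = [key for key in report["persisting"] + report["new"]
                  if scores[key] >= threshold]
    return (len(still_open) == 0, still_open)


def run_example():
    report = compare(BEFORE, AFTER)
    for bucket, keys in report.items():
        print(f"{bucket}: {len(keys)}")
        for host, port, ident in keys:
            print(f"  {host}:{port} {ident}")
    passed, still_open = verification_passed(report, AFTER)
    print(f"remediation rate: {remediation_rate(report):.0%}")
    print("patch cycle verified" if passed else f"NOT verified, open: {still_open}")
    return report, passed


if __name__ == "__main__":
    run_example()
```

The "new" bucket matters as much as "persisting": a verification scan can surface findings the patch cycle itself introduced, or findings that only became visible because the scanner's checks were updated, and either way they belong in the next cycle's list rather than being lost in a pass/fail summary.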
Would you like to learn more about Vulnerability Scanning and Penetration Testing? Let's Talk.
Author: Todd Bey
Equilibrium IT Solutions, Inc.