Vulnerability scanning and penetration testing are two of the most in-demand services that cybersecurity companies offer. Both play an important role in identifying potential risks and both are required to meet some standards including ISO 27001 and PCI.
However there is often confusion between the two. So what is the difference – and do you really need them both? In short, vulnerability scanning is an automated process that will check for common vulnerabilities, while penetration testing or ‘pentesting’ uses a skilled professional who will actively seek out and exploit any weaknesses, just as a hacker might do.
Let’s look at the key differences in more detail:
1. The human factor
Vulnerability scanning uses automated tools to scan networks and identify vulnerabilities that attackers can exploit. By contrast, pentesting requires an experienced cybersecurity professional. Although automated tools may be used in the course of the work, essentially it is a manual process. A skilled human operator can detect vulnerabilities that are often overlooked by an automated tool and he or she will also try to exploit any potential security flaws to show the company what might happen in a real cyber attack.
2. Scope of work
A vulnerability scan will identify all the systems connected to a network – such as laptops and mobile devices, servers, printers and firewalls – as well as the operating system and software on them. It will look for known vulnerabilities associated with these systems, as well as open ports and user accounts which may provide a ‘gateway’ to the system. It may even try to log in but that is as far as it goes.
A pen tester will actively try to exploit vulnerabilities. This demonstrates to the company how an attacker could infiltrate their system and reveals how well their defences would hold up.
3. Level of reporting
A vulnerability scan will provide a list of systems and devices, and any potential vulnerabilities discovered. But it will only reveal vulnerabilities that are well known, for example weaknesses associated with certain databases, and it can throw up false positives. It won’t reveal what would happen if anyone tried to hack into your system via this route or, indeed, if they already have.
A penetration test would attempt to answer these questions. It would also be able to find less well known or less obvious security flaws – including those that might have gone unnoticed had someone not deliberately set out to find them.
Perhaps more importantly, while an automated report can only ever present a generic view, a skilled pen tester will be able to validate and interpret the results, explain what it means for the business in real terms and advise on what to do about it.
4. Speed and cost
Because it uses automated tools, vulnerability scanning is easier to carry out and offers faster results. Penetration testing takes more time and, because it relies on skilled professionals, is naturally more costly.
So which is best? The answer is a combination of both. As vulnerability scans are less costly, they can be run more regularly and on a larger scale. They are a quick way to cover company-wide assets and identify the more obvious weaknesses. Penetration testing can be used to assess and build on these results. An experienced cybersecurity professional will be able to give you a clearer picture of your position and provide pragmatic advice on the best strategy to safeguard your business.
Read our white paper on The Importance of Penetration Testing and Vulnerability Scanning.