Companies are frequently approached with offers to run cybersecurity checks such as penetration tests (pen tests for short) and vulnerability scans to identify possible threats, but what are the differences between the two, and how can each benefit your business?
This article will take a high-level look at penetration testing vs vulnerability scanning to help you decide what you actually need.
What are these tests and scans anyway?
Before you can pick a cybersecurity test that benefits your company, you must first understand how they can protect you.
First, let’s tackle the vulnerability scan (or vuln scan for short). These scans help to identify flaws in your applications and operating systems. They are often automated and may be run from outside your company’s network (external) or within the network (internal).
In our previous post, we discussed how cyber attackers prowl the internet, virtually peeking into your network’s “windows”. Think of a vulnerability scan as your neighborhood watch, peering into your windows to ensure all is safe. A vuln scan will identify the versions of software in use and compare your systems against a database of known vulnerabilities. To be clear, it does not predict or test how a cyber attack will occur. Vuln scans only check for vulnerabilities already recorded in such a database, which is why running them on a recurring basis, as new entries are published, is the way to maintain office-wide security.
How do these vulnerabilities pop up in the first place? When software is created, it goes through constant testing, by researchers, bad actors, general users and others, to find weaknesses. These are usually disclosed to the developer, and a fix or update is created. You interact with these every day in your app store. If a system is updated (or patched) regularly, then the vulnerability should not be a real threat.
However, if a device is left unpatched, it is at risk from exploits, which are the tools and techniques created to take advantage of a vulnerability. When the WannaCry attack hit in 2017, Microsoft had released a patch that would have prevented it months earlier. Many computers were unpatched against WannaCry and, worse, used a version of Windows that was no longer supported (note: Microsoft later released a patch for XP and other retired operating systems because of their prevalence in the UK health system and other places).
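The version-matching step described above, as an added example that is not from the original article or from any real scanning product: a small Python script that compares an inventory of observed software versions against a database of known vulnerabilities. Every product name, identifier (the `VULN-DB-…` values stand in for real vulnerability ids) and version range is constructed for the example. It reports a severity and a remediation for each match, and it shows the caveat from the text: software the database does not know about produces no finding, whether or not it is actually flawed.

```python
"""Added example: how a version-based vulnerability scan matches an inventory
against a database of known vulnerabilities.  Illustrative code written for this
article, not a real scanner; every identifier, product name and version range
below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class KnownVulnerability:
    vuln_id: str              # placeholder identifier, not a real CVE number
    product: str
    introduced: Version       # first affected version (inclusive)
    fixed: Optional[Version]  # first patched version (exclusive); None = no fix published yet
    severity: str
    remediation: str


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: Version


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str
    remediation: str


# Constructed "known vulnerability" database; a real scanner loads this from public feeds.
VULN_DB: List[KnownVulnerability] = [
    KnownVulnerability("VULN-DB-0001", "examplehttpd", (2, 4, 0), (2, 4, 50), "high",
                       "Upgrade examplehttpd to 2.4.50 or later"),
    KnownVulnerability("VULN-DB-0002", "examplehttpd", (2, 2, 0), (2, 4, 60), "medium",
                       "Upgrade examplehttpd to 2.4.60 or later"),
    KnownVulnerability("VULN-DB-0003", "exampledb", (5, 0, 0), None, "critical",
                       "No vendor fix yet; restrict network access to the service"),
]

# Constructed inventory, as a scanner would build it from the version banners it observes.
INVENTORY: List[Asset] = [
    Asset("web-01", "examplehttpd", parse_version("2.4.49")),   # unpatched
    Asset("web-02", "examplehttpd", parse_version("2.4.55")),   # partially patched
    Asset("db-01", "exampledb", parse_version("5.7.1")),        # affected, no fix available
    Asset("mail-01", "examplemta", parse_version("1.0.3")),     # product absent from the database
]


def is_affected(version: Version, vuln: KnownVulnerability) -> bool:
    """A version is affected if it lies in [introduced, fixed); an unfixed entry has no upper bound."""
    if version < vuln.introduced:
        return False
    return vuln.fixed is None or version < vuln.fixed


def scan(assets: List[Asset], db: List[KnownVulnerability]) -> List[Finding]:
    """The core of a vulnerability scan: compare each observed version with every database entry.
    Anything the database does not know about (mail-01 here) produces no finding at all."""
    findings: List[Finding] = []
    for asset in assets:
        for vuln in db:
            if vuln.product == asset.product and is_affected(asset.version, vuln):
                findings.append(Finding(asset.host, vuln.vuln_id, vuln.severity, vuln.remediation))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Roll findings up by severity, the way a scan report summarises them."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(INVENTORY, VULN_DB)
    for f in results:
        print(f"{f.host:8} {f.vuln_id}  {f.severity:8} {f.remediation}")
    print("summary:", severity_counts(results))
```

Run it with `python3 scan_example.py` (any file name works). The point of the `mail-01` entry is the limitation the article describes: the scan is only as good as its database, so a recurring scan against an updated database is what keeps the inventory honest, and a flaw nobody has published yet will never show up here.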
Penetration tests are more comprehensive: not only can they test your infrastructure from inside or outside, like vulnerability scans, but they also test the human element and other non-computer systems.
Business processes and controls, poor security settings and training shortfalls can all be evaluated during penetration testing. Penetration tests can simulate any of the techniques bad actors (attackers) may attempt, legally and with permission, of course. Tests can be scoped at different levels to simulate either a completely unknown adversary or an insider threat, such as a disgruntled employee.
A single engagement won’t necessarily include all of the different types of penetration tests, as the testing performed is dependent on the agreed-upon scope. Here are some of the different penetration testing types:
- Physical Testing - Can include attempting to access sensitive parts of a building through the use of tools (lockpicks, cloned access cards, etc.) or simple Social Engineering to slip past a lobby.
- Phishing and Vishing - E-mail or phone calls to elicit information or gain access to computer systems. This can be part of Social Engineering.
- Network Testing AKA “getting past the firewall” - Attempting to access the computers directly using both known and even newly created exploits.
- Website Testing - Used to check if a website is vulnerable to Denial of Service (DoS) attacks or defacement.
- Wireless Tests - Check if your company’s wireless is secure from intruders, or test the ability to impersonate a legitimate access point on the network.
Which Cybersecurity Test Is Right for Me?
Both vulnerability scans and penetration tests have their purposes.
Vulnerability scans are excellent tools to verify that applications are all up to date and to help ensure you are aware of what risks are present. Vulnerability scan results can also provide information about your infrastructure, including the type of risk, its severity, and how to remedy it. Vulnerabilities are tracked and shared through public vulnerability databases, enabling security analysts to determine whether a public exploit may exist. Vulnerability scans may be required by many compliance verticals such as HIPAA, PCI-DSS and Sarbanes-Oxley, among others.
So, is a penetration test better than a vulnerability scan? It depends on what goals and objectives you intend to accomplish. Different compliance verticals may require a pen test, like PCI-DSS. Performing and “passing” such tests does not guarantee security, but can help provide peace of mind that you are on the right track and provide validated insight into the security risks of your organization.
Pen tests are more geared toward end users and business processes. If this is a concern for you, you should explore your testing options.
Now Is the Perfect Time to Defend Against a Cyber Attack
Vulnerability scans and penetration testing are a great way to understand how threats have reached you in the past, so you can fortify yourself for the future, but you don’t have to wait for a cyber attack before making sure you are protected. A good time to verify your cybersecurity and find weaknesses in your systems is when you’re changing or adding new systems.
Engaging with an independent, third-party company to perform the testing and review the results can make a lot of sense. Technology providers are constantly learning about what it takes to be secure and to find vulnerabilities. Access Systems has the technical staffing and knowledge to conduct either vulnerability scans or penetration tests. Your cybersecurity is our top priority.