Vulnerability Assessment And Penetration Testing: What’s The Difference?
Vulnerability scanning, vulnerability assessment, and penetration testing are all terms that are often used within the cyber security industry.
There can be significant variation between third-party providers in exactly what service is delivered, including the extent to which a security professional is involved in the assessment.
The following information can be used to guide what each term typically means and the type of service that can be expected when arranging a penetration test or a vulnerability assessment.
However, as the service provided by each cyber security vendor can vary, it is always recommended to use the details provided to ask questions about what is included when purchasing a scan, assessment, or penetration test.
What Are Scans, Assessments And Tests
Vulnerability Scanning
Vulnerability scanning uses automated tools to assess your assets for potential weaknesses and security vulnerabilities. This could be your web application, laptops, and servers as well as other digital assets.
The vulnerability scanning tools will generate a list of risks, which can be exported into a report.
Your business can choose to invest in its own licenses for vulnerability scanning tools or can use third-party vendors to run the vulnerability scans for you.
It is good practice to run vulnerability scans regularly: new vulnerabilities are disclosed continually, and frequent scanning helps your business stay ahead of emerging threats.
As it can be useful to conduct frequent vulnerability scanning, investing in your own licenses can often be a cost-effective approach.
If looking to start your own vulnerability scanning for a small number of devices, a walkthrough of implementing Tenable Nessus is provided here.
Vulnerability Assessment
A vulnerability assessment is usually conducted by a third party using the same automated scanning tools; the difference is that a vulnerability assessment also involves input from security professionals who review the scanner's output.
Depending upon the specific supplier and advertised service, the level of input can vary significantly but some features of a vulnerability assessment can include:
- Verification Of Identified Vulnerabilities To Remove Potential False Positives
- Vulnerability Categorization And Prioritization Of Security Issues
- Customized Reporting To Provide Context And Detailed Remediation
As a vulnerability assessment is conducted by a third party, it can save on some upfront costs for your own scanning license, but will likely be carried out less frequently than your scans could be.
Penetration Testing
A penetration test will often still use vulnerability scanning tools to cover the same basic checks as a vulnerability scan or assessment. However, penetration testing aims to go further than a scanner can on its own.
A penetration tester will look for additional vulnerabilities manually, and will also attempt to exploit the issues that have been identified.
This exploitation process helps to verify that exploitation is possible, provides further context for your business’s state of security, and highlights the access or information an attacker may be able to obtain if the vulnerability were exploited.
Depending upon the testing process and what has been arranged with the third party, penetration testing can also include a level of online information gathering to more accurately target exploitation against your assets. This is typically done through an Open Source Intelligence (OSINT) gathering process.
Penetration testing reports will often provide further details and supporting evidence to demonstrate the steps an attacker may take to exploit each vulnerability, and how different vulnerabilities can work together to grant an attacker further access to information, devices, or accounts.
Executive/Management summaries and Technical summaries are also commonly featured within penetration testing reports to provide a high-level overview of your business’s security posture.
What Types Of Vulnerabilities Are Identified
Vulnerability Scanning
Missing patches and outdated software or systems
Vulnerability scanners are very good at automatically identifying the version of each component in your estate: the operating systems in use, installed software packages, or the web technologies behind an application.
Each detected version is then compared against a database of known vulnerabilities to highlight issues that affect the specific version in use, with a recommendation to update to the latest available (or patched) version.
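The version-matching step described above, as an added illustration that is not code from this page or from any scanner vendor. It fingerprints a product and version from a `Server` header, then compares that version against a small advisory database using proper numeric version comparison (so that 2.4.9 is correctly treated as older than 2.4.10). The product names, version ranges and advisory IDs are constructed for the example and are not real advisories.

```python
"""Added example: version fingerprinting and lookup against a known-issue database."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str
    affected_from: str   # first vulnerable version (inclusive)
    fixed_in: str        # first version that is NOT vulnerable (exclusive)
    advisory_id: str
    severity: str


# Constructed stand-in for a scanner's plugin/advisory feed. Not real advisories.
KNOWN_ISSUES = [
    Advisory("ExampleHTTPD", "2.4.0", "2.4.50", "EX-2021-0001", "high"),
    Advisory("ExampleHTTPD", "2.4.0", "2.4.51", "EX-2021-0002", "critical"),
    Advisory("ExampleDB", "5.7.0", "5.7.36", "EX-2021-0003", "medium"),
]

# Matches e.g. "Server: ExampleHTTPD/2.4.49 (Ubuntu)"; a banner without a
# version (plain "Server: nginx") deliberately yields no fingerprint.
BANNER_RE = re.compile(r"^Server:\s*([A-Za-z]+)/([\w.\-]+)", re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.49-2ubuntu' -> (2, 4, 49). Numeric tuples compare correctly,
    unlike raw strings where '2.4.9' > '2.4.10'."""
    nums = re.findall(r"\d+", text)
    return tuple(int(n) for n in nums) if nums else (0,)


def version_in_range(version: str, affected_from: str, fixed_in: str) -> bool:
    """True if affected_from <= version < fixed_in, padding short tuples with zeros."""
    v, lo, fx = (parse_version(x) for x in (version, affected_from, fixed_in))
    width = max(len(v), len(lo), len(fx))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(lo) <= pad(v) < pad(fx)


def fingerprint(raw_headers: str) -> Optional[Tuple[str, str]]:
    """Extract (product, version) from raw HTTP response headers."""
    m = BANNER_RE.search(raw_headers)
    return (m.group(1), m.group(2)) if m else None


def match_advisories(product: str, version: str) -> List[Advisory]:
    return [a for a in KNOWN_ISSUES
            if a.product == product and version_in_range(version, a.affected_from, a.fixed_in)]


def scan_banner(raw_headers: str) -> List[Advisory]:
    """The scanner's 'missing patch' check: fingerprint, then look up the version."""
    fp = fingerprint(raw_headers)
    return match_advisories(*fp) if fp else []


# Constructed sample response used for the demonstration.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Server: ExampleHTTPD/2.4.49 (Ubuntu)\r\n"
                   "Content-Type: text/html\r\n")

if __name__ == "__main__":
    for adv in scan_banner(SAMPLE_RESPONSE):
        print(f"{adv.advisory_id} [{adv.severity}] {adv.product} < {adv.fixed_in}")
```

One caveat a practitioner should keep in mind: this kind of check only sees the advertised version. Distributions that backport fixes without changing the version string will be reported as vulnerable, which is one common source of the false positives discussed later on this page; authenticated or agent-based scans that read the installed package metadata are more reliable than banner matching.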
Known vulnerabilities with expected responses
Many vulnerabilities can be detected by sending a crafted request and examining the response. A response that contains particular content or error messages, or that takes a characteristic amount of time to arrive, can indicate that an issue is present.
Scanning tools are useful to automatically run through a large number of requests to find the responses that align with known risks.
Common Security Misconfigurations
Similar to looking for known vulnerabilities, many responses can contain information that indicates how a specific system is configured.
Where the configuration information falls outside of recommended best practices, this can be highlighted by scanning tools as a change to improve your security.
Vulnerability Assessment
As a vulnerability assessment largely makes use of the same scanning tools, the types of issue that can be found do not differ. What an assessment adds is human review, which removes some of the common problems with raw scanner output.
False Positives Within Vulnerability Scanners
False positives are a common issue with scanning tools. Because scanners look for expected responses to decide whether a vulnerability is likely, a response that deviates from what the scanner expects can cause it to report an issue that is not actually there.
This can happen for several reasons, such as the scanning tool having a loose definition of what constitutes a vulnerable response, or external factors (a web application firewall, load balancer or rate limit, for example) influencing the system's response.
Repetitive And Duplicate Results
Another benefit a vulnerability assessment can provide is when the third-party vendor takes the time to consolidate your vulnerability scanner results.
With many vulnerability scanning tools, a common issue can be the duplication of reported threats.
This can occur for several reasons. In web applications, for example, the same issue on a single URL may be reported once for every parameter value the scanner tried, or an issue in one parameter may be reported separately on every URL where that parameter appears.
In each case there is one underlying issue affecting a URL or parameter, but the scanner may produce dozens of results. That inflates the issue count and the size of the report, and multiplies the number of tickets to resolve if findings are pushed into a tracking system such as Jira.
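The consolidation step an assessor performs, as an added example (not code from this page or from any scanner product). Raw findings are grouped by issue type, normalized location and parameter, where normalization drops query-string values and replaces numeric or UUID path segments with a placeholder, so that `/orders/1001` and `/orders/1002` collapse into one finding. The evidence URLs are retained so each instance can still be retested. The sample findings are constructed.

```python
"""Added example: de-duplicating web scanner findings into one issue per location."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit

# Path segments that are record identifiers rather than routes: integers and UUIDs.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def normalize_location(url: str) -> str:
    """Keep scheme, host and a templated path; drop query values and fragments."""
    parts = urlsplit(url)
    segments = ["{id}" if ID_SEGMENT.match(s) else s for s in parts.path.split("/")]
    return urlunsplit((parts.scheme, parts.netloc.lower(), "/".join(segments), "", ""))


def consolidate(findings: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Group raw findings into one consolidated finding per (issue, location, parameter)."""
    groups = defaultdict(list)
    for f in findings:
        key = (f["issue"], normalize_location(f["url"]), f["parameter"])
        groups[key].append(f["url"])
    return [
        {
            "issue": issue,
            "location": location,
            "parameter": parameter,
            "occurrences": len(urls),
            "evidence": sorted(set(urls)),   # keep every instance for retesting
        }
        for (issue, location, parameter), urls in sorted(groups.items())
    ]


# Constructed sample scanner output: 7 raw results describing 3 real issues.
RAW_FINDINGS = [
    {"issue": "Reflected XSS", "url": "https://app.example.com/search?q=foo", "parameter": "q"},
    {"issue": "Reflected XSS", "url": "https://app.example.com/search?q=bar&page=2", "parameter": "q"},
    {"issue": "Reflected XSS", "url": "https://app.example.com/search?q=%3Cscript%3E", "parameter": "q"},
    {"issue": "SQL Injection", "url": "https://app.example.com/orders/1001?sort=asc", "parameter": "sort"},
    {"issue": "SQL Injection", "url": "https://app.example.com/orders/1002?sort=asc", "parameter": "sort"},
    {"issue": "SQL Injection", "url": "https://app.example.com/orders/1003?sort=desc", "parameter": "sort"},
    {"issue": "Missing HttpOnly flag", "url": "https://app.example.com/login", "parameter": "session"},
]

if __name__ == "__main__":
    for item in consolidate(RAW_FINDINGS):
        print(f"{item['issue']:22} {item['location']:45} param={item['parameter']} x{item['occurrences']}")
```

The grouping key is a judgement call: collapsing on templated path is right when one handler serves all the IDs, but a parameter that appears on several distinct endpoints may be processed by different code and need separate fixes. Keeping the evidence list means the assessor can make that call, and the remediation team can verify each instance, without re-running the full scan.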
Penetration Testing
Vulnerabilities exploited in multiple stages
For some vulnerabilities, the exploitation process may span across several requests and stages which vulnerability scanning tools can often struggle to identify.
For example, when assessing a web application, a Cross-Site Scripting (XSS) payload may be submitted at one step of a multi-stage form and only rendered, and therefore triggered, at the final review step of that form.
Because this exploitation does not follow a single request-and-response pattern, scanning tools can overlook such issues.
Vulnerabilities that can involve contextual analysis of responses
When reviewing the security of different systems there can be a range of issues that do not present as an error or a predefined response type, but can still present risks to your business’s systems.
For example, Insecure Direct Object References (IDOR) are a type of vulnerability that can occur in websites. These issues can occur when users are able to access private and sensitive data or functionality that was not intended for their user account.
To identify this type of vulnerability, there isn’t a set type of response to automatically assess, instead, it requires a contextual review of the information you should see compared to the information you can see.
Automated scanning tools typically cannot apply this kind of logical analysis and will often miss vulnerabilities such as IDOR.
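The IDOR case as an added example (not code from this page). A vulnerable handler fetches a record by the client-supplied ID alone; the fixed handler resolves the record and then checks that the session user owns it, returning the same "not found" result for both a missing and a foreign record so the endpoint does not confirm which IDs exist. The `idor_probe` function is the tester's contextual check from the paragraph above: log in as one user and see whether another user's object comes back. The invoice data and user names are constructed.

```python
"""Added example: an IDOR, its fix, and the should-see vs can-see check a tester applies."""
from dataclasses import dataclass
from typing import Callable, Dict


class NotFound(Exception):
    """Raised by the fixed handler for both unknown and foreign records."""


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    total: str


# Constructed in-memory store standing in for the application's database.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, "alice", "120.00"),
    1002: Invoice(1002, "bob", "89.50"),
}


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Invoice:
    """Authentication is assumed to have happened, but authorization never does:
    any logged-in user who changes the ID in the URL reads another customer's invoice."""
    return INVOICES[invoice_id]


def get_invoice_fixed(session_user: str, invoice_id: int) -> Invoice:
    """Resolve the object, then enforce ownership. Respond identically for
    'does not exist' and 'not yours' so the ID space cannot be enumerated."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise NotFound(f"invoice {invoice_id} not found")
    return invoice


def idor_probe(handler: Callable[[str, int], Invoice], session_user: str, foreign_id: int) -> bool:
    """Return True if session_user can read an object they do not own.

    Note what a scanner sees: in the vulnerable case the response is a normal
    200 with a well-formed invoice, indistinguishable from a legitimate request.
    Only knowing who *should* be able to see invoice 1002 makes this a finding.
    """
    try:
        record = handler(session_user, foreign_id)
    except (NotFound, KeyError):
        return False
    return record.owner != session_user


if __name__ == "__main__":
    for name, handler in (("vulnerable", get_invoice_vulnerable), ("fixed", get_invoice_fixed)):
        leaked = idor_probe(handler, "alice", 1002)
        print(f"{name}: alice can read bob's invoice -> {leaked}")
```

In a real test this is done with two accounts and a proxy: capture a request for your own object, swap in the ID belonging to the second account, and compare the body against what that account is entitled to. That comparison is the "information you should see versus the information you can see" step, and it is the part the scanner has no basis for.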
Variations in commonly identified vulnerabilities
Common and known issues can also be found with slight variations in how they are identified or how they respond. For example, SQL Injection (SQLi) is a common vulnerability found in web applications.
Depending on how each user interacts with the web application, and how the application interacts with its database, accurately identifying the issue may require submitting a range of small variations of a request, or detecting subtle variations in the responses.
An automated scanner may not recognize these nuanced requests and responses, but a manual testing process can.
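The SQL injection variations described above, as an added example that is not code from this page. It uses an in-memory SQLite database: a handler that concatenates a numeric ID into its query, a second handler with the kind of naive blocklist that stops the textbook payload but not a minor variation of it (comments instead of spaces), and the parameterized fix. The `probe` helper is what a tester does by hand: send a payload and observe whether the row set changes or the request errors. The table contents are constructed.

```python
"""Added example: SQL injection in a numeric context, a filter bypass variant, and the fix."""
import sqlite3
from typing import Callable, List, Optional, Tuple

Row = Tuple[str, str]


def setup() -> sqlite3.Connection:
    """Constructed sample database: three users, ids 1..3."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Numeric context: no quotes are needed, so quote-stripping does nothing here."""
    return conn.execute(f"SELECT username, role FROM users WHERE id = {user_id}").fetchall()


def lookup_filtered(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """A naive blocklist: strips quotes and the space-delimited keyword ' OR '.
    It breaks the textbook payload '2 OR 1=1' but not '2/**/OR/**/1=1'."""
    cleaned = user_id.replace("'", "").replace(" OR ", " ")
    return conn.execute(f"SELECT username, role FROM users WHERE id = {cleaned}").fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """The fix: validate the type, then bind the value instead of splicing it in.
    Parameterization alone is sufficient; the int() check is defence in depth."""
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT username, role FROM users WHERE id = ?", (uid,)).fetchall()


def probe(conn: sqlite3.Connection, handler: Callable[[sqlite3.Connection, str], List[Row]],
          payload: str) -> Optional[List[Row]]:
    """Send one payload; return the rows, or None if the database raised an error.
    A tester reads both signals: extra rows mean the logic changed, an error means
    the input reached the parser (a hint that a different variation may succeed)."""
    try:
        return handler(conn, payload)
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    conn = setup()
    payloads = ["2", "2 OR 1=1", "2/**/OR/**/1=1"]
    for name, handler in (("vulnerable", lookup_vulnerable),
                          ("filtered", lookup_filtered),
                          ("safe", lookup_safe)):
        for p in payloads:
            rows = probe(conn, handler, p)
            print(f"{name:10} {p!r:22} -> {'ERROR' if rows is None else len(rows)} row(s)")
```

A scanner that only knows the `' OR 1=1` form will report the filtered endpoint as clean, because its payload produces an error rather than extra rows. The tester sees the error, infers that the keyword filter is space-based, and tries the comment-delimited form; that is the "small variation in requests" the paragraph above refers to.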
Choosing The Right Security Solution For Your Business
A scan, vulnerability assessment, and penetration testing each have their own advantages and disadvantages.
While each security solution has its place in the security assessment process, depending on your company budget, cybersecurity knowledge, and other factors, some solutions may be more or less useful for your business.
If looking to secure your business, several free resources are available for small businesses, listed in the following post detailing cyber security solutions.
Vulnerability Scanning
Vulnerability scanning is useful for frequent or continuous scanning of your assets. If your company is comfortable with managing your own systems and the setup process for the vulnerability scanner, maintaining your own scanning solution can be useful and cost-effective to help improve your security.
Vulnerability scanners typically provide detailed information and remediation guidance for identified issues, and if your company is currently managing its own IT systems and can also manage a scanning tool, this solution may be a good fit for your company.
Scanning tools can focus on specific types of devices and operating systems but there are also more complete security suites that offer coverage of a broad range of different asset types.
However, the pricing inevitably increases with more complete security suites, or when looking into multiple individual scanning licenses to cover your entire organization.
Vulnerability Assessment
Vulnerability assessments are usually conducted less frequently than scans you manage yourself, although this depends on the arrangement made with your cyber security provider.
Where your company is using third parties for IT management and doesn’t maintain your own systems, looking into a third-party solution to conduct less frequent vulnerability assessments of your systems may be a more suitable solution.
This may be similar to the costs of an annual scanning license but has the downside of potential weaknesses being left in your IT systems for longer between assessments.
Vulnerability assessments, like scanning tools, can also offer broad coverage of your different device types and environments.
As your vulnerability assessment will typically be managed by a third party, it can remove the requirement to purchase multiple individual scanning licenses or the investment in a complete security suite, while still receiving relatively broad coverage of your assets.
However, as more devices and varied environments are added to your vulnerability assessment requirements, the cost is likely to increase, and a balance between frequency of testing, coverage of devices, and cost will need to be made.
Penetration Testing
Penetration tests are the most expensive of the three, because of the heavy involvement of security professionals throughout the testing process.
This type of testing is valuable for any company, as it goes beyond automated scanning to find additional vulnerabilities in your systems.
Security testing teams can also provide information and guidance directly to your company or a third-party IT management company when working to resolve each of the identified security risks found.
Budgetary constraints are a common issue when arranging a penetration test of your systems. Particularly for smaller businesses a dedicated and regular penetration test of each of your IT Systems may not be viable.
Penetration testing can be applied to most types of devices, systems, and environments. With certain types of testing, all assets within a company can be in scope and used to identify potential weaknesses and exploitation paths into the organization's network.
However, as the scale of any penetration test increases, the time taken for the manual testing process will also increase, resulting in escalating costs.
For penetration testing, when working within strict budgets, it can often be useful to consider annual testing, but with varied systems to assess each year, to gradually review the security of your organization as a whole.
How Scans, Assessments, And Penetration Tests Can Work Together
Ideally, where cost is not a consideration a company could take an approach to security testing which includes a combination of scans, a vulnerability assessment, and penetration testing.
Vulnerability scanning should be the most frequent, or continuous process to identify flaws in your security. This can be applied to your most likely targets, or points of exploit, such as your user workstations, web applications, or other systems you have that are internet accessible and most likely to suffer from security threats.
A vulnerability assessment can be considered less frequently, such as quarterly or every six months, and can cover the large number of assets that may not be a direct target for exploitation but are still critical to your business operations and hold sensitive information. Your company's internal network and servers may be covered this way.
Vulnerability scans of these systems can often generate long lists of issues, so it can be beneficial for a vulnerability assessment to consolidate issues, apply business context, and remove false positives.
Penetration testing can be reviewed on an annual basis, and cover each of your assets, rotating between different systems to gradually provide an in-depth assessment of the security of your entire organization and how exploitation may lead to further impacts on connected systems.
Pros And Cons Of A Vulnerability Scan, Vulnerability Assessment and Penetration Testing
(The pros and cons comparison table for the three services is not reproduced in this text version; the trade-offs it summarized are described in the sections above.)
Vulnerability Testing And Vulnerability Management
Each type of security test represents one aspect of a more complete vulnerability management process.
To improve the security of your organization, find weaknesses, and resolve them effectively, a management lifecycle should be implemented that helps you assess security issues and make informed decisions about the order in which to remediate them.
A vulnerability management program can include multiple steps to effectively identify and resolve issues such as:
- Tracking and prioritizing your company's assets
- Identifying security issues and threats, and assigning priorities
- Reporting security issues to management and security teams
- Addressing and resolving threats within your company, and verifying the results
- Working towards continual improvement
Conclusion
Third-party security assessment providers often have their own definitions for each service, and vary in exactly what is included: which assets are covered, how much manual involvement accompanies the automated tools, and what the penetration testing process entails.
When arranging any testing or risk assessment for your organization, it can be helpful to clarify the exact details of the activities to be conducted by the provider, to ensure you receive a thorough security assessment of your assets.
When conducting security testing, there is rarely a single solution that provides complete coverage of all areas of your business.
Instead, a layered defense-in-depth approach to security should be undertaken which involves a combination of adhering to best practice guidelines, management of assets, security testing, threat detection, and malware protection.
Where you have any further questions regarding different cybersecurity solutions, our security consultants are available to address any concerns you may have.