Overview
Two of the most common questions clients ask are: What’s the difference between a vulnerability scan and a penetration test, and which option is best for my company? The two are often confused. Let’s take a look at the key differences between them and paint a clearer picture of which option you should choose for your company.
What is a Vulnerability Scan?
- Helps identify risks and vulnerabilities and supports patch management
- Cost-effective (around $1,000-$5,000)
- Allows for risk prioritization. Defenders can address high-priority risks first.
A High-Level Overview
| | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Definition | Vulnerability scanning, also known as a vulnerability assessment, is the process of scanning for known vulnerabilities in a network using automated tools, such as Nessus, Nexpose, or OpenVAS. | Penetration testing, also known as pentesting or ethical hacking, is the process of scanning and exploiting vulnerabilities on a network through automated and manual methods. |
| Methodology | An engineer will run a vulnerability scan against a defined scope on an internal or external network. The engineer will compile a report based on the vulnerability scan findings. | An engineer will go beyond the vulnerability scan and attempt to find additional vulnerabilities through manual testing. The engineer will also attempt to exploit all vulnerabilities found in hopes of breaking into systems and gaining sensitive access. |
| Pros | 1) Helps identify risks and vulnerabilities and supports patch management 2) Cost-effective (around $1,000-$5,000) 3) Allows for risk prioritization. Defenders can address high-priority risks first. | 1) Hands-on approach that goes beyond automation 2) Confirms exploitation and helps reduce false positives 3) Potentially identifies previous network compromises 4) Assists defenders with identifying scans and attacks to fine-tune the SIEM |
| Cons | 1) Fully automated, with no “hands-on” approach 2) Higher likelihood of false positives due to no engineer verification 3) Not guaranteed to scan or identify all systems in the network | 1) Significantly more expensive than a vulnerability scan, depending on network size and scope 2) Not guaranteed to find and exploit all vulnerabilities in a network 3) Only a snapshot in time. A new vulnerability could arise after testing. |
| Testing Frequency | Many compliance standards, such as HIPAA and PCI-DSS, dictate quarterly vulnerability scanning. It is also recommended to scan all critical devices monthly and to fully scan all new devices before they are brought online. | At a minimum, it is recommended that companies conduct a penetration test on a yearly basis. However, some compliance standards dictate that testing be performed at a higher rate, such as bi-annually. |
What Option Should I Choose?
The chart above identifies vulnerability scanning as a highly automated process that is quick to perform, relatively cheap, and helps address potential high-risk vulnerabilities. Vulnerability scanning also helps with patch management and prioritization. Vulnerability scans are a great way to identify quick patching opportunities.
A common recommendation is that companies should conduct a penetration test before ever performing a vulnerability scan, but the opposite order is usually more effective. While vulnerability scanning does not go “hands-on” like penetration testing, it provides a company with a general overview of needs that might have to be addressed immediately. If a company is not performing vulnerability scans on a regular basis, a penetration test may only scratch the surface. For example, if Acme Company has never performed a vulnerability scan and purchases a penetration test, the test may identify some vulnerabilities but miss others due to scope and time restrictions. On the other hand, if Acme Company performs consistent vulnerability scanning and patching, a penetration tester can “dive into the weeds” and look for more manual and hidden vulnerabilities with his or her allotted time.
A combination of both choices, with quarterly vulnerability scans and an annual penetration test, is considered the best methodology.
Questions to Consider
With that being said, some questions you should ask yourself prior to purchasing a vulnerability scan and/or penetration test are:
- Is the company required by industry regulations/compliance to conduct a vulnerability scan or penetration test on a periodic basis?
- Does the company store sensitive customer or client information?
- Does the company store sensitive employee information or other personally identifiable information (PII)?
- Will an attack on company infrastructure cause personal or monetary damages?
If your answer is yes to any of the above, a vulnerability scan and/or penetration test should be considered.
Summary
In summary, vulnerability scanning and penetration testing are vastly different options that can be performed against a network. A company that is newer to its cybersecurity focus should opt for vulnerability scanning as a first choice. Once initial vulnerabilities are found and a solid patch management process is in place, a penetration test should be considered. Companies that are more mature in their security posture should opt for penetration testing to further enhance their posture and strengthen their defenses. Overall, it is best to combine vulnerability scanning and penetration testing into a balanced approach to comprehensively improve your security posture.
If you would like to learn more about our vulnerability scanning and penetration testing services or need any additional assistance, please feel free to contact us and we’ll be happy to help!
About the Author: Heath Adams
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Contact Us: sales@tcm-sec.com