Whilst the specifics are becoming more widely realised, there’s still a level of confusion around the differences and similarities between vulnerability scanning and penetration testing, with some people erroneously using the terms interchangeably. With this in mind, I thought I’d put together a quick blog post to explain and hopefully clear up the confusion. Let’s start off by looking at the high-level meaning of each of these terms:
A vulnerability scan checks network components (firewalls, routers, servers, etc) and web applications (websites, portals, databases, and the like) for unsecured access points and security holes. If left undiscovered and unfixed, these security lapses would allow an intruder to gain unauthorised access to your systems.
A penetration test makes use of gathered intelligence, such as a vulnerability scan, to actively attempt to hack a system. This is an intrusive operation and often third-party companies need to be advised about a scheduled “attack” so they don’t automatically spring to the defence. The difference between this and a real-world hack is intent and consent: a penetration test will only be performed with explicit written permission, and no attempt will be made to steal data.
So we can see that vulnerability scans and penetration testing pretty much go hand in hand. Now that the basics are covered, let’s look at both procedures in more detail:
Vulnerability Scans: What’s being checked?
Whilst the details vary between scanning vendors, the standard checks should include – but not necessarily be limited to – the following:
- Known vulnerabilities in the network components and web applications
- Out-of-date hardware still being used
- Out-of-date software and operating systems still being used
- Missing patches and updates
- Open and exposed services and firewall ports
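To make the list above concrete, here is a small added example (it is not code from the original post and not any scanner vendor's tool) that takes the kind of observations a scanner records for each host and judges them against a hardening baseline: unsupported OS releases, software below a minimum version, missing patches, and listening services outside a port allowlist. Every host name, version, port, patch identifier and baseline value in it is constructed sample data.

```python
import re
from dataclasses import dataclass
from itertools import zip_longest

# Added example, not from the original post. All hosts, versions, port
# allowlists and patch names below are constructed sample data.


@dataclass
class Host:
    name: str
    os_release: str
    open_ports: dict       # port number -> service name, as a scanner would report them
    software: dict         # package name -> installed version string
    missing_patches: list  # vendor patch identifiers the scanner found absent


# Hypothetical hardening baseline the scan findings are judged against.
BASELINE = {
    "supported_os": {"example-os-22", "example-os-24"},  # releases still receiving updates
    "allowed_ports": {22, 443},                          # anything else counts as exposed
    "min_versions": {"openssl": "3.0.0", "nginx": "1.24.0"},
}


def parse_version(text):
    """Turn '1.24.0' or '3.0.2a' into a tuple of integers for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_below(installed, minimum):
    """True if installed < minimum; shorter tuples are zero-padded so '3.0' equals '3.0.0'."""
    pairs = list(zip_longest(parse_version(installed), parse_version(minimum), fillvalue=0))
    padded_installed = tuple(p[0] for p in pairs)
    padded_minimum = tuple(p[1] for p in pairs)
    return padded_installed < padded_minimum


def triage(host, baseline=BASELINE):
    """Map raw scan observations for one host to (severity, finding, fix) tuples."""
    findings = []
    if host.os_release not in baseline["supported_os"]:
        findings.append(("HIGH", f"{host.name}: operating system {host.os_release} is out of support",
                         "upgrade to a supported release"))
    for package, installed in host.software.items():
        minimum = baseline["min_versions"].get(package)
        if minimum and version_below(installed, minimum):
            findings.append(("HIGH", f"{host.name}: {package} {installed} is below minimum {minimum}",
                             f"update {package} to {minimum} or later"))
    for patch in host.missing_patches:
        findings.append(("MEDIUM", f"{host.name}: patch {patch} not applied",
                         "apply the vendor patch"))
    for port, service in sorted(host.open_ports.items()):
        if port not in baseline["allowed_ports"]:
            findings.append(("MEDIUM", f"{host.name}: {service} on port {port} is reachable but not in the allowlist",
                             "close the service or restrict it at the firewall"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'HIGH': 2, 'MEDIUM': 3}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample inventory standing in for a scanner's host list.
SAMPLE_HOSTS = [
    Host("web-01", "example-os-20", {22: "ssh", 80: "http", 443: "https", 3306: "mysql"},
         {"openssl": "1.1.1", "nginx": "1.24.0"}, ["PATCH-PLACEHOLDER-1"]),
    Host("web-02", "example-os-24", {22: "ssh", 443: "https"},
         {"openssl": "3.0.2", "nginx": "1.26.0"}, []),
]


def run_report(hosts=SAMPLE_HOSTS):
    """Return the findings across all hosts, highest severity first (stable sort keeps host order)."""
    order = {"HIGH": 0, "MEDIUM": 1}
    findings = [finding for host in hosts for finding in triage(host)]
    return sorted(findings, key=lambda finding: order[finding[0]])


if __name__ == "__main__":
    for severity, finding, fix in run_report():
        print(f"[{severity}] {finding} -> fix: {fix}")
    print(severity_counts(run_report()))
```

Run as a script it prints five findings for the out-of-date host and none for the hardened one; the point is that each finding carries its remediation, which is what makes a scan report actionable rather than just a list of problems.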
These are the same tricks that a real-world hacker would normally employ as a first step to compromising a network.
Penetration Tests: Why are they important?
It is vitally important to know that your infrastructure is up to date and secure and that no-one can forcefully breach your infrastructure. And if you don’t test, you don’t know.
If you require PCI DSS compliance at any point within your infrastructure then penetration tests are a mandatory requirement: you need them at least once a year to prove your level of security. If you make any significant changes to your PCI-compliant infrastructure, a re-test is required.
So, in short: vulnerability scans check and advise on weak points in your systems, whilst penetration tests attempt a full-scale hack based on any vulnerabilities found.
After a vulnerability scan, it’s standard to receive a report that outlines all the different vulnerabilities and, crucially, advises on how to fix them. A penetration test will then also attempt to actively hack all the systems where vulnerabilities have been found.
For smaller businesses where cardholder data is not being touched, a vulnerability scan is normally sufficient, as it is non-intrusive and no harmful actions are performed against the tested systems. For larger businesses, or anyone who uses or handles cardholder data, full penetration testing is a vital part of PCI compliance.