We might all agree that there is a huge difference between checking your symptoms on WebMD and actually seeing a doctor. However, if you’re not an information security professional, it may be easy to chalk up the difference between vulnerability scanning and penetration testing to “technical details”. Understanding the difference and knowing how to incorporate both testing styles can be a huge benefit to your security posture.

As a working definition, a vulnerability scanner is a tool used to check systems and services for known security holes. A penetration test is an active engagement in which a team of knowledgeable professionals attempts to exploit those systems and services in the same way a real threat actor would. A penetration test often also includes a physical security assessment and in-depth social engineering campaigns.

To be clear, WebMD is a great resource, and so is vulnerability scanning. Vulnerability scans are an excellent maintenance tool and have additional value when incorporated into a routine. Deployed regularly, vulnerability scans can be used to actively monitor security posture and track progress and failures. Findings are often in the form of missing patches, insecure services and ports, and misconfigurations. Examining this data over time can aid in identifying anomalies and unauthorized changes. Maintaining a network can be an extensive job, and utilizing a vulnerability scanner provides a human-error-free way of double-checking.

The scope of a penetration test goes far beyond what a vulnerability scanner is capable of identifying. Prior to the engagement, both parties will define this scope, which may include external, internal and physical testing and incorporate elements of social engineering, phishing campaigns, and known vulnerability exploitation. A full-scope penetration test will include these elements and many more, and it is often impossible to list each tactic the team will try. The same way hackers continually expand and evolve their methods, so will a penetration testing team.

Real-world threat actors do not operate off the findings of an external scan, so limiting your security testing to a vulnerability scanner may leave a business with a severely shortsighted view of its weaknesses. If we asked, “How easy would it be to hack your company?”, running a vulnerability scanner might give the false impression that everything is safe and sound, while a full penetration test could completely compromise your entire domain in a matter of days.

The results of a well-conducted penetration test are far more akin to the real threats a business faces, while still providing actionable reporting that can be used to mitigate those threats. Besides identifying the same security holes a scanner will, a penetration test will also be able to advise on ways to improve practices, identify policy weaknesses, and demonstrate cases where employees need further training in preventing phishing and social engineering attacks. A good penetration testing team will continually evolve its methods, the same way hackers do.

Both of these security testing methods provide invaluable feedback to a business wishing to maintain an excellent security posture. It is recommended to conduct vulnerability scans every __ months/weeks and full-scope penetration tests annually.