By: Brian Kienzle, CISSP, OSCP and Mike Detrow, CISSP
As we discuss technical testing techniques with financial institutions, we still see a lot of confusion about the difference between a vulnerability scan and a penetration test (pen test). The two terms are often used interchangeably, even today. However, a true pen test is quite different from a vulnerability scan.
A vulnerability scan is an assessment performed by running a scanning application such as Nessus or Qualys. The assessor enters the target IP address ranges or DNS names, starts the scan, and waits for the results. Scans are important tools for detecting several types of vulnerabilities and for prioritizing their remediation; however, they are limited, because they generally rely on fingerprints of known vulnerabilities, such as service banners, version strings, and signatures for specific checks. A scanner can report only what its check library already knows how to look for.
A pen test, on the other hand, can be thought of as a highly technical audit. A pen tester will use a wide variety of techniques and tools, often including vulnerability scanners, to discover and exploit vulnerabilities. The tools that are used will be different depending on what network services and device types are encountered.
One of the biggest differences between a scan and a pen test is that a pen test exploits the vulnerabilities it finds. Exploitation weeds out false positives (a scanner may flag a service based on its version string even though the flaw is patched or not reachable) and shows what a vulnerability's real impact is in your unique environment.
Are vulnerability scans worthless? No, but it is important to understand their strengths and weaknesses. Scanning software cannot think; it can only discover what it has been programmed to discover. It is valuable for finding low-hanging fruit, but its inherent design limitations prevent it from detecting certain vulnerabilities, such as vulnerabilities requiring custom exploitation, fuzzing, or guided brute-force attacks. Discovery and exploitation of these vulnerabilities requires investigation by an experienced security professional.
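To make the fingerprint limitation concrete, here is a small added example (it is not code from the original article and is not the output of any named scanner) showing how version-based banner matching works and where it stops short. The sample banners, the `vulnerable_below` threshold and the vendor patterns are constructed for illustration; the threshold is not a real advisory. The `verify` bucket captures the case a scanner cannot settle on its own: distributions such as Debian and Ubuntu routinely backport security fixes without changing the upstream version number, so an old-looking banner is not proof that a flaw is present.

```python
import re
from typing import Dict, List, Tuple

# Added example: a scanner-style check that matches an SSH banner against a
# version threshold. The banners and the threshold below are constructed for
# illustration only; the threshold is NOT a real advisory.

# Matches OpenSSH banners such as "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7".
BANNER_RE = re.compile(
    r"^SSH-2\.0-OpenSSH_(?P<ver>\d+\.\d+)(?P<patch>p\d+)?(?:\s+(?P<vendor>.*\S))?\s*$"
)

# Vendor strings for distributions that commonly backport security fixes
# without bumping the upstream version (illustrative list, not exhaustive).
BACKPORT_VENDOR_RE = re.compile(r"(Debian|Ubuntu)", re.IGNORECASE)


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '7.4' into (7, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in ver.split("."))


def classify_banner(banner: str, vulnerable_below: Tuple[int, ...]) -> str:
    """Classify one banner the way a fingerprint-based scanner would, plus a
    'verify' bucket for the cases a scanner cannot settle on its own.

    Returns one of:
      'unknown'     - not an OpenSSH banner this check understands
      'not_flagged' - reported version is at or above the threshold
      'verify'      - version is below the threshold but the vendor string
                      suggests backported patches; needs manual validation
      'flagged'     - version is below the threshold with no such hint
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return "unknown"
    version = parse_version(m.group("ver"))
    if version >= vulnerable_below:
        return "not_flagged"
    vendor = m.group("vendor") or ""
    if BACKPORT_VENDOR_RE.search(vendor):
        return "verify"
    return "flagged"


def triage(banners: List[str], vulnerable_below: Tuple[int, ...]) -> Dict[str, List[str]]:
    """Group a list of observed banners by classification."""
    buckets: Dict[str, List[str]] = {
        "flagged": [], "verify": [], "not_flagged": [], "unknown": []
    }
    for b in banners:
        buckets[classify_banner(b, vulnerable_below)].append(b)
    return buckets


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "SSH-2.0-OpenSSH_9.3",
    "SSH-2.0-dropbear_2019.78",
]

# Hypothetical threshold: treat anything reported below 7.9 as a "hit".
HYPOTHETICAL_THRESHOLD = (7, 9)

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_BANNERS, HYPOTHETICAL_THRESHOLD).items():
        for item in items:
            print(f"{bucket:12s} {item}")
```

The first banner lands in `flagged` and the Debian one in `verify`, yet the code has no way to tell which of the two hosts is actually exploitable; only a tester who exercises the service can say. That is the gap between a fingerprint and a validated finding.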
How do you tell which one you’re getting?
It takes a hacker to know how a hacker will try to exploit the devices on your network. Unlike vulnerability scans, pen tests require a lot of time and expertise. The following are not perfect indicators, but they can help you determine what type of service is being performed:
- The proposal should give some detail about the testing methodology. True penetration testing is by its nature somewhat open-ended, but it should always involve manual investigation and exploitation of any discovered vulnerabilities.
- Engagement price can be an indicator. If the cost of your penetration test is very low, that could mean the pen test is simply a vulnerability scan. It would not make business sense to sell such a skill and time-intensive engagement so cheaply.
- If the findings do not include the steps taken to exploit each specific vulnerability, along with evidence such as command output or screenshots, that could be an indicator that the findings were automatically generated.
- Hackers and penetration testers are often self-taught, so certifications may not be strictly necessary. However, if this is an area of consideration, more weight should be given to certifications whose exam processes are practical exploitation tests, rather than multiple-choice exams. Certifications like this include Offensive Security Certified Professional (OSCP) and Licensed Penetration Tester (LPT).
When should you get a pen test or vulnerability scan?
Vulnerability scans and pen tests are different types of tools and therefore should be applied in different situations. Because vulnerability scans are cheaper and faster to run, they should be conducted more frequently. Regular vulnerability scans identify vulnerabilities in a timely manner, which allows IT staff to limit the time that those vulnerabilities remain exploitable on the network by remediating them soon after they are discovered.
Vulnerability scans can even be performed by financial institution staff or by the financial institution’s Managed Service Provider (MSP). This is typically more cost-effective than hiring an independent party to perform frequent scans. However, it is still important to have an independent party perform an annual vulnerability scan to verify that the financial institution’s vulnerability management processes are effective.
Pen test frequency will typically vary based on a financial institution’s network infrastructure and vulnerability management practices. While external pen tests may commonly be performed annually, a financial institution may choose to perform internal pen tests annually, biennially, or even less frequently. Management should use a risk-based approach to determine the frequency of pen tests by considering the following factors:
- Significance of data stored on internal systems
- Frequency of network infrastructure changes
- Complexity of network infrastructure or network operating system
- Any network services or applications developed in-house, such as intranet sites
- Demand from examiners
If you have any questions about the differences between vulnerability scans and pen tests, or you would like to get more information about the testing services that Young & Associates has to offer, please contact Mike Detrow, Director of IT, at firstname.lastname@example.org or 330.422.3447. We look forward to helping you maximize the return on your technology investments.