There is still quite a bit of confusion out there on the differences between a Vulnerability Scan and a Penetration Test. The truth is both services can be successful in keeping you ahead of the hackers, but the trick is knowing which one is right for you and when.
Understanding the features and benefits of both Vulnerability Scans and Penetration tests will help you be sure you make the most of what you’re paying for.
The difference between a vulnerability scan and a penetration test
There can be a lot of confusion about the differences between a vulnerability scan and a penetration test because both provide insight into the vulnerabilities in a network, but they are very different things. You can differentiate the two by looking at the process, the network insights they provide, the focus of the tests, and the number of CIS Controls they cover.
A vulnerability scan is an automated scan of a network. It does a great job of identifying things like gaps in the security controls, or whether a server was properly patched before it was added to the network, but it doesn't tell you whether that network is secure against specific attacks. A pen test is done manually and allows the tester to attempt exploits to see if they can gain access to the network. This difference can be confusing because there are companies out there selling what they call a pen test, when what they're actually doing is running an automated vulnerability scan, dumping the results into a report, and selling it for $20k. That is not a true pen test.
A perfect example of something you would want to test with an actual penetration test:
Playing the role of an attacker, I send a spearphish out to the victim. The victim's machines are fully patched, which is great, except that I'm running a password attack rather than an exploit. I have a bogus website set up that looks legitimate and asks for legitimate credentials. When the victim enters them, I gain valid passwords into the victim's environment without needing malware or exploits. A vulnerability scan does not provide that kind of in-depth investigation into the security of a network.
The second big difference is what is uncovered about the network. A vulnerability scan gives insight into the baseline configuration of a network, while penetration testing is a lot more in-depth. Pen testing provides a more complete picture of what's going on with your vulnerabilities. You also get more manual validation, meaning that if the tester sees something in an automated scan that may be a potential vulnerability, they can exploit or test it to see whether they can get in and how far they can go with that vulnerability.
Another difference is the focus of the test. A vulnerability scan can only go so far. It is great for triage, letting you know what needs to be patched, fixed, or remediated, but it doesn't tell you where the keys to the kingdom are. With a pen test, it's possible to customize the test around what matters most to the customer. So if they want to see whether their clients' data is protected, we can specifically go after that data and see if we can find and exfiltrate it. It helps us answer questions like:
- Were they able to find the attack?
- How did their security team react?
- Were they able to stop the attack?
The 18 CIS Controls (Formerly SANS 20 Critical Controls)
Lastly, a vulnerability scan covers about half of the CIS Controls, which is pretty good. A pen test, on the other hand, covers all of the CIS Controls and by that standard is a more holistic approach to evaluating the performance of a network's cybersecurity.
Updated on 08/03/2021 to reflect the updates to the CIS Controls.