What is the difference between Penetration Testing and Vulnerability Scanning?

It seems barely a day goes by without news of another ransomware attack or dire warnings of the growing threat businesses face from hackers. There is only so much an organisation can do on its own before turning to specialist help to find the weak spots in its defences before the criminals do.

Two terms becoming more prevalent in this fight against the cybercriminals are penetration testing and vulnerability scanning. But what do these terms mean and how important are they in keeping your systems, networks, devices and people safe from attack?

In short, they are different approaches to security: either one undertaken in isolation is of limited use, and the differences between them matter.

What is Penetration Testing?

Different types of penetration test can be performed (internal, external, web-application, GDPR, etc.), but regardless of the type, the test should be undertaken by a specialist IT security professional. They will use the same tools and methods as hackers to discover vulnerabilities, then attempt to exploit them.

External testing assesses the infrastructure accessible from the internet, which usually involves firewalls, VPNs, etc., and will also typically include attempts to ‘phish’ employees. An internal test assesses the infrastructure inside the corporate network and the risk posed by virus/malware outbreaks, rogue employees and physical intruders.

Effective penetration testing requires experience and detailed knowledge of infrastructure and systems architecture, combined with a range of specialist skills, which is why it costs more than automated processes. Testers understand the hacking world and will seek to exploit a new vulnerability unknown outside the dark web.

What is Vulnerability Scanning?

Vulnerability scanning identifies potential vulnerabilities in network devices such as firewalls, routers, switches and servers, and in applications. It is a largely automated process focussed on finding known and potential vulnerabilities without attempting to exploit them.

Vulnerability scanning encompasses the entire business, so its scope is much wider than that of penetration testing. Running scans effectively requires good knowledge of the network and the systems on it, and scans are typically run by systems administrators or external security personnel.

It is cost-effective to run scans frequently to discover known vulnerabilities and patch them, but ideally scanning is coordinated with penetration testing to offer a more comprehensive solution that combines detection with preventative measures.

The question for every organisation to answer is: how much risk are you prepared to accept against the cost of regular vulnerability scans and at least twice-yearly penetration testing?

Vulnerability scanning and penetration testing inform your cyber risk analysis and help determine the controls needed at the business, department and individual level. The reports delivered will include suggestions for closing weaknesses in your defences, and that could be priceless.