Vulnerability scans (or vulnerability assessments) are often confused with penetration tests, but they are very different and should be used in very different ways to assess and test your cyber security defences.
So what’s the difference between a vulnerability scan and a penetration test?
Vulnerability Scanning
A vulnerability scan uses a suite of tools to provide a technical assessment of your IT estate. It scans your network infrastructure to identify unpatched software updates, incomplete deployment of security software, or open ports, for example. Scans should be performed both externally to the network and from within the network.
A vulnerability scan quickly identifies the open doors to known vulnerabilities—the most frequent route of exploitation by hackers—and should be performed regularly (quarterly, at minimum, for Cyber Essentials compliance). It should form part of a wider security assessment strategy to assess and prepare your organisation’s defences against cyber attack and data loss.
The ‘EternalBlue’ exploit targeted a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol; the same exploit was used in the WannaCry and Petya/NotPetya ransomware attacks. A vulnerability scan would highlight exposure to this risk.
Penetration Testing
On the other hand, a penetration test (or ‘pen test’) should only be performed once you have properly assessed and prepared your defences, a process that includes a vulnerability assessment.
A pen test involves trying to hack into your defences through any means—an ethical hack—and the testers will always be hugely successful if you do not have an ongoing security assessment programme in place.
Ethical hackers probe your defences to see whether they can penetrate the perimeter and exploit a vulnerability, just as a real attacker would.
Ultimately, a penetration test doesn’t help you improve your security; it only highlights a single weakness in your defences. A hacker only needs one open door to get in.
Start With a Security Audit & Assessment
Assessing your security marks the first and most important step towards forming an effective defence.
A security audit and assessment provide a wide-ranging, top-level security evaluation. They examine your overall security programme to establish the current state of your defences and form an essential step towards meeting compliance requirements, such as GDPR.
A security assessment will help you answer:
- What is the state of the overall security programme?
- Are there any critical attack surfaces that are not sufficiently defended?
- Is your data at risk from any third-party relationships?
- What do I need to do to defend against the attacks that are happening today?
- What security technologies are not being fully or effectively utilised?
- Are you meeting your compliance requirements?
- Are you exercising due diligence compared to your industry peers?
An audit will establish your current security posture by evaluating policies and processes, examining data access and security privileges, and assessing physical security measures. It will also provide an actionable roadmap for implementation.
The first step towards forming an effective defence is to gain visibility and understanding of where your critical data resides and how it is accessed, processed and secured.
A Security Assessment Roadmap
The best way to improve your cyber defences is to evaluate and assess them, from both an organisational and technical viewpoint. Only then should you test them out with a penetration test.