July 18, 2017
Vulnerability scans, or vulnerability assessments are often confused with a Penetration test – but they are very different, and should be used in a very different way to assess and test your cyber security defences.
So what’s the difference between a vulnerability scan and a penetration test?
Vulnerability scanning
A vulnerability scan uses a suite of tools to provide a technical assessment of your IT estate, scanning your network infrastructure to identify unpatched software updates, incomplete deployment of security software, or open ports, for example. Scans should be performed both externally to the network, and from within the network.
A vulnerability scan quickly identifies the open doors to known vulnerabilities – the most frequent exploitation by hackers – and should be regularly performed (quarterly, as a minimum for Cyber Essentials compliance). A vulnerability scan should form part of a wider security assessment strategy, to assess and prepare your organisations defences from cyber attack and data loss.
The ‘EternalBlue’ exploit, made use of a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, as used in the WannaCry and Petya/NotPetya ransomware attacks. A vulnerability scan would highlight the exposure to this risk.
Penetration testing
A penetration test (or ‘pen test’) on the other hand, should only be performed when you have properly assessed and prepared your defences, which will include a vulnerability assessment as part of your preparations.
A pen test involves trying to hack into your defences, through any means – an ethical hack – and will always be hugely successful if you do not have an on-going security assessment programme in place.
Ethical hacking probes your defences to see if they can penetrate the perimeter and then exploit a vulnerability – just like a hacker would do.
Ultimately, a penetration testing doesn’t help you improve your security, it only highlights a single point of weakness in your defences. A hacker only needs one open door to get in.
Start with a security audit & assessment
Assessing your security marks the first and most important step towards forming an effective defence.
A security audit and assessment provides a wide-ranging, top-level security evaluation, looking at your overall security programme to understand your current state of defences, as well as forming an essential step towards compliance requirements, such as GDPR.
A security assessment will help you answer:
- What is the state of the overall security programme?
- Are there any critical threat surfaces not sufficiently defended?
- Are your data at risk from any 3rd-party relationships?
- What do I need to do to defend against the attacks that are happening today?
- What security technologies are not being fully, or effectively utilised?
- Are you meeting your compliance requirements?
- Are you exercising due diligence compared to your industry peers?
By evaluating policies and processes, looking at data access and security privileges, assessing physical security measures, an audit will establish your current security posture, providing an actionable roadmap for implementation.
Gaining visibility and understanding of where your critical data resides, how it is accessed, processed and secured is the first step towards forming an effective defence.
A security assessment roadmap
The best way to improve your cyber defences is to evaluate and assess them, from both an organisational and technical viewpoint. Only then, should you test them out with a penetration test.