This was originally posted as an INSIGHT for Wolf & Company, P.C. here.
Have you been hearing these terms thrown around by your IT or Compliance teams, but aren’t quite sure what they are talking about? This post aims to clarify the two types of testing, and provide some basic information to help identify which test is right for you. Do you need to address common missing patches, or are you more concerned with a specific threat actor? Each test serves a specific purpose and has varying degrees of complexity. Having an adequate understanding of each type of testing will ensure your organization is getting the most value out of the budget you have, for both compliance and security needs.
Which is right for me?
These testing approaches range in complexity and required resources, starting with a basic, credentialed vulnerability scan. As the scope of testing expands to include items like threat emulation and exploit attempts, the resource demand increases, both for performing the tests and for implementing the resulting recommendations. Your answers to the questions below can help determine whether you need an overall vulnerability scan or whether more focused penetration testing is the right option for your organization.
Questions to Ask
- Do we have regulatory responsibilities that require vulnerability scanning or penetration testing?
- Are there specific threats we are most concerned with (e.g. ransomware or insider threats), or are we looking for a general vulnerability baseline?
- Do we have the resources to perform this testing in-house, or is a third party required?
This process looks to identify hosts on your network and examines their identifiable attributes to discern vulnerabilities that have already been publicly disclosed.
Vulnerability scanning is the less intrusive of the two options. Within the realm of vulnerability scanning, you can choose a few different levels of access, each providing a different level of information.
A thorough test will involve providing the scanning tool with administrator-level credentials for all target systems. The scanning tool is then able to authenticate to each host and take a detailed look at the local software installations, configurations, etc. This will provide the most information possible for the end user. By default, many systems are configured with usability prioritized over security, leading to a weak configuration. Credentialed scans can be configured to check for local settings that may not be a “vulnerability” in the traditional sense, but rather a weak configuration. As an added benefit, if your organization has decided to build system images using a standard like the CIS Benchmarks, many vulnerability scanning tools can confirm compliance with these baselines during the scan.
Vulnerability scanning is not without its flaws, however. Since these tools perform automated checks, they are prone to producing results that contain false positives. This happens, for example, when software is updated but traces of the earlier version are left behind: the vulnerability is not present, but the scanning tool sees the traces of the outdated version and includes that vulnerability in the results. These results are delivered as a massive listing, which can be difficult to prioritize. The tools do not have the in-depth understanding of your network that a human would, so they will treat all vulnerabilities equally. With vulnerability scanning, you will need a human reviewing the results to adjust the risk ratings based on the context of the impacted device and any mitigating controls.
- Can be automated / scheduled to re-test
- Vulnerability scanning gives you complete visibility into all known security weaknesses present throughout your network
- Prone to giving false positives
- Hard to prioritize remediation efforts due to volume of data provided
- May categorize an item as low risk even if it could be used to gain access to the system
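The human review step described above, as an added example that is not part of the original post: a small Python triage script that takes constructed scanner findings, drops the ones a reviewer has ruled false positives, and re-rates the rest using asset context (internet exposure, business criticality) and verified mitigating controls. The host names, finding titles and scoring weights are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Asset context the scanner cannot see (constructed sample inventory).
ASSETS = {
    "web01":   {"criticality": "high", "internet_facing": True},
    "hr-db01": {"criticality": "high", "internet_facing": False},
    "kiosk07": {"criticality": "low",  "internet_facing": False},
}
# Mitigating controls the reviewer has verified, keyed by (host, finding title).
MITIGATIONS = {("hr-db01", "Outdated database service version"):
               "network ACL limits access to the app tier"}

@dataclass
class Finding:
    host: str
    title: str
    severity: str            # the scanner's own rating
    confirmed: bool = True   # False once a human rules it a false positive

# Constructed scanner output; the kiosk07 patch finding is a false positive
# caused by leftover files from a superseded version.
FINDINGS = [
    Finding("web01", "Outdated web server version", "high"),
    Finding("hr-db01", "Outdated database service version", "critical"),
    Finding("kiosk07", "Missing OS patch", "high", confirmed=False),
    Finding("kiosk07", "Guest account enabled (weak configuration)", "low"),
]

def adjusted_score(f, assets=ASSETS, mitigations=MITIGATIONS):
    """Scanner severity (1-4) adjusted for exposure, criticality and mitigations; returns (score, reasons), 0 if dismissed."""
    if not f.confirmed:
        return 0, ["dismissed as false positive"]
    score, reasons = SEVERITY[f.severity], []
    asset = assets.get(f.host, {"criticality": "medium", "internet_facing": False})
    if asset["internet_facing"]:
        score, reasons = score + 1, reasons + ["internet facing"]
    if asset["criticality"] == "high":
        score, reasons = score + 1, reasons + ["high-criticality asset"]
    elif asset["criticality"] == "low":
        score, reasons = score - 1, reasons + ["low-criticality asset"]
    if (f.host, f.title) in mitigations:
        score, reasons = score - 1, reasons + ["mitigated: " + mitigations[(f.host, f.title)]]
    return max(score, 1), reasons

def prioritize(findings=FINDINGS, assets=ASSETS, mitigations=MITIGATIONS):
    """Drop dismissed findings and sort the rest highest adjusted score first."""
    scored = [(*adjusted_score(f, assets, mitigations), f) for f in findings]
    return sorted((t for t in scored if t[0] > 0), key=lambda t: t[0], reverse=True)
```

Running `prioritize()` on the sample data ranks the internet-facing web server first, the mitigated database host second, and the low-criticality kiosk's weak setting last, with the dismissed patch finding removed entirely.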
Penetration testing goes beyond the vulnerability scan. In a penetration test, the tester may start by performing some level of vulnerability scan to focus their exploitation efforts, although this will likely not be as in-depth. Based on the maturity of your organization’s control environment, you may want to provide a certain level of information to the tester so that they can focus on the threats you are most concerned with. This can be a great way to increase the value of the test without massively increasing the cost.
- Confirmation of the exploitability of vulnerabilities by attackers
- Depending on the scoping, you can verify your detection and response capabilities during the penetration test.
- More expensive due to required skills of the tester and amount of dedicated time
- A specific target or end goal will be described to the tester, which focuses their efforts. Because of this, they may not find everything in the environment, but they will find more granular issues that a more generic vulnerability scan would miss.