Cyber Security: Vulnerability Scanning is Not Penetration Testing
Recently we have seen a lot of confusion about the difference between Vulnerability Assessments and Penetration Testing in the context of Cyber Security auditing. Many Cyber Security vendors have started calling Vulnerability Scanning "Penetration Testing" when, in fact, they are two different types of audit.
What is a Penetration Test?
A penetration test includes a vulnerability scan as one of its phases, but goes well beyond it. Penetration testing is used to find weaknesses in assets that attackers would otherwise use to gain unauthorized access to systems, applications, and networks. By using the same tooling and techniques as real attackers, Penetration testers are able to find and exploit those weaknesses, then offer remediation steps that help an organization better protect and defend itself against these types of malicious attacks.
Because a proper, professional Penetration test has many phases, of which a thorough Vulnerability Scan is only one, Vulnerability Scanning alone is NOT a Penetration test.
What is a Vulnerability Scan?
A Vulnerability Scan is an automated scan that helps spot potential known vulnerabilities in systems and applications. Typically the scanner probes its targets, collects details such as service versions, banners, and configuration, and matches what it finds against a database of known security issues, usually indexed by CVE identifiers (Common Vulnerabilities and Exposures).
While Vulnerability Scan results can give you some insight into possible attack vectors, they are very generic in nature: a version match does not prove a system is exploitable, and a clean scan does not prove it is safe. A scan should therefore be followed by a legitimate Penetration test to confirm which results are accurate, weed out the false positives, and look for the false negatives a scanner misses (business-logic flaws, chained weaknesses, and issues that only show up when someone actually tries the attack). A professional Penetration tester takes the results of the Vulnerability Scan and verifies them through manual testing and research.
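To make the difference concrete, here is an added illustration (not code from the original post, and not any real scanner's logic) of what an automated scanner actually does and why its output needs a human behind it. It takes service banners, matches the version number against a small known-issue database, and produces a finding for every match. It then flags the matches a tester must verify by hand: distributions such as Debian and Ubuntu backport security fixes without changing the upstream version string, so a version-only match is a classic scanner false positive. All hosts, banners, issue IDs, and affected ranges below are constructed for the example and do not describe real systems or real CVEs.

```python
"""Toy version-matching vulnerability scanner (added illustration).

Shows how an automated scanner turns service banners into findings by matching
version numbers against a known-issue database, and why a raw finding still
needs manual validation: Linux distributions backport security fixes without
changing the upstream version string, so a version match alone can be a false
positive. All banners and database entries below are constructed for the
example and do not refer to real hosts or real CVEs.
"""
import re
from dataclasses import dataclass

# Constructed banners, in the form a scanner would collect them (hypothetical hosts).
BANNERS = {
    "10.0.0.5:22": "SSH-2.0-OpenSSH_7.4",
    "10.0.0.6:22": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "10.0.0.7:22": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "10.0.0.8:80": "Server: Apache/2.4.49",
}

# Constructed known-issue database. Real scanners key this on CVE identifiers;
# the ids and affected ranges here are placeholders, not real vulnerabilities.
KNOWN_ISSUES = [
    {"id": "EXAMPLE-SSH-001", "product": "OpenSSH", "affected": ("7.0", "7.6"), "severity": "high"},
    {"id": "EXAMPLE-HTTP-001", "product": "Apache", "affected": ("2.4.49", "2.4.49"), "severity": "critical"},
]

BANNER_RE = re.compile(r"(OpenSSH|Apache)[_/](\d+(?:\.\d+)*)")
# Vendor/distro suffixes that indicate the package may carry backported fixes.
DISTRO_RE = re.compile(r"\b(Debian|Ubuntu|FreeBSD)\b")


@dataclass
class Finding:
    target: str
    issue_id: str
    severity: str
    banner: str
    verify_backport: bool  # True if the banner suggests distro-patched software


def parse_version(text: str) -> tuple:
    """'7.4' -> (7, 4); suffixes like 'p1' are already stripped by BANNER_RE."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner: str):
    """Return (product, version tuple) or None if no supported product is named."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), parse_version(m.group(2))


def version_in_range(version: tuple, low: str, high: str) -> bool:
    """Inclusive range check using lexicographic tuple comparison."""
    return parse_version(low) <= version <= parse_version(high)


def scan(banners: dict, issues: list) -> list:
    """Mimic the automated scan: one finding for every banner/issue version match."""
    findings = []
    for target, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version = parsed
        for issue in issues:
            if issue["product"] == product and version_in_range(version, *issue["affected"]):
                findings.append(Finding(
                    target=target,
                    issue_id=issue["id"],
                    severity=issue["severity"],
                    banner=banner,
                    verify_backport=bool(DISTRO_RE.search(banner)),
                ))
    return findings


def needs_verification(findings: list) -> list:
    """Targets a tester must check by hand before reporting: the version matched,
    but the distro suffix means the fix may already be backported."""
    return [f.target for f in findings if f.verify_backport]


if __name__ == "__main__":
    results = scan(BANNERS, KNOWN_ISSUES)
    for f in results:
        flag = "VERIFY (possible backport)" if f.verify_backport else "version match"
        print(f"{f.target:14} {f.issue_id:17} {f.severity:9} {flag}")
    print("manual validation queue:", needs_verification(results))
```

Run as-is, the scanner reports three findings from four banners, and one of them (the Debian-packaged OpenSSH) is queued for manual verification. Note that the other two are not confirmed either: a version match on an unpatched-looking banner is still only a "potential" result until someone actually attempts the attack, which is exactly the work a Penetration tester adds on top of the scan.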
So if you are looking for a Penetration Test and find one advertised for $99.99 with "Penetration Test" in the title, have a look at what is actually performed; most likely you will see it is an automated Vulnerability Assessment. Professional Penetration Testing costs considerably more than an automated Vulnerability Scan because of the additional skilled labor it requires.
As always, if you have any questions, or need a professional Penetration Test or Vulnerability Assessment for compliance or peace of mind, please feel free to reach out to our team of Cyber Security professionals. You can contact us here or call us at 631-403-1104.