Penetration Testing vs. Vulnerability Scanning. Is There a Difference?

Yet, trying to get organisations to part with their cash and secure their environment has never been easy. Finally, however, after years of increasingly regular news stories getting closer and closer to home, cyber security is finally starting to receive the investment it warrants.

That said, your customers still aren’t ready to throw five or six-figure sums around to secure all end points within their environment. As the Chinese proverb goes: ‘A journey of a thousand miles begins with a single step’, so before we get to the holy grail of your customers looking to you for a fully managed SOC that provides you with a healthy recurring revenue stream, let’s discuss the differences between two common and easily transacted approaches to opening up the cyber security conversation: penetration testing and vulnerability scanning

Penetration Testing

Pen testing actively inspects internal and internet facing applications or websites for flaws and loopholes which could be exploited by attackers, usually carried out by a security operations centre analyst or team. Some key reasons for conducting a penetration test include:

• Demonstrating the real-world attack vectors that could compromise an organisation’s data, assets, or even people. Many loopholes within an environment will be unknown at the time of testing, providing vital intelligence which can save your customers’ revenue and reputation in the long run.
• Reinforcing existing cyber security policies and strategies by making end users aware of their part to play. The most robust of security strategies can be undermined by human error. Phishing can form part of a penetration test and should always empower end users, rather than pointing the finger at them.
• Help prioritise cyber security spend. While you may want your customers to dive straight in, invest big in security and forget about it, they’ll most likely appreciate an approach which identifies key areas of weakness, followed by manageable steps to help secure them. This will build trust between you and them as their trusted service provider, as well as ensure their investment in cyber protection is shrewd.

Vulnerability Scanning

Unlike penetration tests, vulnerability scans are typically carried out using automated tools such as Tenable, Netsparker, OpenVAS, Arachni, Nexspose or Qualys. The idea behind these scans is to identify known weaknesses in an environment such as unapplied patches, out-of-date software versions, or gaps in the network – whereas a pen test will attempt to exploit weaknesses both known and unknown. Reasons for performing a vulnerability scan could include:

• Sanity checking changes to an environment such as patch updates or new hardware. This can be done soon after a change has been made, or at regular intervals between an annual penetration test to make sure nothing will slip through the cracks.
• To give a specific use-case, a newly hired IT or facilities manager may want to gain a basic understanding of existing vulnerabilities before determining next steps. Vulnerability scans a perfect for providing an at-a-glance snapshot of the current situation.
• Acting on announcements regarding software vulnerabilities. Often these vulnerabilities are publicised by the vendor, and the race begins between organisations and cyber criminals. A targeted scan after such an announcement can allow the security flaw to be patched before it is exploited.

Both approaches can help your customers achieve their own compliance requirements while strengthening their business continuity policy and can provide a firm foot in the door for future investment in a more robust cyber security posture. If security services aren’t yet part of your solutions portfolio, you can be sure that someone else is talking to your customers about it.

Our dedicated team of cyber security practitioners are available to help your customers take the first step in the journey towards a secure IT environment. Read more about our security services and get in touch with your account manager if you’d like to learn more.