Scanning versus Penetration Testing

Scanning a network to check for vulnerabilities is an important exercise, but should not be confused with Penetration Testing, a process that looks for security weaknesses and launches various attacks in order to gain access to a system.  Although the two are closely related, the objectives are different.

A vulnerability scan checks for known vulnerabilities and generates a report, and can be run by a security specialist or even an average user.  This is an important first step in reducing overall risk, as most vulnerabilities can be addressed and reduced, if not removed entirely.  For example, if we had a weak password as a vulnerability, the password could be made stronger, thus removing the vulnerability.

A penetration test uses the vulnerability scan to try to gain access to a computer system. In most cases, penetration testers require a broader range of knowledge along with various levels of expertise in all aspects of computer systems such as operating systems, databases, web servers and network devices.  Once done, a thorough report is written that includes methodology and detailed findings, along with possible solutions to address the weaknesses in the system.

Vulnerability scanning should be done on a regular basis, and issues addressed as soon as possible to prevent an attack. Use prior scans as a baseline to see if vulnerabilities increase, decrease, or stay the same. Some common scanners include Nessus, Nipper and Saint.  A list of scanners and a short description can be found at http://sectools.org/tag/vuln-scanners/.
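One way to use a prior scan as a baseline, as suggested above, is to diff the two reports by host and check id and report what was fixed, what is new, and what persists. This is an added example, not code from the original article or from any scanner product; the finding format (dicts with host, plugin_id, name, severity) and the sample findings are constructed assumptions.

```python
"""Compare a baseline vulnerability scan with a later scan (added example)."""
from collections import Counter

# Constructed sample findings; a real export would come from the scanner's report.
BASELINE = [  # last month's scan
    {"host": "10.0.0.5", "plugin_id": "SSH-WEAK-MAC", "name": "Weak SSH MAC", "severity": "Medium"},
    {"host": "10.0.0.5", "plugin_id": "TLS-1.0", "name": "TLS 1.0 enabled", "severity": "Medium"},
    {"host": "10.0.0.9", "plugin_id": "DEFAULT-CREDS", "name": "Default credentials", "severity": "Critical"},
]
CURRENT = [  # this month's scan
    {"host": "10.0.0.5", "plugin_id": "TLS-1.0", "name": "TLS 1.0 enabled", "severity": "Medium"},
    {"host": "10.0.0.9", "plugin_id": "DEFAULT-CREDS", "name": "Default credentials", "severity": "Critical"},
    {"host": "10.0.0.12", "plugin_id": "SMB-SIGNING", "name": "SMB signing not required", "severity": "High"},
]


def _key(finding):
    # A finding is identified by host plus the scanner's check id (assumed field
    # name plugin_id); names and severities may change between scanner updates.
    return (finding["host"], finding["plugin_id"])


def compare_scans(baseline, current):
    """Return fixed / new / persisting findings (sorted by key) and an overall trend label."""
    base = {_key(f): f for f in baseline}
    cur = {_key(f): f for f in current}
    fixed = [base[k] for k in sorted(base.keys() - cur.keys())]
    new = [cur[k] for k in sorted(cur.keys() - base.keys())]
    persisting = [cur[k] for k in sorted(cur.keys() & base.keys())]
    if len(cur) > len(base):
        trend = "increase"
    elif len(cur) < len(base):
        trend = "decrease"
    else:
        trend = "same"
    return {"fixed": fixed, "new": new, "persisting": persisting, "trend": trend}


def severity_counts(findings):
    """Count findings per severity, e.g. to track whether the Critical count is shrinking."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    result = compare_scans(BASELINE, CURRENT)
    for label in ("fixed", "new", "persisting"):
        for f in result[label]:
            print(f"{label:10} {f['host']:10} {f['severity']:8} {f['name']}")
    print("trend:", result["trend"], "| current by severity:", severity_counts(CURRENT))
```

A persisting Critical finding across two scans is the item to escalate first, since the baseline shows it was already known and not remediated.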

Penetration testing should be done once a year, and should use many tools and techniques.  However, the expertise of the tester is as essential as the tools. Many times it is conducted by an outside firm.

Let’s compare and contrast.

Vulnerability scanning and penetration testing are both essential in an organization.  Many times both are required by regulations such as PCI, GLBA, Sarbanes-Oxley, HIPAA or FISMA.

Vulnerability scanning can be considered detective, in that we learn what the vulnerabilities are.

Penetration Testing can be considered defensive because now we take steps to reduce the risk.

To learn more about basic concepts of IT security, check out my series “Foundations of IT Security” in the lynda.com library. Click here to start your free trial!

This is a wonderful breakdown. Thanks for sharing!
