Vulnerability Scanning vs. Penetration Testing – How They Differ

June 19, 2019 at 1:02 PM

Throughout my years as an IT Security Auditor with Compass IT Compliance, I have had the opportunity to meet a variety of different people, from Boston to Los Angeles, and everywhere in between. During that time, I have been asked on multiple occasions what the differences between a vulnerability scan and a penetration test are, as well as the differences between an internal vulnerability scan / penetration test and an external vulnerability scan / penetration test. Vulnerability scanning and penetration testing are both powerful tools that can greatly enhance the overall security posture of an organization. When people understand the differences between the two, their overall network security will improve, and the potential for cyber-crimes against their organization will be reduced.

Vulnerability scans can be automated or manual. Regardless of how they are conducted, the objective is to search network systems for known vulnerabilities so that system administrators can patch and repair them in a timely manner. Regular vulnerability scanning is necessary to maintain a good information security program. Many frameworks require regular vulnerability scanning; an example is the Payment Card Industry Data Security Standard (PCI DSS), which requires quarterly internal and external scanning depending on the organization's merchant level. A good rule to follow when conducting scans is to always scan new pieces of equipment before they're deployed into the environment. If any changes to equipment occur, a scan should be conducted to detect any missing patches and any outdated services, certificates, and / or protocols.
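The scanning rules above (regular scans, a scan before new equipment is deployed, a rescan after any change) can be checked against an asset inventory. The following Python is an added example, not code from Compass IT Compliance; the Asset fields, the 90-day approximation of "quarterly", and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: "quarterly" is approximated as 90 days; set this to your policy.
MAX_SCAN_AGE = timedelta(days=90)

@dataclass
class Asset:
    name: str
    deployed: Optional[date]     # None = staged, not yet in the environment
    last_change: Optional[date]  # most recent hardware/software/config change
    last_scan: Optional[date]    # most recent completed vulnerability scan

def scan_due_reasons(asset: Asset, today: date) -> list:
    """Return the reasons an asset is due for a vulnerability scan."""
    if asset.last_scan is None:
        if asset.deployed is None:
            return ["new equipment: scan before deployment"]
        return ["deployed without any recorded scan"]
    reasons = []
    # A change made after the last scan may have introduced missing patches
    # or outdated services, certificates, or protocols.
    if asset.last_change is not None and asset.last_change > asset.last_scan:
        reasons.append("changed since last scan")
    if today - asset.last_scan > MAX_SCAN_AGE:
        reasons.append("last scan older than quarterly window")
    return reasons

def assets_due(assets, today: date) -> dict:
    """Map asset name -> reasons, omitting assets that are up to date."""
    return {a.name: r for a in assets if (r := scan_due_reasons(a, today))}

# Constructed sample inventory (hypothetical names and dates).
SAMPLE_TODAY = date(2019, 6, 19)
SAMPLE_INVENTORY = [
    Asset("fw-edge-01", date(2018, 1, 10), date(2019, 6, 1), date(2019, 5, 15)),
    Asset("db-core-02", date(2017, 3, 2), date(2018, 11, 20), date(2019, 2, 1)),
    Asset("sw-new-07", None, None, None),
    Asset("web-03", date(2018, 9, 1), date(2019, 4, 2), date(2019, 5, 30)),
]

if __name__ == "__main__":
    for name, reasons in assets_due(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{name}: {'; '.join(reasons)}")
```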

Internal and external vulnerability scans differ only in where they are conducted. An external scan is performed from outside of the network on network systems with external IP addresses, looking for vulnerabilities that outside attackers could use to launch attacks against the organization. An internal vulnerability scan looks for vulnerabilities within the internal network that employees of the organization may be able to exploit if given the opportunity. Both types of scans are important, each serves its own purpose in enhancing the overall security of an organization, and neither should be overlooked when assessing the risk of your company.

A penetration test, often referred to as a “pen test”, is quite different from a vulnerability scan. A penetration test attempts to exploit identified weaknesses, insecure business processes, or lax security settings that a malicious actor could use in an attack. The weaknesses it targets may come from the results of a vulnerability scan. During a penetration test, the transmission of unencrypted passwords, password reuse, and forgotten databases storing valid user credentials could be discovered. Unlike vulnerability scans, penetration testing does not need to be conducted as often but should follow some of the same rules outlined for vulnerability scanning. If any new pieces of equipment are added or significant changes to the equipment are made, a penetration test should be considered.

Like vulnerability scanning, penetration testing can be conducted both internally and externally, with the difference being where the tests are conducted. External penetration tests are performed from outside of the network on network systems with external IP addresses; one may picture the stereotypical hacker in a dark, secluded area attempting to break into a restricted area. Most organizations prepare for these types of attacks and have numerous systems in place to protect the organization. The second type of penetration testing is internal. Typically, individuals that perform these types of tests will be granted access to the organization's internal network and conduct testing to see what access employees have to systems and whether they can be exploited.

Compass IT Compliance has been conducting both vulnerability scanning and penetration testing for nearly a decade and can further address any questions you may have on the two services. Contact us today to learn more!
