Amid the fallout from Log4Shell, Colonial Pipeline, JBS, and a myriad of other high-profile breaches, cybersecurity is becoming a larger priority in corporate America. While many companies are now cognizant of the risks, some also may be wondering where to begin with threat mitigation.
But before mitigation can begin, companies must identify their cybersecurity vulnerabilities. Proper defense in depth (DiD) depends on it. Vulnerability scanning and pentesting both can help, but each assessment has its strengths, weaknesses, and appropriate uses.
Let’s explore.
Understanding Vulnerability Scanning
Vulnerability scanning identifies cybersecurity vulnerabilities in systems and software that could lead to breaches and/or data exposure. To conduct a vulnerability scan, cybersecurity engineers use software tools that can review entire networks, automatically searching for and identifying known vulnerabilities. While this process is largely automated, cybersecurity engineers control what gets scanned and schedule when scanning takes place. Vulnerability scans yield fast, high-level overviews of potential weaknesses in a company’s defenses.
A vulnerability scan can also reveal a great deal about an information system. For example, it will tell the engineers performing the scan about the software the system is running, whether that software is up-to-date, and whether that software is susceptible to known flaws. These flaws are called Common Vulnerabilities and Exposures (CVEs). Vulnerability scanners cross-reference open-source CVE databases to determine if the system under automated review is susceptible to these known attack vectors.
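The cross-referencing step described above, as an added example that is not part of the original post: a discovered software inventory is matched against advisory records that carry an affected version range. The advisory feed, the `CVE-PLACEHOLDER-*` identifiers, and the host inventory are all constructed sample data, and every match is flagged as unvalidated because, as the post goes on to explain, an engineer still has to confirm it.

```python
# Added illustration of scanner logic: match discovered software versions
# against a known-vulnerability feed. Not code from the original post;
# all advisory records and hosts below are constructed sample data.
from dataclasses import dataclass


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str          # placeholder identifier, not a real CVE number
    product: str
    first_affected: str  # inclusive lower bound of the vulnerable range
    fixed_in: str        # exclusive upper bound: this release carries the fix
    severity: str


# Constructed stand-in for the open-source CVE feed a scanner downloads.
ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-0001", "log4j", "2.0.0", "2.15.0", "critical"),
    Advisory("CVE-PLACEHOLDER-0002", "openssh", "7.0.0", "8.4.0", "high"),
]


def affected(advisory, version):
    """True when first_affected <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(advisory.first_affected) <= v < parse_version(advisory.fixed_in)


def scan(inventory, advisories=ADVISORIES):
    """inventory: (host, product, version) tuples as the discovery phase reports them.
    Returns raw findings; 'validated' stays False until a human triages each one."""
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv.product == product and affected(adv, version):
                findings.append({"host": host, "product": product, "version": version,
                                 "cve": adv.cve_id, "severity": adv.severity,
                                 "validated": False})
    return findings


# Constructed sample inventory: two patched hosts, two exposed ones.
SAMPLE_INVENTORY = [("app01", "log4j", "2.14.1"), ("app02", "log4j", "2.17.0"),
                    ("bastion", "openssh", "8.9.0"), ("legacy", "openssh", "7.4.0")]

if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(finding)
```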
Some industry standards even mandate vulnerability scanning. For example, companies that process credit card data must regularly perform vulnerability scans to maintain Payment Card Industry Data Security Standard (PCI-DSS) compliance.
While vulnerability scans are efficient and comprehensive, they are not useful in isolation. The data they produce require human interpretation. For example, a vulnerability scan can identify a vulnerability, but only a human can ask the relevant questions to determine whether the finding is legitimate, whether a malicious actor can exploit it, and ascertain the potential impact on the company if it were exploited.
This is where penetration testing, conducted by skilled cybersecurity engineers, excels.
Understanding Penetration Testing
You can think of penetration testing (commonly referred to as pentesting) as a simulation of a cyberattack carried out by a malicious actor. A company hires a cybersecurity firm to breach their defenses and explain how they got in, what information they could have taken, and what damage they could have done. Pentesting differs from vulnerability scanning in several key ways.
The first is comprehensiveness. Penetration testers, known as pentesters, usually aren’t looking to enumerate all the ways they could breach a company’s defenses. Like real malicious actors, they’re looking for any way into a company's digital infrastructure. Once inside, they try to move laterally through networks, escalate their access privileges, and identify the sensitive data that an actual malicious actor could exfiltrate and/or ransom. Pentesters may use a vulnerability scanner to quickly identify possible exploits, but given time constraints, the goal isn't to attempt every exploit. Instead, pentesters prioritize actions based on the severity of the exploit and the likelihood of successful exploitation.
The second differentiator of pentesting is the reporting, which is far more nuanced than vulnerability scanning and includes human-generated insights and explanations. At the conclusion of a penetration test, pentesters report on how they got in, what data they could have exfiltrated, and steps the contracting company can take to mitigate the threats that the pentest exposed.
The final differentiator is social engineering. Pentesting firms often offer social engineering tests, which use tactics to test not just your digital defenses, but also your human defenses. Many malicious actors gain footholds in companies by exploiting employees -- tricking them into downloading malware or revealing sensitive information such as account credentials -- which can lead to network compromise. Pentesters will often use social engineering tactics, such as phishing, spear phishing, and vishing (voice phishing) to gain a foothold in an organization. This is a great way of assessing your organization’s baseline cybersecurity awareness, and it’s also something that a vulnerability scan just can’t do.
But to be clear, vulnerability scanning is still an incredibly useful tool to have in your company's cybersecurity kit. Both vulnerability scanning and pentesting have effective use cases.
The Pros and Cons of Vulnerability Scanning
First, let’s look at vulnerability scanning:
The Pros of Vulnerability Scanning
- Speed: Depending on the size of the network under review and the scan’s configuration, a vulnerability scan can take anywhere from 1-10 hours or more.
- Price: Vulnerability scans are more affordable than penetration tests. At a lower price point, companies can hire a cybersecurity firm to run these scans regularly and report any changes, or purchase software to run the scans themselves.
- Automation: Set it and forget it. Vulnerability scans can run on a pre-configured schedule, such as monthly or weekly. Cybersecurity engineers must still review the results, however.
The Cons of Vulnerability Scanning
- Interpretation: Vulnerability scans are automated, to a point. The results require validation. For example, a scan could produce what it understands as a high-risk finding, declaring that communication between a web browser and server is unencrypted. However, a cybersecurity engineer could review the website, notice that it’s an informational, static site with no functionality like input forms, for example, and determine that no practical attack vector exists. The vulnerability scanner produces the finding with the assumption that sensitive data, such as passwords or credit card information, is being transmitted over an unencrypted connection, and without any awareness of the site’s limited functionality or compensating security controls that eliminate any real security threat. Conversely, vulnerability scanners (even paid, premium products) can return false-negative results, and without the expertise to manually validate, this can provide a false sense of security.
- Social engineering: Vulnerability scanning does not account for the human element, specifically how a malicious actor could manipulate employees into granting unauthorized access or divulging sensitive information. Vulnerability scans only outline technical attack vectors that a human could exploit.
- Defense in Depth (DiD): DiD is a cybersecurity best practice that seeks to layer security controls across the domains of technology, people, and processes. A vulnerability scanner is not programmed to understand the nuances of DiD and only evaluates a small slice of technology controls. It does not test the domains of people and processes, and, regarding technology controls, is mostly limited to OSI layers 3-5, meaning it cannot comprehensively assess a company’s security posture in many contexts. Vulnerability scanning is also unable to evaluate potential vulnerabilities that require manual action, such as HTTP request tampering and user privilege escalation, both of which occur at OSI layers 6 and 7.
The Pros and Cons of Penetration Testing
Now, let’s look at pentesting:
The Pros of Penetration Testing
- Human intelligence: A vulnerability scan reveals technical weaknesses, but only a human can exploit those weaknesses, mimicking a malicious actor. Pentesters combine their technical knowledge and skills with real-time research and decision-making abilities to maximize the effect of an exploit. If a chosen vector doesn’t work, they can switch to another or use multiple tactics to achieve their goal, even discovering and working around compensating controls if necessary. Technology stacks, vulnerabilities, security controls, and network size are all pieces of a complex puzzle that only human intelligence can truly solve.
- Defense in Depth: Unlike vulnerability scanning, pentesting covers a larger scope of a company’s DiD security architecture, including technology, people, and processes. Penetration testers use multiple tactics to understand and attempt to exploit vulnerabilities in a company’s DiD strategy. For example, a penetration tester could discover that a company does not use input sanitization to protect against SQL injection, but instead uses a web application firewall as a compensating control, which is one component of DiD architecture. Using the Swiss Cheese graphic above to illustrate this, you can see that a penetration test would discover a more comprehensive picture of the technology controls -- that a compensating control is being used as another layer of cheese in lieu of a big hole in the outer layer of cheese, the absence of input sanitization.
- Social engineering: A vulnerability scan will not test your employees’ end-user awareness. Pentests put your technical and human defenses to the test. Social engineering testing, when combined with a pentest, provides a more comprehensive roadmap to cyber threat mitigation than vulnerability scanning alone. Employees must be trained to spot and report social engineering attacks, such as phishing, spear phishing, and vishing, and a pentest combined with social engineering testing highlights where they need help.
- Customization: While a cybersecurity engineer can adjust certain vulnerability scanning parameters, a penetration test is completely customizable to the needs of the contracting company. Before a pentest takes place, the company undergoing the test can decide what systems are within the testing scope, what tactics are on the table, and which employees can be targeted. A pentest can be broad, encompassing a company’s entire digital footprint, or it can be specific, targeting a single web application or specific segments of the external or internal network.
- Reporting: Pentests provide detailed reports describing the weakest points of a company's cybersecurity posture, such as which vulnerabilities were exploited and the depth of compromise that occurred. Moreover, a quality pentest report will rank the severity of these exploits and provide a roadmap to addressing them, taking into account company-specific factors such as remediation cost and ease of implementation.
The Cons of Penetration Testing
- Cost: Penetration tests require more time, effort, and human resources than a vulnerability scan and are consequently more expensive. While the price tag may be higher, no other cybersecurity test is as comprehensive.
- Time: From reconnaissance to actual exploitation, to documentation, and finally reporting, penetration tests take longer than vulnerability scans. But good things take time.
Choosing an Option
While both vulnerability scanning and penetration testing have associated costs, recovering from a ransomware attack is far costlier. A 2021 Sophos report found that the average recovery cost for a ransomware attack was $1.85 million that year, up from about $761 thousand the year prior.
Vulnerability scanning and penetration testing are money well-spent. They work best together and on a schedule. At a minimum, you, or a third-party vendor, should perform regular vulnerability assessments. The cybersecurity industry standard is to have at least one annual penetration test. GoVanguard also recommends following up with a retest to ensure that remediation efforts were effective. Frequency needs may change if your company undergoes significant network infrastructure changes, a new zero-day exploit is discovered, or if compliance requirements change.
Ultimately, vulnerability scanning and penetration testing serve different but complementary purposes, both of which are critical. Vulnerability scanning is more of a maintenance best practice, whereas penetration testing assesses whether a human could compromise your network.
Timing matters when deciding to conduct a vulnerability scan or a pentest. For example, if your cybersecurity basics aren’t covered, such as mapping your attack surface and environment, creating cybersecurity policies, and laying out a disaster recovery plan, all that either assessment will reveal is that these bedrock cybersecurity principles must be addressed first. While that may seem intimidating, your company can handle many of these basics at low or no cost.
Once you’ve addressed these basics, you’re ready for vulnerability scanning and pentesting. The tactics of malicious actors are constantly evolving, and so should your defenses.