Security Essentials Series – Vulnerability Scans vs Penetration Tests

Our Cyber security basics series continues with a look at whether your current situation requires vulnerability scans or penetration testing. Or perhaps both?

What is  Vulnerability Scan?

Knowledge is power, so understanding your organisation’s vulnerabilities and how to remediate them is essential in avoiding a cyberattack. A vulnerability scan uses an automated scanning tool that can help you to identify and understand the vulnerabilities within your networks and support you in eliminating them.

A vulnerability scan is part of a vulnerability assessment, which is often part of a Risk Management Strategy. Such a scan is used to provide a prioritised list of vulnerabilities within your organisation’s networks – Critical, High, Medium, and Low vulnerabilities.

These scans are necessary because of the dependency we have as businesses on information technology such as the cloud, social media, and Internet of Things (IoT) devices to store and process information assets.

Cyber threats are continually adapting and changing as the landscape in which we operate evolves – approximately 15,000 vulnerabilities are discovered each year, so vulnerability scans should be done at least annually to support your protection from cyber threats.

Cyber Essentials Plus involves a thorough vulnerability assessment, including a report of the vulnerabilities discovered within your organisation’s networks, with an order of priority to aid implementation of any necessary changes or updates.

The prioritisation of vulnerabilities is a useful tool for IT departments because it can be a challenging task for them to ensure all software is always up to date, so by having a report ranking their ‘to do’ list in priority order, they can begin to eliminate vulnerabilities in order of importance.

Most cyberattacks exploit known vulnerabilities, which is why it is important to ensure that software updates, patches and fixes are taken care of.

What is a Penetration Test?

Penetration testing is designed to expose vulnerabilities in your software, networks, applications, and operating systems giving your organisation the opportunity to secure them before attackers exploit them. Penetration testing helps you to mature your organisation’s security by understanding how you could, and likely would be attacked, and what preventative measures you can take to secure your information assets.

Having a penetration test is an integral part of a comprehensive security program, as it is a simulated attack on your organisation’s specific systems or entire IT infrastructure that mimics the strategies and methods attackers use to compromise your information assets. It is performed by a penetration tester – a person skilled in the process of locating and exploiting weaknesses in your systems.

Depending on the areas you want assess for vulnerabilities, penetration tests will have a different mission profile. For example, the mission profile for hacking into a specific system will be different to if you want to breach a database or find a ‘hackable’ system.

Steps for designing a penetration test:

1. Assess the scope of the test
2. Consider your most valuable data asserts
3. Appoint the penetration tester and set objectives for the test
4. Execute the test to determine what kind of data could be stolen
5. Read the test report and consider the recommendations made

A quality penetration test gives deep insight into the organisation’s security posture and identifies how to prioritize any vulnerabilities found in the test. The report should also include measures you can take to eliminate the vulnerabilities and improve your security maturity.

Do I need a Vulnerability Scan or a Penetration Test?

Deciding whether you need a vulnerability scan, or a penetration test can be tricky because the two are sometimes confused. Both services, however, aim to discover potential vulnerabilities to prevent exploitation by cyber criminals.

A vulnerability scan is a simple to do scan that focuses on obvious weaknesses, for example, if we compare it to a thief trying to break into your home, they may look for open windows and unlocked doors. Whereas a penetration test offers a more in-depth test; again, if we compare this to a thief breaking into your home, the thief may gain access to your house by picking a lock or pushing on all the windows to find an open one.

Ideally your organisation should include both vulnerability scans and penetration tests in your Security Management procedures. Vulnerability scans can be done monthly as a maintenance procedure, to ensure that vulnerabilities don’t go unnoticed for a long period of time. Penetration tests should be done at least annually or after significant changes to your systems.

The process doesn’t end once you have carried out either a vulnerability scan or a penetration test. You will then need to remediate any vulnerabilities that were found. It is advisable to start remediation with the vulnerabilities that will have the biggest impact if they are exploited.

If you need help with understanding what your organisation needs, feel free to contact us here at Secarma on 0161 513 0960 and speak to our Business Development Team who will be happy to support your security needs.