When you create technology attached to the Internet, be it a website, app or a network server, you have to realize you’re going to be the target of hackers. There are plenty of tools to protect yourself from these attacks, but two of them people tend to get confused are penetration tests and vulnerability scans. These are very distinct tools that can be used in tandem to check your product to ensure that it can stand up to attacks from hackers.
A vulnerability scanner is an automated tool (or suite of tools) used to locate vulnerabilities on a computer product. Think of it as an automated hacker who can run thousands of security checks to look for vulnerabilities in the system.
It’s important to run a scan when you first create a network-based product, and performing a vulnerability scan regularly (weekly or monthly) will ensure the system is still functioning properly. All INSUREtrust policyholders receive free vulnerability scans of up to three external facing IP addresses. Sign up by going to https://www.insuretrust.com/assuretrust/.
Scott Sailors of INSUREtrust vendor partner Business Technology Solutions defines these scans as “automated scans to identify common vulnerabilities. Some vulnerability scans can be validated, which typically requires a little more hands-on work to identify true vulnerabilities and remove false positives.”
While vulnerability scans can be programmed to look for a series of known vulnerabilities, they cannot “think” in the traditional sense, nor work creatively, like a real hacker might. Thus, the necessity for penetration testing.
A penetration test (or “pen test”) is a real, live hacking attempt performed on your product to find vulnerabilities and problems with it. In this situation, a cybersecurity expert acts as a real hacker might to target your product with the intention of finding how to disrupt or crash it.
“Penetration tests go beyond vulnerability assessments in the way that vulnerabilities are identified and then exploited to show how they can be used by a malicious actor,” explains Sailors. “Penetration tests also produce vulnerabilities that will not show up on an automated scan. An example of this is that a vulnerability scan may list SMB-Signing as being disabled. Penetration testing will combine this with an SMB Relay attack to potentially gain access to a separate system. Vulnerability scanning will not go this far.”
In essence, an automated scan does has limitations because it can only follow its linear programming. It cannot think as creatively as a human hacker who moves “out of the box” to come up with unusual attacks that a programmed scanner may not have.
Sailors adds that “Vulnerability scanning will not determine weak password attack vectors, but penetration tests will use these to gain access.” Here, it’s obvious that the real-live “hackers” can give a truer sense of what could happen in the event of an actual cyberattack. Think of this as a reconnaissance mission of your product. The security pros are like soldiers checking out the terrain of your product to see where other cyber soldiers can take advantage of weaknesses to break in.
The Truth About Vulnerability Scans vs. Penetration Tests
When it comes to keeping your network safe, it’s important to use all of the tools at your disposal. Vulnerability scans, being automated, are cheaper to run and can be used over and over to test for expanded vulnerabilities as they are discovered online. However, penetration testing gives a much deeper understanding of where your vulnerabilities lie because you’re using live hackers who can think and respond better than a machine might, giving you a better overall sense of how secure your network is.