In our previous tutorial we learnt what penetration testing, or pen testing, is. Today we will look at the difference between penetration testing and vulnerability scanning (or assessment). Most users believe that penetration testing is just a vulnerability scan, but that is a myth: a vulnerability scan or assessment is just one step of penetration testing, i.e. vulnerability scanning is a subset of penetration testing. A vulnerability scan or vulnerability assessment is limited to scanning for known vulnerabilities and reports potential exposures of a web-based or network-based IT system.
A vulnerability assessment is the process of running automated tools against defined systems to identify known vulnerabilities or flaws in the environment. Vulnerabilities typically include unpatched or misconfigured systems. The purpose of a vulnerability scan is to identify known vulnerabilities so they can be mitigated, normally through vendor-supplied patches.
Penetration testing takes the vulnerability assessment to the next level. One of the initial phases of a penetration test is a vulnerability scan used for information gathering: IP addresses, device types, operating systems, running services and the vulnerabilities present on the systems. Unlike a vulnerability scan, however, the penetration tester does not stop there. The next phase of a penetration test is exploitation, which takes advantage of the vulnerabilities identified in the system to escalate privileges, gain control of the network or steal sensitive data from the system. The exploitation phase also uses automated tools, which the penetration tester can configure to execute automated exploits against the systems. However, one key difference between penetration testers is their ability to also perform manual exploits of the system.
Although vulnerability assessment and penetration testing have different goals, both should be performed by a skilled information security professional to improve the overall security of the information system. The penetration test should be performed at least annually, and after significant changes in the information systems environment, to identify exploitable vulnerabilities that may give a hacker unauthorized access to the system. The vulnerability assessment should be performed regularly to identify and mitigate known vulnerabilities on an ongoing basis.
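To make the recurring vulnerability assessment concrete, here is an added sketch (not code from the original article or from any scanner product) that matches a host inventory against a list of known issues and reports what changed since the previous run. All host names, product names, versions and advisory IDs are constructed placeholders.

```python
# Constructed known-issue feed: (product, first fixed version, placeholder advisory id).
KNOWN_ISSUES = [
    ("acme-sshd", (9, 6), "ADVISORY-0001"),
    ("acme-httpd", (1, 24), "ADVISORY-0002"),
]
# Constructed misconfiguration checks: setting name -> placeholder finding id.
RISKY_SETTINGS = {"telnet_enabled": "CONFIG-0001", "default_credentials": "CONFIG-0002"}

def parse_version(text):
    """Turn '1.22.1' into (1, 22, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def scan(inventory):
    """Return the set of (host, finding id) pairs for one scan run."""
    findings = set()
    for host in inventory:
        for product, version in host["software"].items():
            for known_product, fixed_in, advisory in KNOWN_ISSUES:
                # Unpatched: installed version is older than the first fixed one.
                if product == known_product and parse_version(version) < fixed_in:
                    findings.add((host["name"], advisory))
        for setting, enabled in host["settings"].items():
            # Misconfigured: a risky setting is switched on.
            if enabled and setting in RISKY_SETTINGS:
                findings.add((host["name"], RISKY_SETTINGS[setting]))
    return findings

def delta(previous, current):
    """Compare two scan runs: what is new, what was fixed, what is still open."""
    return {
        "new": sorted(current - previous),
        "resolved": sorted(previous - current),
        "open": sorted(current & previous),
    }

# Constructed inventories for two consecutive scan runs.
LAST_SCAN = [
    {"name": "web01", "software": {"acme-httpd": "1.22.1"}, "settings": {"telnet_enabled": False}},
    {"name": "db01", "software": {"acme-sshd": "9.3"}, "settings": {"default_credentials": True}},
]
THIS_SCAN = [
    {"name": "web01", "software": {"acme-httpd": "1.24.0"}, "settings": {"telnet_enabled": False}},
    {"name": "db01", "software": {"acme-sshd": "9.3"}, "settings": {"default_credentials": False}},
    # Newly added equipment shows up in the scan for the first time.
    {"name": "app02", "software": {"acme-sshd": "9.1"}, "settings": {"telnet_enabled": True}},
]

if __name__ == "__main__":
    for status, items in delta(scan(LAST_SCAN), scan(THIS_SCAN)).items():
        print(status, items)
```

The output only lists issues already present in the feed, which is the limit of a scan; whether any of them is actually exploitable in this environment is what the penetration test establishes.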
I found the list of differences between penetration testing and vulnerability scanning by Berkeley Security quite interesting, so I am sharing it with all of you.
| | Vulnerability Scan | Penetration Test |
|---|---|---|
| How often to run | Continuously, especially after new equipment is loaded | Once a year |
| Reports | Comprehensive baseline of what vulnerabilities exist and changes from the last report | Short and to the point, identifies what data was actually compromised |
| Metrics | Lists known software vulnerabilities that may be exploited | Discovers unknown and exploitable exposures to normal business processes |
| Performed by | In house staff, increases expertise and knowledge of normal security profile | Independent outside service |
| Required in regulations | FFIEC; GLBA; PCI DSS | FFIEC; GLBA; PCI DSS |
| Expense | Low to moderate: about $1200 / yr + staff time | High: about $5,000 per year outside consultancy |
| Value | Detective control, used to detect when equipment is/could be compromised | Preventative control used to reduce exposure |
That’s all about the difference between penetration testing and vulnerability scanning. We can conclude that a vulnerability scan is basically the first phase of penetration testing. Keep Learning and Keep Connected.
References:
1. Berkeley Security, University of California
2. A-lign – Ask A-lign
tapan deka says
hack
Lokesh Singh says
Testing new settings.