Vulnerability Scan V Penetration Testing – Why Best of Both is Best
Nearly half of UK businesses fell victim to cyber-attacks or security breaches in 2018, costing each one thousands of pounds.
The 2018 Cyber Security Breaches Survey found 43 per cent of businesses had reported cyber security breaches or attacks during the 12 months prior to the report being published, a figure which rose to as much as 72 per cent among enterprise-level organisations.
The threat of cyber-attack is increasing by the day, and businesses need to be aware it’s quickly becoming a case of ‘when’ not ‘if’ an attack will happen. With awareness of the risk on the rise, it surprises me just how many businesses still confuse vulnerability scanning and penetration testing.
What is Vulnerability Scanning?
Vulnerability Scanning is the act of identifying potential vulnerabilities (known as CVEs) in software such as Microsoft Windows, Apache Web Server and Adobe Acrobat Reader, or in hardware such as firewalls, routers, switches and servers.
As an example of just how damaging up-patched vulnerabilities can be, you only have to Google ‘EternalBlue’. This CVE in Microsoft’s Windows operating system was developed by the US’ NSA, leaked by the Shadowbrokers Hacking Group in 2017, and subsequently used to launch the WannaCry ransomware attack. This devastating global cyber-attack caused 200,000 computers to lock-out users with red-lettered error messages demanding the cryptocurrency Bitcoin, and crippled computers in hospitals across the UK at a cost to the NHS of £92m.
Despite the devastation caused by major cyber-attacks, it is worth pointing out that exploiting vulnerabilities is actually no easy task, and not every vulnerability is open to exploitation. But that doesn’t mean that the risks shouldn’t be taken seriously.
Vulnerability Scanning focuses on finding potential and known vulnerabilities across your entire business network. Scans can be run on any number of assets to ascertain known CVEs, as well as looking at versions of files and behaviours to understand if any part is susceptible to a given CVE. Whilst a typical server may have in excess of 100 CVEs, most are minor and require no immediate action, but scanning ensures your business can then work to eliminate the more serious vulnerabilities affecting your valuable resources.
The business risk of vulnerability scanning is relatively low. It’s a safe exercise, and whilst it can slow things down a little it rarely causes any real impact to your business. Vulnerability scanning is a detective control rather than a preventive measure, hence the need for Penetration Testing as well.
What is Penetration Testing?
Penetration Testing is the act of trying to exploit the CVEs on your systems whilst evading your anti-virus / Intrusion Prevention Systems (IPS) / firewalls etc. It is common to take a vulnerability scan and use the results of this to drive further Penetration Testing.
Penetration Testing requires skill and experience. Many large organisations will have the expertise in-house, but it’s worth noting that some regulations stipulate you must employ independent, external penetration testers.
Penetration testing can operate at application-level, network-level or be specific to a function, department or a number of assets. Prior to any test, a consultant will scope out your requirements from both a technical and business purpose, as well as from a practical implementation perspective – how long will the test take, how high risk is it and so on.
Where potential CVEs are identified, an exploit from one of the exploit frameworks (like Core Impact) will be deployed, essentially meaning that the tester will attempt to get into and install an “agent” on the system. If a pen-tester “gets in” then you have a very serious issue. So, whilst it’s more expensive and risky than Vulnerability Scanning, it’s essential to understanding risks, and certainly costs a lot less than the alternative.
Not an either/or scenario
Both vulnerability scanning and penetration testing feed into a holistic cyber risk analysis process, and are required by standards such as PCI-DSS and ISO. By working in tandem they can reduce risk, but to get the most out of them, it’s very important to know the difference – each is important, and each has a different purpose and outcome.
Vulnerability scanning cannot replace the importance of penetration testing, and penetration testing on its own cannot secure your entire network.
Best of Both
Simply put – it’s not a case of Vulnerability Scanning versus Penetration Testing. It’s all about your “attack surface” – the sum of the different points where an attacker can try to enter data to or extract data from your environment. Keeping your attack surface as small as possible is a basic security measure, and the best way to limit your vulnerability is by deploying both services.
Attacks will only get more sophisticated, as there is big money in bringing down websites, software, applications and internet services, whether it be for purely financial, political or ideological purposes.
S4 Applications can help you understand your attack surface, and provide the tools and experience to help you scan, prioritise, test and remediate vulnerabilities.
What to do first? See our maturity model that explains which products you start with and how to compliment them as your experience grows.
Want to know more about the best pen-test tool on the market?