Vulnerability Assessment and Penetration Testing Difference

Penetration Testing Vs Vulnerability Scanning:

At times, I have seen testers and business owners getting mistaken to understand the basic idea behind penetration test and vulnerability scan.

They both are often confused as the same services. When the business is unable to decide whether to go for penetration test or vulnerability test. Is penetration testing same as vulnerability testing or are they different? If they are different then are they related? Which one to choose – Penetration test or Vulnerability test?

We will try to find out the answers to all the above questions in this tutorial.

Penetration Test Vs Vulnerability Scan

Introduction

To begin with, I would like you to read five sentences:

  • Bananas grow on a Tree.
  • A normal human being uses only 10% of his brain.
  • Cracking your knuckles causes arthritis in old age.
  • Bats are blind.
  • Penetration testing is same as that of Vulnerability scan.

Can you guess one common thing among all the above statements? They all are Myths. Yes, that’s right. They all are indeed myths.

However, in this tutorial of ours, we are bothered neither about the Bananas nor the Bats. All we care is about Penetration testing being compared to the Vulnerability scan. To know more about the comparison or to prove that the statement is a myth, we will first analyze Penetration testing and Vulnerability scan separately.

Penetration Testing Intro

A Penetration test is also known as “Pen Test” in short. This kind of test is done to a system to find a way into the system. This may expose the important data that is stored by the system to the outside world.

In general, the penetration testing target can be of White box type or Black box type.

Black Box Penetration Testing:

Typically, the tester is not provided with any details of the system except the name. This is very similar to real life hacks where the hacker is not aware of anything else other than the name of the application.

Black box testing replicates the real-life conditions and is not time-consuming. However, because of unknown areas related to source code and infrastructure, there is always a possibility of missed out portions of the system.

White Box Penetration Testing:

In this process, all the necessary data related to the system which has to undergo penetration testing is provided to the Tester.

The data can be network architecture, system configurations, source codes etc. This is a lengthier process than that of Black Box type Pen testing. This is a thorough process and has a deeper coverage when compared to the Black box type.

Pen testing is always performed with the permission/request from the client. Performing Pen testing on a site without the owner’s consent is illegal and can be termed as Hacking.

By now, we know what penetration testing is, and it’s time to know the reason why organizations opt for it. It is said, better to be safe than sorry. Pen testing makes an architecture stronger and resistant to attacks.

Vulnerability Scan Intro

A vulnerability scan is used to find out the vulnerabilities/weakness in a system. This task is performed by running an application [called as the vulnerability scanner] on the target computer. These applications or scanners can be executed directly on the target computer or from a network location.

Network location comes into picture for bigger organizations whereas it is not feasible to execute the scanner on the local computers all the time.

Now, How do you know which scanner can work for your application? The answer is pretty simple. That is, the Vulnerability scanners hardly use the system details/parameters while scanning.

All they need is the IP of the system. With the IP alone, a vulnerability scanner can find out the potential places where an attack can be performed on the system.

There are situations where a company has Intranet and not all the computers are exposed to the internet world. In that case, the vulnerability scanner has to be run from within the Intranet by which the scanning for both internal vulnerabilities as well as the external vulnerabilities can be caught.

Once a test/scanning is completed, the scanner helps in getting a report displaying all the possible vulnerabilities. The report generated has various data related to the vulnerabilities in it.

The data ranges from, the server statistics [based on vulnerability index], the status of different services running on different servers, the status of the vulnerabilities found based on their severity level.

Once a report is generated, it has to be analyzed to find out the real situation. Not all the time, the vulnerabilities found are that serious. There might be cases, where the scanner will pull the name just because the data which was expected doesn’t match the output. But, that may not be a true vulnerability after all.

That is the reason why further analysis has to be done on a vulnerability scan report to find out if the vulnerability found is a right one or not.

Penetration Testing Vs Vulnerability Scanning

We now know what a Penetration testing process is and what vulnerability scanning is.

Now proceeding with a head-head clash between the two giants would be a fun-filled one.

Penetration Testing Vs Vulnerability Scanning

Example:

We shall get into a real-life example to understand the difference between the two.

Let’s take Mr. X for an example. Mr. X is a heist specialist. We shall observe his plan for his next heist. He is planning to rob a Bank present in the middle of the city.

The Bank building is surrounded by a Police station, a Fire station, a Public Park [which stays closed at night] and a Pond. The bank building is a 20 floored building with a helipad on the top of it. Before he actually robs the bank, he needs to find the possible entry points into the Bank building.

The sides of the building that has a Police station and Fire station are impossible to breach. They operate 24X7 and who would dare to rob a bank using Cop’s den as the entry point! That leaves Mr. X with 3 other options. Yes, you got it right. He is also having the Roof as an Entry point [Remember Heath Ledger from the Batman Trilogy?].

The Rooftop seems to be an odd choice here as the building is only 20 floored and the chances of getting caught from people around you is very high. And, the Bank is the only single high rise building standing in the area. So, that makes the Roof entry a big NO! With the two leftover options, Mr. X starts analyzing the Lake as an entry point.

Lake can be a good mode of entry but, the visibility would be a concern. How would someone react if they see someone swimming at the midnight, that too towards the Bank building? The last option is the Public Park.

Let’s analyze the park in detail. It is closed to the public after six in the evening. Park has a lot of trees which gives the necessary shadow and supports for stealth mode. The park has a boundary wall which is shared with the Bank premises.

Now, all the analysis above can be said as Vulnerability scan. A scanner does all these things. To find out a vulnerable position to get in.


Going back to our story, let’s assume that Mr. X becomes successful in entering the bank through the Public park entry point. What does he do next? Whether he breaks into the Vault to get the cash or the deposit lockers to get the valuables.

This part is the Penetration testing. You get the access and try to exploit the system. You get to know the depth that you can go with this attack.

Note: No banks were robbed while writing this tutorial. And, it is also not advisable to follow the footsteps of Mr. X.

I am leaving you with the below comparison chart so that you can get more clarity on the difference between the two.

Comparison

Is Vulnerability Scan & Penetration Testing Related to each other?

Yes, Vulnerability scan and penetration testing are related to each other. Penetration testing has a dependency over the vulnerability scan.

To initiate Penetration testing, a complete vulnerability scan is done so that the tester gets to know any vulnerabilities that are present in the system and then exploit them.

So, with vulnerability scan, we get to know the possible vulnerabilities but these vulnerabilities are unexploited till this point. It is penetration testing that confirms the extent up to which the vulnerability is possible to be exploited.

They also intersect with each other at certain points as shown in the below image:

Vulnerbility Assessment and Penetration Testing

Which one to Choose – Pen Test or Vulnerability Scan?

Having understood the difference between the both, now the question arises as – which one to choose?

Well, the goal of vulnerability scan is to find out the weaknesses of your system and fix them. Whereas, the goal of penetration testing is to find if someone can break your system and if yes, then what will be the depth of attack & how much meaningful data can they obtain.

Together, vulnerability scan & pen test can tell you what is at risk and how it can be fixed. The aim is to improve the overall security of your system. You need to choose between the two depending on the criticality of your business. If you go for a pen test, then it covers vulnerability scan as well.

However, pen test is very costly (around $4,000 to $20,000) and a time consuming one as well compared to vulnerability scan. The reason being it brings very accurate and thorough results and it eliminates false positive vulnerabilities.

Meanwhile, vulnerability scan is very quick and far cheaper (nearly $100 per IP, per year, depending on the vendor) than pen test. As an organization, you can go for vulnerability scan on a monthly, quarterly or even weekly basis. And, opt for pen test annually.

Most Popular Tools

Some of the commonly used tools for Vulnerability Scanning include:

  • Nessus
  • Nikto
  • SAINT
  • OpenVAS, etc.

Commonly used tools for Pen Test include:

  • Qualys
  • Core Impact
  • Metasploit etc.

Pen testers also write their own exploit code as per the requirement.

Conclusion

From this tutorial, we realize that both Pen Test and Vulnerability Scan are entirely two different activities that are performed to make the application safer from attacks. They can also be used together if required.

Vulnerability test identifies the possible loopholes and Pen test exploits these loopholes to uncover the extent of damage/theft that can happen to the business-critical information. They are done to fix the loopholes and avoid any potential attacks and security breaches to the information system.

Further Reading