Penetration Tests vs. Vulnerability Assessments

10/11/2020

When shopping for security for your networks, several web application terms get thrown around. Because of this, non-technical people such as CEOs and management may not understand these terms and may make the wrong purchase. When thinking about your digital security, you may think that by having an anti-virus system, a top-end firewall or even some type of “next-gen AI-driven by Dark Blockchain military-level defence system” you are secure and never look at security again. While in some situations this is a start to good digital security, in most cases it is not enough to stop your company from being hacked. In this blog, I will be talking about the differences between a vulnerability assessment and a penetration test.

First, what is a vulnerability assessment?

A vulnerability assessment is where a company uses a pre-purchased or free tool such as Nessus, OpenVAS, Nexpose or many others to run a scan against their network or application to find known vulnerabilities and security holes. If they do not own one of these tools, or are required to by a compliance body, they may hire a third-party company to perform this on their systems. This can be done in a range of ways, including:

  • External-facing scan where the company is assessing risk for external parties looking to attack from the internet.
  • Black box internal network where the assessor will plug into the network as if they are a hacker who’s broken into the building and has no further information.
  • Authenticated internal network where the assessor has access to all systems and their admin passwords to perform in-depth scans.

Unfortunately, due to the nature of technology, no two setups are the same. Your company may be using tools and in-house software which a scanner may not recognise so it has no idea what vulnerabilities may be possible.

What is a penetration test?

A penetration test is where a security consultant is hired to take a manual look and attempt to exploit your systems using both vulnerabilities and misconfigurations in your network. While there are many types of penetration test, they can be generalised into a few categories:

  • External facing where they attempt to attack the systems facing the internet.
  • An application test where they target a specific application such as a website or mobile app.
  • An internal network where they can plug into the network in either a white or black-box approach.

A penetration tester will normally run a vulnerability scan themselves to gain insight into the network and find any “low-hanging fruit” such as systems with missing security patches or end-of-life Windows 2003 servers. Then they go further and manually use known hacking techniques against your system to expose real-world vulnerabilities on the set targets they have been assigned in what’s known as the scope.

Now, you may think “why would I not just have a penetration test if a tester runs a vulnerability scan?” Money is the main reason a lot of company directors do not focus on security until they are unfortunately hacked and lose business. A vulnerability scanner can cost £2000 a year and can be run on any day, whereas a penetration test could cost a business not just the price of the tester but also the man-hours required to have someone on call if any issues arise. This may lead to directors just buying a vulnerability scanner, or paying a lower price for a vulnerability assessment once a year, as these come in a range of prices and promise to “protect your systems using [their] tool to find vulnerabilities”. Using a trusted scanner in-house is an excellent start to system security, but it should be seen as the minimum a company should do.

What are the cons to vulnerability scans and assessments?

Most vulnerability scanners only know common software, operating systems and their patch levels. In the case of web applications, they can only send predefined attack strings and attempt to interpret the response. Vulnerability assessments are only as good as the information they know. This comes from both sides. A good vulnerability scanner would know every version of Linux, Windows and Apple products and all their known security flaws. While most strive to be able to do such a task, they require updates to stay on top of the IT world and all its changes. Your vulnerability scanner may say it can “scan all known firewall vulnerabilities” but, in the real world, it only knows what a Cisco or a Juniper firewall is.

Another key point to this is patches to the scanner itself. Most antivirus systems release updates twice a day with known virus hashes and strings. Most vulnerability scanners do not have this level of upgrade. An update requires a member of staff on the client’s side to be aware of the new vulnerability and ensure it’s added. What if a vulnerability is not made public to them? What if the vulnerability is only made public seconds after the bi-weekly update the scanner receives? What if the scanner has the wrong information to look for a vulnerability? All these issues could lead to the scanner not picking up on serious flaws in your security.
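To make concrete why a scanner is only as good as the signatures it holds, here is a toy signature-matching scanner written for this post. It is an added example, not code from the original article or from any real product such as Nessus or OpenVAS, and every product name, banner, host address, version number and finding identifier in it is a constructed placeholder. It shows the three gaps described above: an in-house application the scanner has never heard of produces no finding at all, a host that is vulnerable only to a flaw added after the last signature update is reported as clean, and the difference only appears once the signature set is refreshed.

```python
"""Toy banner-matching vulnerability scanner (constructed example, not a real tool)."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    product: str
    version: str
    finding_id: str
    description: str


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)      # recognised product, vulnerable version
    clean: list = field(default_factory=list)         # recognised product, no matching signature
    unrecognised: list = field(default_factory=list)  # no signature for this software at all


# Banner format assumed for this example: "<Product>/<dotted version>".
BANNER_RE = re.compile(r"^([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)$")

# Constructed signature databases. Each entry: (first fixed version, finding id, description).
# Finding ids are placeholders, not real CVE numbers.
SIGNATURES_STALE = {
    "ExampleHTTPd": [("1.4.0", "PLACEHOLDER-VULN-0001", "fictional remote code execution")],
    "ExampleSMTP": [("2.1.9", "PLACEHOLDER-VULN-0002", "fictional authentication bypass")],
}

# The same database after a signature update that adds a newly published flaw.
SIGNATURES_UPDATED = {
    "ExampleHTTPd": list(SIGNATURES_STALE["ExampleHTTPd"]),
    "ExampleSMTP": SIGNATURES_STALE["ExampleSMTP"]
    + [("2.3.0", "PLACEHOLDER-VULN-0003", "fictional flaw published after the last update")],
}

# Constructed inventory of hosts and the service banners they return.
INVENTORY = [
    ("10.0.0.5", "ExampleHTTPd/1.3.2"),      # older than the fixed version: should be flagged
    ("10.0.0.6", "ExampleHTTPd/1.4.0"),      # patched: should be clean
    ("10.0.0.7", "AcmeInternalPortal/0.9"),  # in-house software: no signature exists
    ("10.0.0.8", "ExampleSMTP/2.2.0"),       # clean against the stale database only
]


def parse_version(text):
    """Turn '1.4.0' into (1, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan(inventory, signatures):
    """Match each banner against the signature database and bucket the outcome."""
    result = ScanResult()
    for host, banner in inventory:
        match = BANNER_RE.match(banner)
        if match is None or match.group(1) not in signatures:
            # The scanner has no knowledge of this software, so it says nothing about it.
            result.unrecognised.append((host, banner))
            continue
        product, version = match.group(1), match.group(2)
        flagged = False
        for fixed_in, finding_id, description in signatures[product]:
            if parse_version(version) < parse_version(fixed_in):
                result.findings.append(Finding(host, product, version, finding_id, description))
                flagged = True
        if not flagged:
            result.clean.append((host, banner))
    return result


def vulnerable_hosts(inventory, signatures):
    """Convenience wrapper returning just the set of flagged host addresses."""
    return {f.host for f in scan(inventory, signatures).findings}


if __name__ == "__main__":
    for label, db in (("stale signatures", SIGNATURES_STALE), ("updated signatures", SIGNATURES_UPDATED)):
        res = scan(INVENTORY, db)
        print(f"--- {label} ---")
        for f in res.findings:
            print(f"FINDING  {f.host} {f.product}/{f.version}: {f.finding_id} ({f.description})")
        for host, banner in res.clean:
            print(f"CLEAN    {host} {banner}")
        for host, banner in res.unrecognised:
            print(f"UNKNOWN  {host} {banner}  <- scanner has no signatures for this software")
```

Note that the in-house portal on 10.0.0.7 never appears as a finding under either database: the scanner does not report it as vulnerable or as safe, it simply has nothing to say, which is exactly the blind spot a manual tester is paid to look into.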

Vulnerability assessment findings can be very impersonal and not give a clear image of the security flaws in your system. A scanner may say that, because your web server is up to date and takes no user input, it is secure and no issues were found. While this may be true, that website could still contain sensitive company data such as admin passwords or employee bank details. The vulnerability scanner has no way of determining whether this data is sensitive, yet a hacker could easily visit the page without needing any known vulnerability.

And the advantages to penetration tests?

It’s all about the human approach and understanding how systems work and what is a security risk. That’s why most penetration testers will run some form of vulnerability scan at the start of a penetration test to get all the “crap findings” out of the way so they can concentrate on what scanners don’t see. Another advantage of interacting with humans is that you can talk to them, voice your concerns, ask questions and have them ask you questions for a more. You may feel your network has no issues because your vulnerability scanner says you’re in the clear; ten minutes talking to a security consultant and they can tell you “your Cisco router is open to the internet with no password”.

If you contract a penetration test, the consultant can quickly see and make judgements on where security may be lacking. A couple of examples: on an internal SMTP server, a vulnerability scanner may be able to try common attacks such as email address enumeration or brute-forcing weak passwords. A penetration tester may see that, while SMTP is running, it is possible to send spoofed emails to all internal addresses.

A vulnerability scanner could look at your brand-new Cisco WIFI and LAN setup and think it’s all good. A penetration tester may ask “why is the private network open publicly?” or “from the guest WIFI, why can I connect to the domain controller and make a new account chaining these 3 ‘low risk’ vulnerabilities?”

Conclusion

It is recommended that all companies have some form of vulnerability scanning, network monitoring, firewall and antivirus tools as a ground level of defence and to tick off low-hanging fruit; that is not debatable. However, that does not replace a real penetration test with a 3rd party critical opinion on your security. If you are not able to have an in-house vulnerability scanner, you can still bring in a 3rd party consultant to perform one for you. This means you can quickly gain a level of knowledge of where your company stands in terms of security and you’re able to make a plan of action (but be aware, as this blog states, this is not a real security assessment).

An advantage of having pre-performed vulnerability scans is they can also make penetration tests cheaper. If a consultant were to go into your company blindly unaware of what level of patching your company does, they will need to do more work to find the baseline. If you were to provide up-to-date vulnerability assessment reports which are not full of “missing Microsoft patches”, a tester can use this to pre-plan actions and target real vulnerabilities, making the test quicker or more in-depth depending how you wish to conduct the testing.

Once your company has this in place, you can take security further by going into real-life scenarios such as phishing assessments, physical testing or, for more prominent companies with security teams, a full-scale red team test where a security consultant acts as a real hacker and has open dialogue to help train your security team never to miss attacks.

This is our comparison and advice when dealing with both penetration tests and vulnerability assessments. If you need any further information on penetration testing or are interested in receiving one for your organization, please feel free to contact us here.

(NOTE: This blog was originally written by Thomas W but, due to some admin issues with the site, I’m unable to credit him. Until we fix this bug, I’d like to attribute credit to him and the time he took to write this detailed and informative blog.)