Industry Updates

Vulnerability Scanning vs. Penetration Testing: What’s the difference and what do you need?

egg and hammer vulnerability scan vs penetration testing
Pixabay|StevePB

MSPs approach us frequently requesting a penetration test for themselves or a new client. Most often though, we determine that they don’t want a penetration test at all. They really need a vulnerability scan. What’s the difference and how do we help our clients see the light?

Passive vs. Offensive – Vulnerability Scan vs. Penetration Test

You can sum up the difference in these two tools in two words: passive vs. offensive. A vulnerability scan is a passive scan of the environment deployed through automation. Penetration testing is a very active test utilizing an ethical hacker and all the tools in his/her toolkit.

Vulnerability Scanning

Vulnerability scanning is a passive test to determine where there might be holes in your network.  Automated tools will identify poor infrastructure configuration and code gaps in existing software deployments. These holes could be exploited by bad actors using any number of threat vectors.

Think of these scans as a burglar casing their target looking for potentially unlocked doors, areas hidden from security cameras, remote window access, anything that will allow them to reach their target undetected. These types of tests are valuable against known threat vectors. They create a to-do list to harden your infrastructure, which, when implemented, will make your client more secure.

Penetration Testing

A penetration test, on the other hand, actively tries to poke holes in your network to mimic how a bad actor could work to break through and cause havoc. A “white-hat hacker” or “ethical hacker” traditionally performs this type of test. Outcomes include a report ranking exploitable risks present in your environment, as well as what data a breach would likely compromise.

Continuing the burglary analogy, penetration testing goes beyond passive casing into full blown attempted robbery, using identified vulnerabilities to break-through and see what damage could be done if bad actors were the ones attempting to penetrate. This is an offensive strategy that will clearly indicate where your network has holes.

Are Vulnerability Scans Valuable?

We absolutely recommend running vulnerability scans as a scorecard for your and your clients’ networks because these tests identify, in a safe way, exploitable portions of your network. Ideally, you’ll run a vulnerability scan as soon as a client comes on board, fix gaps, then re-run the scan on a quarterly basis to stay on top of things.

When is Penetration Testing Necessary?

Perform these tests less frequently . You should conduct a penetration test at least once a year or after installing and stabilizing any new equipment. Sometimes, compliance standards require more testing. This gives a more comprehensive picture of risk exposure and gives a visual into how malicious entities are likely to attempt attack.

Are Vulnerability Scans or Penetration Tests Enough?

According to the Ponemon Institute, 80% of successful breaches come from zero-day attacks. While these tests will harden your infrastructure to a point and are an important barometer for ongoing security posture, they will do precious little against these zero-day vulnerabilities. These systems simply cannot scan for something that is completely unknown.

Protection against zero-day attacks requires advanced endpoint protection, like BLOKWORX MAED service because this tool goes beyond traditional anti-virus. Traditional anti-virus utilizes machine learning. Machine learning uses a small set of data about known threats paired with a human-created predictive model in an effort to identify threats. The problem with this is that they most often miss first-seen and zero-day threats.

Instead, deep learning solutions, like the one that powers our MAED service, uses raw data on known threats and benign false alerts to create constantly learning AI. This model, then, learns to identify threats, prevent zero-day attacks, and creates autonomous security with minimal effort.

What should you do next?

In addition to regular scans, you must deploy this prevention-centric service to further protect the entire threat landscape. Contact BLOKWORX to get started.