While both penetration testing and vulnerability scans are beneficial, they are not interchangeable, and each serves a specific purpose. We often start compliance or security engagements by explaining to a client why the vulnerability scanning they have performed is simply not enough, especially if they need to meet specific regulatory requirements.
Vulnerability scans look for known weaknesses in the systems that are in scope and produce a report listing each confirmed vulnerability along with its associated level of risk. Scans may be run by internal resources as well as by an outside firm to detect newly disclosed vulnerabilities and remediate them before an outsider finds them.
Although these scans provide a tremendous amount of knowledge about the potential issues on a system, the approach has an inherent limitation: a vulnerability scan is driven by a national database of “known” vulnerabilities and does not take into account the information gathering and human interpretation that, combined with those vulnerabilities, can escalate access to an organization’s systems. A properly executed penetration test uncovers exactly that kind of chain.
Penetration testing (or pen testing) is a simulation of an internal or external attack with the intention of gaining unauthorized access to systems and the data stored within the network.
“White box” testing gives the tester information that can help find vulnerabilities, such as a previous test or audit report, and typically involves various levels of “authorized” access to, and knowledge of, the systems within an organization.
“Black box” testing is performed with no more outside knowledge than an actual attacker could find by using internet searches, information from social media, and access to the test site via the Internet. In both scenarios a combination of discovery methods is used to uncover viable company information and assets. This testing also often includes social engineering techniques: phishing emails to trick staff into sharing their login and password credentials, walking into the physical location and attempting to join the network, or observing staff behavior to look for weaknesses that could be exploited (unsecured laptops that could be stolen, server room doors left propped open for deliveries, etc.).
So which one is the best fit for your organization? If you fall under compliance requirements such as HIPAA, PCI DSS, GLBA, or FFIEC, you are required to perform both (typically monthly or quarterly vulnerability scans and annual pen testing). If your goal is to make sure you are patching known vulnerabilities, you can start with a vulnerability scan. Pen testing takes it to the next level by adding the human component; it is the right choice if you want a true understanding of where your network’s weak points are, including your staff, together with a prioritized list of recommendations to improve your overall security posture.