Vulnerability Scanning vs Penetration Testing. What’s the difference?


In the world of information security, just like a business, we want to avoid risks. So what are these risks? To understand what a risk is, we first need to understand the concept of vulnerability. A vulnerability is a weakness or a gap in the system, and if exploited by a malicious actor, could help them gain unauthorized access and compromise the system. So, a risk is the potential of a threat that could compromise or take advantage of or exploit a vulnerability resulting in some loss.

In information security, we want to mitigate or lessen the effectiveness of a threat against vulnerabilities. To do this, we usually set up countermeasures that do not eliminate the threat; instead, they reduce the likelihood of that threat being effective against that vulnerability. One of the primary tasks in building a solid and robust fortress of security around information systems is to identify the different vulnerabilities within those systems. These could range from misconfigurations that allow access without any controls in place (for example, a broken technical control for user login that lets anyone log in and gain access to the system), to insecure connections between elements, inferior or substandard backup and recovery, inadequate endpoint security, and so on. Any of these could be leveraged by an attacker to gain access to the system.

To remediate this as an organization, or even as a user who may be running a service such as a website on the internet, one could perform periodic vulnerability scanning. One of my favorite vulnerability scanners is Nikto, which is used via a command-line interface (CLI) on Linux. Another one that gives you more information in a graphical user interface (GUI) format is Nessus.

With a Nessus vulnerability scan, you can perform either a credentialed or a non-credentialed scan. A credentialed scan allows Nessus to connect to the devices in the system and log in. Such a scan gives the administrator a better chance of accurate findings and of uncovering additional information, instead of just finding some open ports. If we do not have credentials to log in, that is a non-credentialed scan. A vulnerability scan acts as a detective: it aims to find and document as many loopholes, flaws, and cracks in the system as possible that could be exploited. One of the key points is that a vulnerability scan is a passive scan, which means it will not inject malicious software into your system; it is primarily focused on reconnaissance and information gathering. Just because it is a passive scan does not mean you are allowed to scan any network you want. Before scanning, make sure you have the proper authorization to scan the networks of any system, especially a corporate network. Performing an activity like this without the proper authorization would be considered aggressive, against policy, and 8/10 times would trigger some alert within the system.

On the opposite side, we have penetration testing, which is intended to harm. A penetration test performs active attacks on the system. In comparison, a vulnerability scan is a warm-up before you exploit a system. The primary goal of a penetration test is for an organization to learn whether its security controls can be bypassed. They want to find out before real malicious attackers find a way to exploit a vulnerability within the system.

In a penetration test, we actively test security controls to verify that they are effective, that no one can gain unauthorized access, and that risk is mitigated.

A standard process for a penetration test would look like this:

Information Gathering → Reconnaissance → Gaining Access(Initial Compromise) → Persistence → Privilege Escalation → Exploitation → Exfiltration

So if the countermeasures are not doing their job, a vulnerability can be exploited and taken advantage of. This gives an organization insight into which components in a system are insecure by XYZ methods and where it should invest money to improve and secure the overall infrastructure of the system. A penetration testing tool that I have used is known as Metasploit. This is a compelling web exploitation framework (CLI) developed by Rapid7 that can exploit and test a wide range of systems and machines. Metasploit can also be used to validate an organization's defenses after a patch is applied to the system. After completing a penetration test, a report is created covering all the tools, tactics, and techniques used to exploit the system; this is crucial, as documenting your process and findings is essential.
