Vulnerability Scan vs Penetration Test

I still talk with people in the security industry that confuse a vulnerability scan with a penetration test.  These are very different yet complimentary tools.

A vulnerability scan can be run against your external IP range, as well as your internal IP range.  If you run it against your external IP range you will see what the hackers see when they look at your network from the outside.  If there are any known vulnerabilities, the scanner should pick it up and report it to you.  This would be the first step in getting your network more secure.

You can also run an internal vulnerability scan.  This scan is the same as the external scan, but with the option to run it authenticated; meaning you can run it as a user or an administrator.  This can be very helpful in determining if any software has vulnerabilities.  For example, it would notice an out of date Firefox or SQL version.  This can be extremely helpful in remediating vulnerabilities in your environment.  Most companies expect the firewall to block everything, but if something does get through your firewall, your internal network must be secure enough to keep them from gaining a foothold.  It used to be that people would run vulnerability scans once a year.  Now, I recommend nightly.  Vulnerabilities are constantly being found, and if you let one go for a year, then the chance of your environment being compromised is high.

After all this work, why would you want a penetration test?  When you do this type of test, you hire a human to actively try to break into your network.  They are testing to see if what you did to harden your network has actually worked. They also might be able to get into your network through an undisclosed vulnerability or combining a few different vulnerabilities together, which is something a vulnerability scanner can’t do.  This allows you to understand the holes in your network and make it more secure. By utilizing both of these tools you can harden your network and test to make sure that what you are doing is actually working.  Nothing is perfect, but if you make it hard enough you have a better chance of staying secure.