Is Penetration Testing and Vulnerability Scans The Same Thing?

In the IT Security industry, technicians are prone to throwing around the phrases; Vulnerability Scans and Penetration Testing or Pen Test, and not realizing we might be confusing the public. So much so, we’ve made it far easier for any CEO or business owner to misunderstand or get confused about;

  • each security protection’s specific definitions,
  • their distinct design differences,
  • and what the results will show when they hear those phrases.

To remove any doubt or confusion and give you clear and specific guidelines, we will:

  • cover each phrase
  • their particular functions
  • popular scanning and testing tools
  • who conducts scans and testing
  • and what to be on the lookout for

What Is A Vulnerability Scan?

A vulnerability scan is looking for weak points or poorly built sections, along with weaknesses in the computer systems, networks, and applications. The vulnerability scanner action is accomplished using a computer program, created to look for those weaknesses and report the findings.

There are two categories of vulnerability scans; Authenticated and Unauthenticated scans.

  • Authenticated scans (as an authorized user) permits the scanner to tap into your network-based assets; data, device, or any element that is part of that particular network’s framework, that supports information related activities.
  • Unauthenticated scans (as an unauthorized user) is a method for examining your network for other vulnerabilities without having to log in as an authorized user.

Vulnerability scans for both Authenticated and Unauthenticated are designed to find known and unknown weak points or poorly built systems, software and hardware configurations. What the new scanning results find are reported back to the organization for their review, and then they can now move forward addressing each weakness.

Who Uses Vulnerability Scanning Tools?

There are two users groups using vulnerability scans:

  • Inside the company – An individual, network administrator, or the IT Security vendor.
  • Outside the company – Hired IT Security Firm, Hired Third-party vendors, or Hackers.

What is a Vulnerability Scanning Tool?

A computer software program, which can be purchased off the shelf or from a reseller, and labeled as vulnerability scanning tools. Popular scanning tools are:

  • Comodo HackerProof
  • OpenVAS
  • Nexpose Community
  • Nikto
  • Tripwire IP360
  • Wireshark
  • Aircrack
  • Nessus Professional
  • Retina CS Community
  • Microsoft Baseline Security Analyzer (MBSA)

A note about any scanning software program: Each software program listed or not listed above has their pros and cons. Along with your research, speaking with a Vulnerability Scanning Specialist, like the staff at Centerpoint IT, are always available to answer any vulnerability scanning questions you may have.

What Is A Penetration Test or Pen Test?

A penetration test also referred to throughout the IT industry as a “pen test” is an authorized simulated attack on a computer network, server or website. The pen test action is accomplished using scanning and attacking tools, created to look for those weaknesses and then exploit them. It’s commonly referred to as “ethical hacking techniques” and “white hat hacking.”

Note: penetration testing is not the same as vulnerability testing. Vulnerability testing intends to identify the potential problems, whereas pen-testing is going to find and then attack those problems.

There are two categories of penetration testing, Internal and External penetration tests.

  • Internal Penetration Test goes beyond vulnerability assessment. Once it finds the vulnerabilities, then it exploits and attacks them. It is designed to find out what internal information, if any, is exposed.
  • External Penetration Test again goes beyond vulnerability assessment. Once it finds the vulnerabilities, then it exploits and attacks them. It is designed to discover what information, if any, has become exposed to the outside world.

Ethical hacking for both Internal and External Penetration Testing are designed to mimic an actual attack. Each test thoroughly examines internal and external IT systems for any weakness. What the tester finds and reports back to the organization, they can now move forward addressing each failing.

Who Uses Penetration Testing Tools?

Penetration Testing firms are hired to hack into a website, a network or a server. They are known as:

  • Testers
  • Network Specialists
  • Security Consultants

What is a Penetration Testing Tool?

It is a scanner and attacker software and tools, for scanning and attacking weak spots. Commercial pen test tools are:

  • Netsparker
  • Acunetix
  • Metasploit
  • Wireshark
  • w3af
  • Kali Linux
  • Nessus
  • Burpsuite
  • Cain & Abel
  • Zed Attack

A note about any pen-test tools: Each tool listed or not listed above has their pros and cons. Along with your research, speaking with a Penetration Testing Specialist, like the ones at Centerpoint IT, are always available to answer any penetration testing questions you may have.

Be On The Lookout For This

When researching penetration testing and vulnerability scanning services and testers, please perform your due diligence and be on the lookout. There are some companies, which will offer and charge you for penetration testing. However, they are only providing vulnerability scanning. They will bundle the scanning, the results, and then sell it as penetration testing.

As you’ve read above, you now know there is a distinct difference between penetration testing and vulnerability scanning, their different functions, software and tools used, who performs scans and testing, what to be on the lookout for, but if you are still not sure, then call us. We are here to help you.

Interested in more security articles like this one? Check out these three: Educating Employees On Cyber Security, Ransomware a Growing and Destructive Threat, Security The Biggest Challenge For Companies or visit our blog.

Category: Atlanta IT Service Articles, Date: 28th June 2018, Author: Chris Chao

Know Someone Suffering From Bad Tech?

Centerpoint IT Wants To Help.