We heard recently that an upstart, local IT company was offering “free penetration tests” as a way of luring new prospects.
A free pen test? Doubtful.
I’ll explain why while also clarifying the benefits of, and differences between, pen tests and vulnerability scanning.
A vulnerability scan is a systematic process used to identify security weaknesses within a computer system, network, application or infrastructure. The purpose of a vulnerability scan is to proactively discover potential security issues before malicious actors can exploit them. By identifying vulnerabilities early, organizations can take necessary steps to mitigate risks, enhance their security posture and prevent potential cyberattacks.
Key Aspects of a Vulnerability Scan Include
Identification of Weak Points: vulnerability scans examine various components of a system, such as software, operating systems, configurations, and network devices, to identify known security vulnerabilities or misconfigurations.
Automated Assessment: vulnerability scans are typically automated processes that use specialized software tools to perform scans. These tools compare the system’s characteristics with a database of known vulnerabilities and issues.
Risk Prioritization: once vulnerabilities are identified, they are often ranked or categorized based on their severity. This helps organizations prioritize which vulnerabilities need immediate attention, based on the potential impact they could have if exploited.
Frequency: vulnerability scans can be performed on a regular basis as part of ongoing security practices. They can also be conducted following significant system changes or updates to ensure that new vulnerabilities have not been introduced.
Compliance and Regulations: many industries have regulatory requirements that mandate periodic vulnerability assessments to ensure data security and compliance.
Report Generation: after completing the scan, the vulnerability assessment tool generates a detailed report that lists the vulnerabilities detected, their severity, and recommended actions for mitigation.
Now, if I were to list the benefits of a penetration test, most of the benefits outlined above would look the same. So, what’s the difference between the two?
The Human Element
Unlike vulnerability scans, which are automated, meaningful penetration tests involve a trained technician actively attempting to exploit vulnerabilities. Only this sort of hands-on work can exploit multiple small vulnerabilities in combination with one another to fully determine damage a hacker might cause. Vulnerability scans uncover individual gaps, while manual penetration testing of those gaps can provide the deepest and most practical suggestions for improving security.
One small vulnerability by itself may not provide a full gateway into your network. But perhaps a series of two or three seemingly small gaps could allow a malicious actor to gain entry; only when a live, ethical hacker tries to exploit those individual vulnerabilities in combination with each other will you have a full, real-world sense of your security posture.
After gaining entry, a certified ethical hacker, often a technician, may not be done. Can a tester covertly elevate their permissions to access and steal highly sensitive data meant for corporate leaders only?
Or, can that hacker live in your network unnoticed? This is how attackers learn how to re-route email messages, make realistic-looking payment requests from clients to wrong bank accounts and more. Persistence, as we call it, is the primary goal of today’s hacker – and something a live pen tester can imitate.
After all of this, in no way am I minimizing the importance of regular vulnerability scanning. Because they’re automated and less costly, vulnerability scanning can be done on a more regular basis. By spotting and addressing vulnerabilities via such scans, organizations can significantly reduce the risk of a security breach. Most pen tests, in fact, begin with a vulnerability scan.
But because a pen test requires manual work by a skilled engineer – often many hours – such testing can be very expensive, quickly reaching $20-$30,000 or more.
…which is why I said at the outset it is highly unlikely this IT startup is offering true penetration testing for no charge.
Hopefully, this post will help you ask some good questions if anyone pings you with such an offer!