We get questions regarding the difference between a vulnerability scan and a penetration test relatively often! We’re going to outline a high-level overview of each and what their differences are.
A vulnerability scan, vuln scan for short, is an automated process that looks for known vulnerabilities in your environment. A computer is plugged into the environment and scans workstations, servers and networking equipment for:
- General security issues
- Necessary patches
- Weak encryption algorithms
Sometimes a vuln scan can identify some root causes to why those vulnerabilities exist so they can be addressed. We then run a report of the issues found and what you can do to fix those issues.
A penetration test, or pen test, is an offensive manual process and has larger scopes than a vuln scan. A pen tester will attempt to access systems and information using tools that a hacker would use. It’s like paying a good guy to see how far a bad guy can get into your environment. For example, a pen test is looking for human mistakes like:
- A document on a file share with usernames and passwords that everyone has read permissions to, making it easy for a hacker to access your systems.
- Weak password settings like easy to guess passwords (ex. Summer2020) or password reuse that gives the tester access to systems with sensitive information.
- A misconfigured service that is exposed to the internet that can be exploited making it possible to gain access.
- Users that engage with phishing attempts and what information they disclose.
The goal of a pen test is to see where holes in your environment are, how the tester was able to get there, and how you can block real hackers from penetrating your environment.
Both vuln scans and pen tests are important to perform regularly and will shed light on where improvement is needed in order to avoid a costly breach! A pen test should be performed on an annual basis and a vuln scan should be performed quarterly, at the very least.
Stay safe out there!
Learn how BlueOrange Compliance can help you protect your organization and the people you serve by calling 855.500.6272, or request a free consult.