Is penetration testing more effective than vulnerability scanning? Yes

Companies are struggling to keep up with a barrage of network security nightmares, including viruses, worms and hacker attacks. This makes it more difficult to protect core assets, such as sensitive personnel information, customers’ credit card numbers and intellectual property. There are frequent reports of supposedly secure networks failing, resulting in lost revenue and damaged reputations.

The opposing viewpoint

To combat these increasing threats, network administrators must choose from a host of products, services and practices. Two common solutions are penetration testing and vulnerability scanning. These solutions are often lumped together, but there are significant differences between them. Vulnerability scans identify potential problems based on an evaluation of a network’s defenses and known vulnerabilities. Penetration testing reveals more information about a network by actively attacking a system, probing all defenses and revealing real, not theoretical, vulnerabilities.

Both methods have an important role in testing network security. At Core Security Technologies, we recognize the importance of vulnerability scanning, use it in our consulting practice and partner with several companies that provide this technology. But while vulnerability scanning is a good first step, it shouldn’t be considered the final step, because it doesn’t answer the fundamental question, “Is my network secure?”

Vulnerability scanning does not address the implications of an intrusion, leaving network administrators to determine if a vulnerability is real or a false positive, if it can be exploited and what risk it poses to a network. Without determining the true threat to a network, administrators must devote resources to patching every vulnerability, often wasting significant time and effort patching systems that may not require it.

A penetration test is an authorized attempt to breach the security defenses of a system using the techniques of hackers, worms and viruses. With a penetration test, you exploit vulnerabilities in your network and try to replicate the kinds of access a hacker could achieve and identify which resources are exposed. The results go far beyond the data yielded by a vulnerability assessment. An administrator is able not only to quickly identify and prioritize real vulnerabilities but also to gain insight into the effectiveness of other security measures in place.

Some proponents of vulnerability scans say running a penetration test puts a network service at risk for downtime and using exploits could compromise the network’s integrity. However, with a commercial-grade automated product, penetration testing can be conducted in a safe manner and poses less risk than most vulnerability scanners.

Vulnerability scanning is an excellent first step for a penetration test, but it’s important to go further. Without running a penetration test, network administrators cannot be certain that their networks can withstand an attack. A penetration test can identify and eliminate real paths of attack.

Paget is CEO of Core Security Technologies. He can be reached at paul.paget@coresecurity.com.