Penetration Testing versus Vulnerability Scanning

By balaji

June 19, 2010

Penetration Testing

Penetration testing usually refers to testing by an ethical hacker who attempts to break into a target network with limited information about that network. It is also called a network (layer) penetration test or a black box test. It requires the bare minimum of information about the targets, usually just the IP addresses of the systems to be tested. The testing is performed using a penetration testing tool kit comprising well over 25 custom, commercial and open source tools. Although the testing leverages tools, it depends heavily on a well-trained and experienced security tester. The results of a penetration test will usually be free of false positives, and on request the tester will also conduct exploits and chained exploits on the target systems. Variations include conducting the penetration testing on internal networks, between interconnected LANs and VLANs, on wireless networks, and through social engineering techniques. Penetration testing plays an important role in securing enterprises by verifying the efficacy of existing security programs and mimicking real-world network and application layer attacks on your systems.

Vulnerability Scanning

Vulnerability scanning usually refers to running an automated vulnerability scanner against a block of IP addresses. The manual component is limited to the coordination and scheduling of the scanner and delivery of the automated report. The reports are very detailed and long, but are not free of false positives. The extent of false positives depends on the accuracy of the selected vulnerability scanner. The scanning process is very quick and can generally be conducted at a fairly low cost. The scanners are sold as perpetual licenses and on subscription in a software-as-a-service model. Vulnerability scanners play an important role in securing organizations as a key component of security vulnerability management programs.

| | Penetration Testing | Vulnerability Scanning |
|---|---|---|
| Goal | Use Penetration Testing to verify if networks are secure, what does a hacker see, discover unknown security flaws. Do quarterly or at least annually. | Implement Vulnerability Scanning as part of an overall vulnerability management program. Do monthly or at least quarterly. |
| Tool Types Used | Automated Scanners, Proprietary Tools, Exploit tools | Automated Vulnerability Scanner |
| Manual Component | Extensive | Negligible |
| False Positives | Removed | Present |
| Exploitation | Yes, on request | No |
| Chained Exploits | Yes, on request | No |
| Duration | Days to Weeks | Hours to Days |
| Cost | $1000-$2500 per day | $10-$30 per IP |
| Flexibility to Client Needs | High | Low |
| Recommended by Regulators | Yes | Yes |
