This is a story to explain the difference between penetration testing vs. vulnerability scanning. Alice met Bob in college when they were freshmen. Although she was madly in love with Bob she maintained her purity for marriage. The two were supposed to wed after they both graduated.
Alice had a knack for paying attention to details that irritated Bob at times. Alice insisted that they both undergo full physicals and blood work, because she was concerned about any unknown health or potential genetic problems. Even though Bob resisted, he went along with the examinations. The results all came back clean; both of them were as fit as a fiddle.
Alice and Bob went out one night and Bob became completely plastered. Although he felt he was fine to drive, Alice took the keys and made sure he got home safely.
Bob’s best friend, Charlie, wants to throw an epic bachelor party. Alice hesitates, but lets her man fly to Las Vegas with all his friends. Bob promises to stay true.
Bob’s friends are having the time of their lives at an amazing private party with several celebrities in attendance. The drinks are absolutely flowing.
After seeing his friends enjoy the night chatting up the ladies, Bob decides he’ll talk to a girl who has been checking him out from a distance to see if he still “has it”. The young woman introduces herself as Eve. Eve and Bob hit it off, and before long Eve asks Bob if he wants to go up to her room.
Bob’s friends overhear the conversation and encourage him to break his promise to Alice; besides, what happens in Vegas stays in Vegas. Bob eventually caves in to the peer pressure and follows Eve to the elevator and up to her room.
They enter Eve’s room and dim the lights. Eve heads to the bathroom to freshen up. When the bathroom door opens back up, to Bob’s surprise, Alice comes out of the bathroom with her cousin Eve.
Vulnerability scanning is the equivalent of Alice taking Bob out drinking to see whether he would stop before his judgment became impaired. In this case, the night out exposed his drinking vulnerability.
On a less devious level, vulnerability scanning is also similar to Alice and Bob getting medical examinations. Medical exams are an efficient way to diagnose issues on an individual basis. A doctor can diagnose issues in many patients, but most of the time that is where it stops. Diagnosis is very beneficial because it lets you apply preventive treatment (countermeasures) to defeat or mitigate the condition. Similarly, vulnerability scans are useful for finding vulnerabilities and triaging them for patch management.
Even though vulnerability scans can’t necessarily give you a good measurement of your true defense-in-depth posture, you can infer certain things from them. This is similar to genetics, where we predict the probability of a condition from the parents’ genes. For example, I have sickle cell trait, and if my wife had it as well there would be a 25% chance of our child having Sickle Cell Disease.
In a network segment, if a vulnerability scan finds a high-severity vulnerability on one machine, the chances are high that other machines reachable from that machine could be compromised as well.
Every organization should have vulnerability scanning capability internally. I don’t care if you don’t have a security team; IT teams should know how to run vulnerability and web application scanners.
Penetration testing is the equivalent of Alice’s use of Eve to test Bob’s loyalty.
There were a lot of contributing factors to Eve carrying out a successful “adversary simulation.”
An adversary simulation is exactly what a penetration test should be. Penetration testing normally does include vulnerability and web application scanning. The difference is in who runs the scans and why: defenders use them to find and mitigate issues, and attackers use them to compromise the organization.
A vulnerability scan alone should never be confused with a penetration test. Everyone should understand the difference between penetration testing vs. vulnerability scanning before they engage with a vendor. Many organizations have worked with penetration testers and firms that simply hand over a vulnerability scan as the final deliverable. Why should you pay consultants for vulnerability scans when you can do them yourself?
A Few More Thoughts on Penetration Testing
Hire Someone You Trust
In our story, Alice enlisted her cousin Eve as the threat agent in her operation. It’s so crucial that you select the right people to perform penetration tests. Alice knew she could trust Eve because she was family. Pick the people who are most likely to remain loyal to you and your organization.
Social Engineering & Trust
Penetration tests use social engineering and trust to compromise victims. In our story we see that real friends give bad advice. In real life, friends will send you malware thinking that it’s a cute kitten clip. Fake friends and imposters will send your personnel the same malware disguised as the same kitten.
A penetration tester’s activities are limited by the scope of the contractually defined engagement. You need to make sure you hire consultants and internal penetration testers with a reputation for staying within the terms of their engagement, rather than cowboys. You don’t need people attacking your network like cowboys in the Wild West.
The Weakest Link
As in the story above, compromises usually involve chaining together a series of flaws. Alice’s “vulnerability scan” early on, which disclosed Bob’s alcohol consumption vulnerability, led to the successful adversary simulation using Eve. In security, penetration testing is able to test the effectiveness of an organization’s procedures, products, and personnel. Adversaries thrive on finding and then exploiting the weakest links, chaining a series of exploits to reach their end goal. And now you know the difference between penetration testing vs. vulnerability scanning.
About the Author
Marcus is founder & CTO of vThreat, Inc. Marcus is a hacker who helps people not suck at cybersecurity. Marcus started his technology voyage in U.S. Navy Cryptology and working at the National Security Agency (NSA). vThreat is a software as a service platform that simulates attacker tactics, techniques, and procedures to allow organizations to validate their defense in depth infrastructure.