People are often confused about the difference between penetration testing and vulnerability assessments.
Although the processes are related, and are both mandatory under several information security regulations, including the PCI DSS (Payment Card Industry Data Security Standard), they aren’t interchangeable.
In this blog, we compare penetration testing and vulnerability assessments, helping you understand where they should fit in your organisation’s security practices.
What is vulnerability scanning?
Vulnerability scans are automated tests that identify vulnerabilities in organisations’ systems and applications.
You will inevitably have a range of weaknesses in your systems. This is partly because of the frequent changes you’ll inevitably make to applications, but also because firewalls are designed to leave certain ports open for email and other Internet-based services.
That’s why you need to conduct regular scans to identify and address vulnerabilities. There are a variety of off-the-shelf tools that can do this job. They work by running a series of ‘if–then’ scenarios, which highlight system settings or features that may contain known vulnerabilities.
A completed scan will provide a logged summary of alerts for the organisation to act on.
Vulnerability scanning and the PCI DSS
If your organisation processes cardholder data, you are subject to the PCI DSS and therefore required to conduct vulnerability scans every quarter and after any significant changes to the network.
Scans must be conducted by a qualified person who is independent of the device or component being scanned. This individual will need to take responsibility for configuring the appropriate tools and performing the scans.
You’ll also need to bear in mind that quarterly external scans are a separate requirement from quarterly internal scans, and must therefore be conducted separately.
If your scan fails, you must schedule a rescan within 30 days to prove that the critical, high-risk or medium-risk vulnerabilities have been patched.
Many organisations simplify the task by performing monthly scans to keep on top of any emerging vulnerabilities.
To pass a PCI DSS external scan, all items listed as critical, high risk or medium risk (i.e. those with a CVSS (Common Vulnerability Scoring System) score of 4.0 or higher and specific findings that are considered automatic failures) must be remediated or disputed by the organisation. Remediation is usually the best approach.
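As an added illustration of the pass criteria just described (this is example code, not the blog’s or IT Governance’s own tooling), the following triage script reads a constructed scanner export, flags every finding that still blocks a pass (CVSS 4.0 or higher, or an automatic failure, unless remediated or disputed) and works out the 30-day rescan deadline. The pipe-separated export format, the host addresses and the finding titles are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Pass criteria as stated in the blog: a finding fails the scan when its
# CVSS score is 4.0 or higher, or when it is flagged as an automatic failure,
# unless the organisation has remediated or disputed it.
PCI_FAIL_THRESHOLD = 4.0
RESCAN_WINDOW_DAYS = 30


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    automatic_failure: bool = False
    status: str = "open"  # "open", "remediated" or "disputed"

    def blocks_pass(self) -> bool:
        """True if this finding still causes the external scan to fail."""
        if self.status in ("remediated", "disputed"):
            return False
        return self.automatic_failure or self.cvss >= PCI_FAIL_THRESHOLD


def parse_scan_log(text: str) -> list:
    """Parse the constructed 'host | title | cvss | flags | status' export."""
    findings = []
    for line in text.strip().splitlines():
        host, title, cvss, flags, status = [f.strip() for f in line.split("|")]
        findings.append(Finding(host, title, float(cvss),
                                automatic_failure="auto-fail" in flags,
                                status=status))
    return findings


def evaluate_scan(findings: list, scan_date: str):
    """Return (passed, blocking findings, rescan deadline as ISO date or None)."""
    blocking = [f for f in findings if f.blocks_pass()]
    if not blocking:
        return True, [], None
    deadline = date.fromisoformat(scan_date) + timedelta(days=RESCAN_WINDOW_DAYS)
    return False, blocking, deadline.isoformat()


# Constructed sample export; hosts and findings are illustrative only.
SAMPLE_SCAN = """
10.0.0.5 | Legacy TLS version enabled on HTTPS service | 6.5 | auto-fail | open
10.0.0.5 | ICMP timestamp disclosure                   | 2.1 | -         | open
10.0.0.8 | Outdated web server version                 | 7.5 | -         | remediated
10.0.0.9 | Self-signed certificate                     | 4.0 | -         | disputed
"""

if __name__ == "__main__":
    passed, blocking, deadline = evaluate_scan(parse_scan_log(SAMPLE_SCAN), "2024-01-15")
    print("PASS" if passed else f"FAIL, rescan by {deadline}")
    for f in blocking:
        print(f"  {f.host}: {f.title} (CVSS {f.cvss})")
```

Only the open, automatically failing finding on 10.0.0.5 blocks the pass in the sample; the remediated and disputed items no longer count against the scan.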
Assured security with IT Governance

You can learn more about your testing requirements by downloading Assured Security – Getting cyber secure with penetration testing.
This free green paper explains in more detail how penetration testing works, the vulnerabilities you should be concerned about and the different types of penetration test you can use to detect them.
What is penetration testing?
Penetration testing is much more rigorous than vulnerability scanning, as it’s essentially a controlled form of hacking. The tester – known as an ethical hacker – works on behalf of an organisation and looks for vulnerabilities in its systems.
In that regard, their work is much the same as a criminal hacker’s. Indeed, unlike vulnerability scans, penetration tests are designed not only to identify weaknesses but also to exploit them.
Doing this demonstrates to an organisation exactly how a cyber criminal would infiltrate its systems and what information they could access.
Armed with this knowledge, organisations can pinpoint how effective their security controls are and which areas need improvement.
Penetration testing and the PCI DSS
PCI DSS requirements 11.3.1 and 11.3.2 state that penetration testing must be performed at least annually and after any significant changes to your network.
Penetration tests require a great deal of technical expertise and must, therefore, be carried out by a qualified professional.
Fortunately, the tester will oversee most of the technical work, meaning organisations’ main responsibility is simply hiring someone for the job and creating a plan that ensures that the test has a minimal impact on staff and business operations.
Remember that a penetration test is a live experiment: when the tester exploits a vulnerability, it will affect your ability to work.
As such, you might prefer to schedule the test outside of office hours to minimise the disruption to the networks or applications that are being tested.
Alternatively, you might want to look at how staff would react to an attack (as is the case with a social engineering penetration test).
Vulnerability testing vs penetration testing
Are you still unsure under which circumstances you need a penetration test or a vulnerability scan? Here’s a quick summary:

Scanning and testing with IT Governance
If you’re looking for experts to help with your vulnerability scans and penetration tests, we are here to help. IT Governance is a CREST-accredited provider of security testing services, with a range of solutions ideal for all organisations.
We offer on-site and remote testing to help you assess your networks in whichever way is most convenient for you.
A version of this blog was originally published on 8 October 2018.