Vulnerability assessment vs penetration testing: what’s the difference?

Many people are under the impression that penetration testing and vulnerability assessments are simply two phrases for the same thing. But although the processes are related, they have different purposes and therefore shouldn’t be confused.

Let’s take a look at the differences between the two and how they should fit into your organisation’s security practices.

What is vulnerability scanning?

Vulnerability scans are automated tests that identify vulnerabilities in organisations’ systems and applications.

You will inevitably have a range of weaknesses in your systems. This is partly because of the frequent changes you’ll inevitably make to applications, but also because firewalls are designed to leave certain ports open for email and other Internet-based services.

That’s why you need to conduct regular scans to identify and address vulnerabilities. There are a variety of off-the-shelf tools that can do this job. They work by running a series of ‘if–then’ scenarios, which highlight system settings or features that may contain known vulnerabilities.

A completed scan will provide a logged summary of alerts for the organisation to act on.

Vulnerability scanning and the PCI DSS

If your organisation processes cardholder data, you are subject to the PCI DSS (Payment Card Industry Data Security Standard) and therefore required to conduct vulnerability scans every quarter and after any significant changes to the network.

Scans must be conducted by a qualified person who is independent of the device or component being scanned. This individual will need to take responsibility for configuring the appropriate tools and performing the scans.

You’ll also need to bear in mind that quarterly external scans are a separate requirement from quarterly internal scans, and must therefore be conducted separately.

If your scan fails, you must schedule a rescan within 30 days to prove that the critical, high-risk or medium-risk vulnerabilities have been patched.

Many organisations simplify the task by performing monthly scans to keep on top of any emerging vulnerabilities.

To pass a PCI DSS external scan, all items listed as critical, high risk or medium risk (i.e. those with a CVSS (Common Vulnerability Scoring System) score of 4.0 or higher and specific findings that are considered automatic failures) must be remediated or disputed by the organisation. Remediation is usually the best approach.
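As an added illustration of the pass/fail rule just described (this is example code written for this post, not a tool from IT Governance or any scanner vendor), the following Python script takes a constructed list of scan findings and applies the rule: any open finding with a CVSS score of 4.0 or higher, or any finding flagged as an automatic failure, blocks a pass until it is remediated or disputed, and a failed scan gets a rescan deadline 30 days out. The finding titles, hosts and the `auto_fail` flag are assumptions for the sake of the example; real scanners report these in their own formats.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# PCI DSS external scan pass criterion as described in the article:
# every finding scored CVSS 4.0 or higher, and any finding the scan
# flags as an automatic failure, must be remediated or disputed.
PCI_FAIL_THRESHOLD = 4.0
RESCAN_WINDOW_DAYS = 30


@dataclass
class Finding:
    host: str
    title: str
    cvss: float
    auto_fail: bool = False   # assumed flag: scanner marks the finding as an automatic failure
    status: str = "open"      # "open", "remediated" or "disputed"


def blocks_pci_pass(f: Finding) -> bool:
    """True if this finding, left open, causes the external scan to fail."""
    if f.status in ("remediated", "disputed"):
        return False
    return f.auto_fail or f.cvss >= PCI_FAIL_THRESHOLD


def triage(findings):
    """Split scan output into findings that must be dealt with before the scan
    can pass and lower-risk findings that can go into the normal patch cycle."""
    blocking = [f for f in findings if blocks_pci_pass(f)]
    other = [f for f in findings if not blocks_pci_pass(f)]
    # Automatic failures first, then highest CVSS first, so effort goes where it matters.
    blocking.sort(key=lambda f: (not f.auto_fail, -f.cvss))
    return blocking, other


def scan_result(findings, scan_date):
    """Return ("pass", None) or ("fail", rescan_deadline)."""
    blocking, _ = triage(findings)
    if not blocking:
        return "pass", None
    return "fail", scan_date + timedelta(days=RESCAN_WINDOW_DAYS)


def verdict_if_fixed(findings, scan_date):
    """What the verdict would be once every blocking finding is remediated
    (works on copies, so the original findings are left untouched)."""
    fixed = [replace(f, status="remediated") if blocks_pci_pass(f) else f
             for f in findings]
    return scan_result(fixed, scan_date)


# Constructed sample scan output (not from a real scanner).
SAMPLE = [
    Finding("web-01", "TLS 1.0 enabled", cvss=4.3),
    Finding("web-01", "Server banner discloses version", cvss=2.6),
    Finding("web-02", "Default credentials accepted on admin interface", cvss=9.8, auto_fail=True),
    Finding("mail-01", "Outdated SMTP software", cvss=5.0, status="remediated"),
    Finding("vpn-01", "Weak cipher suite offered", cvss=3.7),
]
SAMPLE_SCAN_DATE = date(2024, 1, 15)   # constructed date


def sample_verdict():
    return scan_result(SAMPLE, SAMPLE_SCAN_DATE)


if __name__ == "__main__":
    verdict, deadline = sample_verdict()
    blocking, other = triage(SAMPLE)
    print(f"Scan verdict: {verdict}")
    if deadline:
        print(f"Rescan must be completed by {deadline.isoformat()}")
    print("Must be remediated or disputed before the scan can pass:")
    for f in blocking:
        tag = " [automatic failure]" if f.auto_fail else ""
        print(f"  {f.host}: {f.title} (CVSS {f.cvss}){tag}")
    print("Lower-risk findings for the normal patch cycle:")
    for f in other:
        print(f"  {f.host}: {f.title} (CVSS {f.cvss}, {f.status})")
    print("Verdict once blocking items are fixed:", verdict_if_fixed(SAMPLE, SAMPLE_SCAN_DATE)[0])
```

Note that the already-remediated SMTP finding scores 5.0 but does not block the pass, while the 3.7 cipher finding never did; the sort order puts the automatic failure at the top of the remediation list regardless of its CVSS score.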

What is penetration testing?

Penetration testing is much more rigorous than vulnerability scanning, as it’s essentially a controlled form of hacking. The tester – known as an ethical hacker – works on behalf of an organisation and looks for vulnerabilities in its systems.

In that regard, their work is much the same as a criminal hacker’s. Indeed, unlike vulnerability scans, penetration tests are designed not only to identify weaknesses but also to exploit them.

Doing this demonstrates to an organisation exactly how a cyber criminal would infiltrate its systems and what information they could access.

Armed with this knowledge, organisations can pinpoint how effective their security controls are and which areas need improvement.

Penetration testing and the PCI DSS

PCI DSS requirements 11.3.1 and 11.3.2 state that penetration testing must be performed at least annually and after any significant changes to your network.

Penetration tests require a great deal of technical expertise and must, therefore, be carried out by a qualified professional.

Fortunately, the tester will oversee most of the technical work, meaning organisations’ main responsibility is simply hiring someone for the job and creating a plan that ensures that the test has a minimal impact on staff and business operations.

Remember that a penetration test is a live exercise: when the tester exploits a vulnerability, it will affect your ability to work.

As such, you might prefer to schedule the test outside of office hours to minimise the disruption to the networks or applications that are being tested.

Alternatively, you might want to look at how staff would react to an attack (as is the case with a social engineering penetration test).

Vulnerability testing vs penetration testing

Are you still unsure under which circumstances you need a penetration test or a vulnerability scan? Here’s a quick summary:

Scanning and testing with IT Governance

If you’re looking for experts to help with your vulnerability scans and penetration tests, we are here to help. IT Governance is a CREST-accredited provider of security testing services, with a range of solutions ideal for all organisations.

We offer on-site and remote testing to help you assess your networks in whichever way is most convenient for you.


A version of this blog was originally published on 8 October 2018.
