  • Vulnerability Scan & Penetration Test- How are they different?

    By Vincent Naughton on August 21, 2017

    As a security company we are asked this question a lot, and a surprising number of businesses think the two are the same thing. Here are the main reasons why you need to know the difference between them.

      Five differences between a vulnerability scan & penetration test:
      Please note that the points below are drawn from industry best practice standards, e.g. PCI DSS.
      Vulnerability Scan:
      Objective: The process identifies, ranks and reports the list of vulnerabilities, or potential vulnerabilities, that, if exploited, may result in a compromise of your system.
      Plan the scan: It is recommended that your business conducts scans quarterly or after any significant change has been made to your system. (Ref: PCI DSS Requirement 11.3)
      Duration: Vulnerability scans take a short period of time; typically scanning can be completed within a day. This may differ based on the size of the project, but it is much shorter than a penetration test.
      Functionality: A vulnerability scan is an automated scan which produces a report that is then analysed by a third-party vendor such as Ward. Ward Solutions conducts both external and internal vulnerability scans.
      Reports: The vulnerabilities are typically ranked according to the Common Vulnerability Scoring System (CVSS), which is what we mainly use; another ranking source used for these kinds of scans is the National Vulnerability Database (NVD).
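      As an added example (not code from the original post or from Ward), here is the "identify, rank and report" step in code: constructed findings are ranked by CVSS v3 base score into the standard qualitative severity bands, and the quarterly cadence the post cites is checked as a 90-day window. The host addresses, finding titles and the 90-day figure are assumptions.

```python
"""Triage constructed vulnerability-scan findings: rank by CVSS base score,
summarise by severity, and check that the quarterly scan cadence is being met."""
from datetime import date


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def rank_findings(findings):
    """Return findings sorted highest CVSS first, each tagged with its severity."""
    ranked = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return [dict(f, severity=cvss_severity(f["cvss"])) for f in ranked]


def severity_counts(findings):
    """Count findings per severity band for the executive summary."""
    counts = {}
    for f in rank_findings(findings):
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def scan_overdue(last_scan: date, today: date, max_days: int = 90) -> bool:
    """Quarterly cadence (assumed as a 90-day window): True if the last scan is too old."""
    return (today - last_scan).days > max_days


# Constructed sample findings; hosts and titles are hypothetical, not real scan data.
SAMPLE_FINDINGS = [
    {"host": "10.0.0.5", "title": "Outdated TLS configuration", "cvss": 5.3},
    {"host": "10.0.0.7", "title": "Remote code execution in web server", "cvss": 9.8},
    {"host": "10.0.0.5", "title": "Server banner disclosure", "cvss": 0.0},
    {"host": "10.0.0.9", "title": "Weak cipher suite enabled", "cvss": 3.7},
    {"host": "10.0.0.7", "title": "Local privilege escalation in service", "cvss": 7.8},
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f['severity']:<8} {f['cvss']:>4}  {f['host']:<10} {f['title']}")
    print("Scan overdue:", scan_overdue(date(2017, 5, 1), date(2017, 8, 21)))
```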
      Now let's look at penetration testing:
      Objective:
      To discover and exploit exposures that exist on the internal or external network in order to gain access to sensitive information or resources. In addition, a detailed report is provided with prioritisation and remediation advice so that the necessary mitigations can be actioned.
      Plan the test:
      It is recommended that a pen test is conducted annually or after any significant change made to the system. (Ref: PCI DSS Requirement 11.3)
      Duration:
      Penetration testing takes more time, and differs depending on the nature of the testing (e.g. web application or infrastructure), the size, and the complexity of the environment. Before this type of testing begins, all projects should be scoped in detail to understand the estimated effort required.
      Functionality:
      This process involves manual testing by one of our in-house pen testers and includes reconnaissance, discovery and exploitation phases. The output is a comprehensive report.
      Reports:
      The comprehensive report consists of three sections:

      • An executive summary.
      • A detailed table of findings from the penetration test.
      • An information gathered section which describes the results of all the testing carried out, both positive and negative.

      The one piece of advice we can give before you conduct a scan or a test is to have a plan in place. Discuss why you need it and what you want to achieve from it, and involve the key decision makers in your organisation. Once you know what you really want to achieve from testing, set expectations and decide which areas of risk you need to focus on. Involving a third party is not going to disrupt your plan; it gives you a clearer perspective from all sides so that you are not left with a gap that might have been missed had it been done internally.
      Ward advises that when you receive proposals from third parties you make sure you understand the above differences before you select which option is correct for your organisation and which one you want to go ahead with.
      If you want to speak to one of our experts to continue this discussion:
      E-mail me at grainne@ward.ie or call our office. If you're based in Ireland call +353 1 6420100, or in Northern Ireland call +44 28 90 730 187, to discover our range of information security solutions and discuss your unique requirements.
      To have a look at our latest survey results, check out the latest edition of our Mapping Cyber Security Solutions whitepaper.