The Differences Between Vulnerability Scans & Penetration Tests
When it comes to cybersecurity, a lot of “tech” terms get thrown around.
I’ve noticed some confusion about the terms “vulnerability scan” (or “vulscan”) and “penetration test” (or “pentest”), for example. They are often used interchangeably, but the truth is, they are two very different IT network evaluations that yield related, but vastly distinct information.
I understand the confusion and can help set things straight. In my nearly 20 years in IT and my current role as manager of information security and compliance at Kelser Corporation, I work hard every day to ensure that customers understand what they need.
Although Kelser is a managed services provider (MSP), I want to be clear that I'm not here to sell you on working with an MSP. I know MSPs aren't the right solution for every organization.
Whether you ultimately choose to work with an MSP or not, I want to provide the information you need to understand the differences between vulnerability scans and penetration tests so that you can clearly ask for the services you need.
In this article, I’ll explain the security advantages of vulnerability scans and penetration tests, give you an idea of the costs and timeframe, and point out the similar and unique aspects of each.
By the end of this article, you’ll be able to ask for and receive the security testing that makes sense for your organization.
What Is An IT Vulnerability Scan?
A vulnerability scan (or “vulscan”) is an automated tool used to identify everything that is running on your network(s) and looks for vulnerabilities. This scan is performed at a high level often without login credentials just to see what open information can be accessed.
Vulnerability scan software is commercially available or you can hire a professional IT team to perform the scan for your organization.
What Is An IT Penetration Test?
Penetration tests are not usually automated. Instead, they involve an IT professional who pokes around your network to see what vulnerabilities exist and what the consequences would be if those vulnerabilities were exploited by someone with malicious intent from inside or outside of your organization.
Goals Of IT Vulnerability Scan & Penetration Test
Each of these evaluations is designed to expose potential gaps in an organization’s cybersecurity, but they do that in different ways.
Vulnerability Scan Goal
The vulnerability scan is used to identify potential weaknesses in devices, servers, networks, and applications.
Most vulnerability scans generate automatic reports that many organizations need an expert to help them decipher and prioritize.
Knowing what a malicious actor can access and the potential for harm can identify areas for the organization to concentrate its efforts on protecting.
Penetration Test Goal
An IT penetration test is designed to explore how vulnerabilities could be exploited and what the potential ramifications could be for your organization.
Because IT penetration tests are, in fact, simulated cyber attacks on your systems (within stated limits), there is the potential for a penetration test to be much more of a disturbance for your organization.
It is important for both you and the people you hire to have a clearly outlined scope in the agreement. A high-profile case from Iowa highlights what can happen if the scope of the agreement is not clearly outlined.
According to a report from CNBC:
“The state of Iowa contracted with a prominent cybersecurity company to conduct ‘penetration tests’ of certain municipal buildings in September , particularly courthouses. In September, two employees of the [cybersecurity] company were arrested in the course of doing their jobs.”
The employees were charged with burglary and held on $100,000 bail. The charges were ultimately dropped, but not until January 30, 2020.
So, how did things go wrong? Well, several things went wrong. At the most basic level, one of the key things was that the penetration test was held after hours, which the state did not expect to happen. This is just one reason why outlining detailed parameters for penetration testing is critical.
Details matter. Make sure everyone has a clear understanding of the rules of engagement!
Both vulnerability scans and penetration tests should be stepping stones to a safer network. The information alone does nothing to improve the security of your IT infrastructure without remediation of the risks.
The real value is achieved when you use the data from vulnerability scans and penetration tests to develop and implement a rigorous remediation plan that plugs the holes in your infrastructure. That is the ultimate goal.
How Long Do IT Vulnerability Scans & Penetration Tests Take
One of the key differences between these two types of assessments is the time it takes to perform them.
Vulnerability Scan Timeframe
To run the actual vulnerability test typically takes 2-3 hours. After the report is generated, there is some time required to distill the information from the report into actionable items.
Penetration Test Timeframe
An IT penetration test is more creative and can last anywhere from several days to several weeks, including the time needed to prepare a report.
How Much Do IT Vulnerability Scans & Penetration Tests Cost?
Another key difference between these two assessments is how much they cost.
The cost of a vulnerability scan can vary depending on the size and complexity of your network infrastructure.
In general terms, it will cost an organization with a small environment around $2,000 to scan, generate results and distill the results.
A quick internet search shows that the average cost of a penetration test ranges from $4,000 for a small organization (simple test) to hundreds of thousands of dollars (or sometimes more) for a complicated environment with complex systems.
What Kind Of Testing Does Your Organization Need?
Now you know the difference between vulnerability scans and penetration tests. You know what each is designed to do, how long they take, and how much they cost.
You may be wondering whether your organization would benefit from one or both kinds of network analysis.
In an ideal world, organizations would perform both kinds of testing and then develop a remediation strategy to eliminate any holes in the IT infrastructure.
If resources and time are limited, the minimum any organization should do is a vulnerability scan. This will provide a starting point for remediation efforts to strengthen the security of the organization’s network.
If an organization has had vulnerability scans showing few or no significant risks, a penetration test is a logical next step to yield a deeper dive and identify additional vulnerabilities. By understanding and incorporating this enhanced data into the remediation strategy, the organization's IT infrastructure will be even more secure.
At Kelser, a managed services provider (MSP), we have helped hundreds of customers test their networks for vulnerabilities. We know that managed IT isn’t right for everyone, but if you looking for a strategic MSP partner that you can trust to secure your network, we're the company for you.
If you're curious about what MSPs do, take a deeper dive into the different services MSPs provide in this article: What Does A Managed Services Provider Do?
Learn more about how Kelser can help you determine (and enhance) the security of your unique IT network, by filling out the form below and one of our highly qualified specialists will contact you.