True or False: Are penetration tests and vulnerability scans one and the same?
If you answered “False”, you are correct. Even so, it can be difficult to understand the difference between the two information security services. While both are incredibly valuable in building a strong threat and vulnerability management program, penetration tests and vulnerability scans are often misunderstood and used interchangeably.
Before defining the two services, let’s start with an analogy from one of our certified audit support team members. Think of a vulnerability scan as walking around the house rattling doorknobs and pushing on windows to see which ones are unlocked or open. Fixing these easy security items, much like locking the garage’s back door or the basement window, helps ensure your house is secure. A penetration test would be entering your home through that open window or unlocked door to emulate a burglar breaking in. By completing this exercise, you expose security weaknesses before someone with bad intentions takes advantage of them.
A penetration test simulates the actions of an external or internal cyber attacker: the tester (an ethical hacker) strives to breach the information security of an organization. Put simply, it can be thought of as a person trying to bypass application controls and “break into” a network system to take data or to seek further access to other internal databases. There are many different tools and techniques an ethical hacker can use as they attempt to exploit critical systems and gain access to sensitive data. By implementing penetration testing, organizations can identify gaps between possible threats and existing controls.
HIPAA One offers penetration testing and ongoing threat management solutions and tools through our trusted partner, TwelveSec. By partnering with TwelveSec, we are able to provide a wide array of services designed to manage threats against your network, including Assurance Services, Security Management Services and Information Security Training Services. HIPAA One also offers free, unlimited post-remediation verification for any risks discovered during the penetration testing project.
Unlike the manual practice of a penetration test, a vulnerability scan is a software tool designed to inspect the potential points of exploit on a computer or network and identify security holes. By checking internet-facing devices against “known” Common Vulnerabilities and Exposures (CVEs), a vulnerability scan can detect and classify system weaknesses in computers, networks and communications equipment. Vulnerability scans are configured for safe checks, meaning the scan will only identify known, unpatched security vulnerabilities on the external IP addresses provided and will not conduct any denial of service (DoS). A free example of a vulnerability scan can be found at www.ssllabs.com; it focuses on encryption and certificate exchange.
There are many software options that may be used for vulnerability scanning, as certain tools are specific to particular types of computing infrastructure. It is important to understand that a vulnerability scanning tool is only as good as the CVE dictionary within the software, and one tool may not be all an organization needs. It is fairly standard for a hacker to use anywhere from 6-10 different software scans to speed up the process of identifying easy ways of bypassing application and infrastructure security controls.
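To make the two points above concrete (a safe check only compares observed versions against a CVE dictionary, and the dictionary limits what a tool can find), here is a small added example of that matching core. It is not HIPAA One’s, TwelveSec’s or Nessus’s code; the CVE entries, product names and inventory are constructed placeholders, and it shows why running more than one dictionary (the 6-10 scans mentioned above) widens coverage.

```python
"""Toy version-matching core of a vulnerability scanner (added example, not vendor
code). Every CVE id, product and host below is a constructed placeholder."""
from __future__ import annotations

# Constructed CVE dictionaries: id -> (product, first affected version, first fixed version).
# A finding is raised when first_affected <= observed < fixed. Two tools rarely ship
# identical dictionaries, so each one sees a different slice of the problem.
CVE_DICT_A = {
    "CVE-0000-0001": ("ExampleHTTPd", "2.4.0", "2.4.50"),
    "CVE-0000-0002": ("ExampleSSH", "7.0", "8.0"),
}
CVE_DICT_B = {
    "CVE-0000-0002": ("ExampleSSH", "7.0", "8.0"),
    "CVE-0000-0003": ("ExampleMail", "1.0", "1.3"),
}

def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.4.50' into (2, 4, 50) so versions compare numerically, not as strings
    (as strings, '2.4.9' would sort after '2.4.50' and be wrongly reported as fixed)."""
    return tuple(int(part) for part in v.split("."))

def is_affected(observed: str, first_affected: str, fixed: str) -> bool:
    o = parse_version(observed)
    return parse_version(first_affected) <= o < parse_version(fixed)

def safe_scan(inventory, cve_dict):
    """Safe check: match each (host, product, version) against the dictionary.
    Nothing is sent to the host here; only reported versions are compared."""
    findings = []
    for host, product, version in inventory:
        for cve_id, (prod, first, fixed) in cve_dict.items():
            if prod == product and is_affected(version, first, fixed):
                findings.append((host, cve_id))
    return sorted(findings)

def scan_with_all(inventory, dicts):
    """Union of findings across several tools' dictionaries."""
    merged = set()
    for d in dicts:
        merged.update(safe_scan(inventory, d))
    return sorted(merged)

# Constructed inventory of internet-facing services, as collected from service banners.
INVENTORY = [
    ("203.0.113.10", "ExampleHTTPd", "2.4.49"),  # affected; only dictionary A knows it
    ("203.0.113.10", "ExampleSSH", "8.2"),       # already fixed: no finding
    ("203.0.113.20", "ExampleMail", "1.2"),      # affected; only dictionary B knows it
]

if __name__ == "__main__":
    print("tool A :", safe_scan(INVENTORY, CVE_DICT_A))
    print("tool B :", safe_scan(INVENTORY, CVE_DICT_B))
    print("merged :", scan_with_all(INVENTORY, [CVE_DICT_A, CVE_DICT_B]))
```

Each tool alone reports one host; only the merged run reports both, which is the practical reason a single scanner is rarely enough.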
HIPAA One includes a Nessus Professional Feed vulnerability scan with each HIPAA security risk analysis software license. Using Nessus Professional Feed, HIPAA One will run a vulnerability scan on external IP addresses during the course of the HIPAA security risk analysis. For more information or to get started, Contact Us today!