Pentests vs. Vulnerability scans
Intrusion tests (penetration tests, or pentests) and vulnerability scans are two operational cybersecurity activities commonly practised in organizations. They are often confused with one another, and IT managers sometimes wonder which of the two is the better option for their context.
In this blog post, we will demystify these two activities.
Vulnerability Scans
The objective of a vulnerability scan is to identify significant security weaknesses in your network (unpatched software, weak configurations, exposed services) that an attacker could potentially exploit to gain a foothold.
To do so, a test is performed with an automated tool called a vulnerability scanner. There are vulnerability scanners for operating systems and network services (e.g. Nessus, OpenVAS) and for web applications (e.g. Acunetix, Burp Suite).
At the end of the scan, the tool generates a report listing the vulnerabilities found in your network along with a severity level, generally a CVSS score from 0 (informational) to 10 (critical), mapped to Low, Medium, High and Critical. Vulnerabilities rated High or Critical should be fixed quickly.
The problem with vulnerability scans is that they list every vulnerability they detect, including false positives that still have to be validated by hand. The generated report can run to hundreds of pages. It is up to you to select the vulnerabilities to fix first, because it is not realistic to fix them all at once.
If you don't have the expertise in-house, hire an external firm to help you prioritize. This lets you focus on fixing the most significant vulnerabilities first.
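As an added example (not part of the original post and not a StreamScan tool), the following Python script shows what that prioritization looks like in practice: it parses a constructed, Nessus-style CSV export, recomputes each finding's severity from its CVSS v3 score instead of trusting the tool's own label, collapses the per-host rows into one work item per vulnerability, and keeps only the High and Critical items sorted worst first. The column names, hosts, plugin numbers and finding names are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the style of a scanner CSV export; the hosts, plugin
# numbers and finding names are illustrative, not results of a real scan.
SAMPLE_CSV = """Plugin ID,CVSS,Risk,Host,Protocol,Port,Name
1,9.8,Critical,10.0.0.5,tcp,445,Remote code execution in file-sharing service (sample)
2,5.3,Medium,10.0.0.5,tcp,80,Server version disclosed in HTTP headers (sample)
3,7.5,High,10.0.0.7,tcp,22,Outdated SSH server version (sample)
2,5.3,Medium,10.0.0.7,tcp,80,Server version disclosed in HTTP headers (sample)
4,0.0,None,10.0.0.7,tcp,22,SSH service detected (sample)
1,9.8,Critical,10.0.0.9,tcp,445,Remote code execution in file-sharing service (sample)
"""

# Qualitative rating scale from the CVSS v3 specification, lowest to highest.
SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]


def severity_from_cvss(score):
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_findings(csv_text):
    """Parse scanner CSV rows into dicts. Severity is recomputed from the
    score rather than copied from the tool's 'Risk' column."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = float(row["CVSS"] or 0.0)
        findings.append({
            "plugin": row["Plugin ID"],
            "name": row["Name"],
            "host": row["Host"],
            "port": int(row["Port"]),
            "score": score,
            "severity": severity_from_cvss(score),
        })
    return findings


def summary_counts(findings):
    """Number of raw findings per severity (what the report's length reflects)."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


def triage(findings, min_severity="High"):
    """Collapse per-host rows into one work item per vulnerability, keep only
    items at or above min_severity, and sort worst first, then by host count."""
    threshold = SEVERITY_ORDER.index(min_severity)
    by_plugin = {}
    for f in findings:
        if SEVERITY_ORDER.index(f["severity"]) < threshold:
            continue  # below the cut-off: left for a later remediation round
        item = by_plugin.setdefault(f["plugin"], {
            "plugin": f["plugin"], "name": f["name"], "score": f["score"],
            "severity": f["severity"], "hosts": set(),
        })
        item["hosts"].add(f["host"])
    items = []
    for item in by_plugin.values():
        item["hosts"] = sorted(item["hosts"])
        items.append(item)
    items.sort(key=lambda i: (-i["score"], -len(i["hosts"]), i["plugin"]))
    return items


if __name__ == "__main__":
    all_findings = parse_findings(SAMPLE_CSV)
    print("raw findings by severity:", summary_counts(all_findings))
    for item in triage(all_findings):
        print(f"{item['severity']:<8} {item['score']:>4}  {item['name']}  "
              f"hosts={','.join(item['hosts'])}")
```

Six raw rows become two work items at the High/Critical cut-off; on a real export with hundreds of hosts this grouping is what turns the report into a fix list. Lowering `min_severity` to "Medium" brings the next tier into scope once the critical items are closed.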
Intrusion tests (Pentests)
During an intrusion test, a cybersecurity specialist (the pentester) puts themselves in the shoes of an attacker trying to break into your network, to see how far they can get: taking control of critical servers, accessing sensitive databases, exfiltrating data, etc. The pentester is given a defined scope and a set amount of time to do the job.
An intrusion test can cover systems reachable from the Internet (external pentest) or systems inside the network (internal pentest).
It can be carried out by an internal resource or by an external cybersecurity firm.
At the end of the test, you receive a report listing the flaws and vulnerabilities identified in your network. It also states which vulnerabilities were actually exploited and how far the tester got (compromising a server, accessing a sensitive database, etc.), and provides recommendations to correct the problems found.
Note that the quality of an intrusion test depends heavily on the experience of the person performing it.
Pentest or Vulnerability Scan?
This table helps you choose according to your objective.
| Criterion | Vulnerability scan | Intrusion test (Pentest) |
| --- | --- | --- |
| Identify security vulnerabilities in your network | YES | YES |
| Attempt to exploit vulnerabilities to get into your network | NO | YES |
| Get an idea of the consequences of an attack (how far an attacker could get) | NO | YES |
| Duration | 1 to 3 days | Several days or weeks |
| Test report indicating vulnerabilities and corrective actions | YES | YES |
| Cost | LOW/MEDIUM | About 3 times the cost of a vulnerability scan |
| Recommended frequency | 4 times a year | Twice a year |
How can StreamScan help you?
StreamScan has long experience in intrusion testing and vulnerability scanning. Our pentest experts can help you enhance your security. We then help you define an action plan that serves as a compass for your corporate cybersecurity strategy.
We can also help you if you are looking for operational defense capabilities (outsourcing your cybersecurity management, 24/7 security monitoring, intrusion detection/prevention technology, etc.).
Talk to one of our experts or call us at +1 877 208-9040.