Pen testing vs. Vulnerability scanning

Penetration testing and vulnerability scanning are both important parts of cybersecurity. Penetration testing goes a step further than scanning and exploits vulnerabilities, but exploitation isn’t always required to have a solid understanding of where your vulnerabilities are, and a pen test can sometimes be expensive or provide unrealistic results. But if you can’t identify the vulnerabilities in place, it may be challenging to protect your clients against them. Read on to learn about penetration testing and vulnerability scanning, and how we can realistically use them to increase our overall security posture.

What is penetration testing?

Penetration testing, or as most people in the IT security field call it, pen testing, is the testing of software and hardware for vulnerabilities or weaknesses that an attacker could exploit. In the IT industry, this usually applies to, but is not limited to, personal computers, networks, web applications, or my personal favorite, physical security. Also known as “red teaming,” pen testing is conducted by everyone from government agencies, law enforcement, and the military to private companies.

Penetration testing is a great way to evaluate the actual cybersecurity of your company after you’ve got your protections in place. But pen testing can be expensive, and I’ve seen many organizations get a pen test but limit the scope so much that the results become unrealistic. Remember, attackers aren’t going to limit their scope at all, so we want to make sure we’re simulating something that’s closest to a possible cyberattack scenario.

The biggest advantage of a penetration test is proving that the vulnerabilities found can be taken advantage of and will cost your company its reputation, time, and money. Consider this: What would make a bigger impact? A report showing your website is vulnerable to SQL injection, or a report showing that your website was compromised and information was stolen because of the SQL injection vulnerability, and that through this database manipulation the attacker was able to spread laterally across the network to steal information and spread ransomware?

What is vulnerability scanning?

Another option to verify the security of your company and make it more difficult to breach is vulnerability scanning. Vulnerability scanning is typically done on an ongoing basis, so you always have the most up-to-date results. Once you implement a patch or fix, you scan again and confirm the vulnerability has been removed. This cycle is ongoing, so you’re constantly patching and scanning, increasing your overall security posture with each cycle.

Just like penetration testing, there are several types of vulnerability scans. One of the most common vulnerability scans is an endpoint scan. With an endpoint scan, we use an automated tool to scan all endpoints for missing system and third-party patches. Once we identify these vulnerabilities, we can get to work on patching them or putting in other measures to offset that risk. There are also web application scans and full network scans, but today we’re going to focus on endpoint scans.

How ConnectWise can help

There are many different tools out there to run endpoint vulnerability scans—some are free, most are paid—but one of the most difficult pieces of vulnerability scanning is getting the results out in a nice, human-readable format. If you’re reading this, chances are you want to do vulnerability scanning as a service or use it to introduce other services to an organization. If you can’t provide a clear report to these customers, what are the chances they are going to pay attention to what you say?

ConnectWise Risk Assessment is an easy solution to your problem. Besides scanning for missing patches, we also check in on the health and hygiene of your endpoints. Is remote desktop protocol (RDP) enabled? What sort of protection do you have on your endpoints? We run in-depth security assessments to help increase the overall security posture of the organization. We also check for any exposed emails on the dark web, but that will have to be another discussion.

Once these scans are completed, you get two preformatted, easy-to-read reports. One is designed to be a high-level executive summary that provides important snapshots to your clients. The other version is a more technical report that identifies specific vulnerabilities, the overall risk score of each vulnerability, and what we need to do to take care of it.

Both penetration testing and vulnerability scanning are very important things to consider when hardening your networks and increasing your security posture, but they fill different needs. I always recommend starting out with vulnerability scanning, confirming that you are patching these vulnerabilities, and then moving on to a penetration test. But don’t stop the vulnerability scanning, as that’s an ongoing process, and you can use the penetration test to validate your results.