Penetration Test vs. Vulnerability Scan: What is the difference?

April 1, 2022 Mike Smith

What is the difference between a penetration test and vulnerability scan, for cybersecurity?

In the video below, Mike explains the main differentiators, including how a vulnerability scan is often part of a good penetration test. He also discusses how a pen test addresses the question “And then what?”

About Mike

Mike Smith AeroCom

Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

What is the difference between penetration testing and vulnerability testing? Well, I thought I kind of knew the difference, but then I had some training calls with actually a certified ethical hacker, who is doing a lot of penetration testing for third-party companies, and is actually a penetration tester. And one of the things that got brought up, I was asking him, I said, “Well, hey, what are some of the things that a lot of companies as you start to do the penetration testing, what are some of the things that you notice a lot of companies aren’t aware of?” And the first thing he said was, “A lot of companies don’t understand the differences between vulnerability tests and penetration tests.” And so I thought that was interesting.

I thought that I knew the differences, but he actually told me a couple things, too, that I wasn’t really aware of. So I wanted to make a video on that.

Quick Recommendation

But before I get started really quick, just a quick little house cleaning advertisement here. If you want my recommendations on the best penetration testing companies for your company or vulnerability tests for your company, don’t Google it. Just reach out and contact me on email or phone (714.593.0011). I’m a broker for all these different companies. More information on that at the end of the video.

Software vs. People

Okay, so what is the difference between a vulnerability test and a penetration test?

Well, the easy thing right out of the gate is that a vulnerability test is usually just using software to scan the network for vulnerabilities, whereas a penetration test usually takes it a step further.

Vulnerability Scans are Part of Pen Testing

And if you’re using a good penetration testing company, they’re using certified ethical hackers to go further than a vulnerability test can go. So they’re adding the human element into it.

So if you think about it, a vulnerability test is always part of a penetration test, but not vice versa. So you could do a vulnerability test by itself. You could just run a software scan vulnerability test, but you can’t do a penetration test, at least not a good one, without a vulnerability test. So the vulnerability test is always part of a good penetration test. You want to scan the network first for some obvious vulnerabilities and then take it a step further, adding the human element to it. So that’s easy right out of the gate.

“And then what?”

Another way to think about it is that a vulnerability test lacks context because it’s just a software scan. So it’s going to scan your environment for possible holes, vulnerabilities. But it’s lacking the context of “and then what?”

So think about that phrase “and then what,” and that’s where the penetration test comes in. So a vulnerability scan might show you something like, “Hey, there’s a port open on your firewall,” but what the vulnerability scan cannot show you is that, yes, but if you try to get in that way you’re going to get blocked by something else. So it’s not taking it a step further. And that’s where a penetration tester would come in and say, “Okay, hey, there’s an open port on the firewall. Let me see if I can get in.” And then they go, “Oh no, I can’t get in that way because I’m blocked by something else.”

False Positives

So a vulnerability scan is automatically going to be prone to a lot of false positives. So they are definitely two different things. A vulnerability scan is a software scan that lacks context. A penetration test is a deeper analysis of specific ways you’re definitely vulnerable. And with penetration tests, you can do white box testing, gray box testing, black box testing. As I mentioned before, you can do external testing. You can do internal testing, you can do physical security.
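The “and then what?” point and the false-positive point above can be shown in code. This is an added defender-side triage example, not something from the video or from AeroCom: it takes constructed scanner findings (“port open on host X”) and checks them against a constructed first-match firewall ACL with default deny, so a finding the scanner reported from inside the network is downgraded when an outside source cannot actually reach it. The ACL semantics, sample addresses and rules are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str


@dataclass(frozen=True)
class AclRule:
    src: str       # CIDR the traffic comes from
    dst: str       # CIDR it is going to
    port: int      # 0 means any port
    action: str    # "allow" or "deny"


def reachable(rules, src_ip, dst_ip, port):
    """First-match ACL walk with an implicit default deny (assumed semantics)."""
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src)
                and ip_address(dst_ip) in ip_network(r.dst)
                and r.port in (0, port)):
            return r.action == "allow"
    return False


def triage(findings, rules, outside_src):
    """Add the 'and then what?' context: is the open port reachable from outside?"""
    verdicts = {}
    for f in findings:
        if reachable(rules, outside_src, f.host, f.port):
            verdicts[(f.host, f.port)] = "reachable from outside: validate by hand"
        else:
            verdicts[(f.host, f.port)] = "blocked upstream: likely false positive, still fix"
    return verdicts


# Constructed sample data, not taken from any real environment.
SAMPLE_FINDINGS = [Finding("10.0.1.10", 22, "SSH service exposed"),
                   Finding("10.0.1.20", 443, "TLS service accepts weak cipher")]
SAMPLE_RULES = [AclRule("0.0.0.0/0", "10.0.1.20/32", 443, "allow"),
                AclRule("10.0.0.0/8", "10.0.0.0/8", 0, "allow"),  # scanner sits inside
                AclRule("0.0.0.0/0", "10.0.0.0/8", 0, "deny")]

if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_FINDINGS, SAMPLE_RULES, "203.0.113.5").items():
        print(key, verdict)
```

The internal scanner sees both ports open (the second rule allows all 10/8 traffic), but only the HTTPS host is reachable from outside; the SSH finding is the kind of result a human tester confirms or discards.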

There’s a lot of different types of penetration testing. And if you want to see what those are, you can watch my other videos, but I hope that helps give you some idea of the difference between a vulnerability test and a penetration test.

Those are two different things that sometimes people mix up and use the same semantics for one versus the other, but they’re really two completely different things. I hope that helps a little bit.

Which Pen Testing Company is the Best Fit?

If you’d like my recommendations again on the best penetration testing companies to run a formal penetration test for your company or a vulnerability scan for your company, or maybe both, obviously, reach out and contact me by email or by phone (714.593.0011). Don’t start Googling it. Don’t try to see who the most popular person on the web is for doing this. You’ll probably reach out and find the wrong person.

Reach out and contact me. I’m a broker for all the major cybersecurity service providers out there. And based on your company’s requirements, I can pair you up with the best small handful of companies that you should be quoting for your organization specifically. And the nice thing is that if you find the right company among the ones I recommend to you and you end up purchasing from them, that company will pay me a broker fee, so you don’t have to pay me for my brokering services at all.

So there’s no excuse not to at least call me and ask me for my recommendations. I’ve been doing this for many, many years and can really help you save a lot of time and get with the right vendors right away. So if the video was helpful, don’t forget to hit the like and subscribe button down below and I will catch you on the next one.
