Many sources and companies often confuse vulnerability assessments and pen testing, but they are quite different.
The significant difference is the manual testing and validation involved, plus actual exploitation and pivoting.
Simply put, a vulnerability assessment is when a company takes an inventory of known vulnerabilities that may affect them, and a pen test is a simulation of an actual attack.
What are the differences between vulnerability scanning and penetration testing?
Vulnerability scanning and pen testing are similar in goal but different in terms of depth. Both look to improve an organization’s security posture by finding weaknesses, but vulnerability scanning relies on being unintrusive. Pen testing goes further.
While pen tests often involve vulnerability scanning, they then exploit them to validate their accuracy and use them to pivot or chain attacks.
Pivoting is a method of attack where one uses a weakness in one system to get to another.
It often occurs once an attacker gets a hold or landing point on a system and uses privilege escalation or credential-stealing to get what is needed to go after a system that doesn’t have an exploitable vulnerability.
Attack chaining is the process where one uses multiple vulnerabilities to obtain a larger compromise.
For example, if an attacker can read a file’s contents that may tell version numbers, then use that to leverage an enumeration attack on user names via a vulnerability and then take advantage of a default password.
These are three minor vulnerabilities that combine into a single larger one, resulting in a more severe finding.
Due to these, pen testing can be more involved than vulnerability scanning, but it yields more findings.
Why might an organization conduct a pen test instead of a vulnerability assessment?
An organization should conduct both tests during the cybersecurity lifecycle. Vulnerability scanning is easier and less intensive than a pen test, so companies often rely on them for a frequent update on their posture and to understand their risks at a given time.
Pen testing is better suited for periodic engagements where teams are able to handle the increased demands.
Scanning is best suited for weekly or monthly cycles; pen testing is better for quarterly or annual cadences as they require more effort to resolve.
Ideally, the internal team will be on top of the findings where pen testing and vulnerability scanning are done at even quicker intervals.
Vulnerability assessment vs. vulnerability scanning
The difference between vulnerability scanning and an assessment is that scanning quantifies and enumerates vulnerabilities, while an assessment uses those findings to make further extrapolations.
Often the latter is used to quantify risk and understand the effects of each vulnerability.
For example, a scan could reveal an out-of-date service, but an assessment would show the risk to be minimal as that service is disabled.