Vulnerability scanning vs penetration testing
futurethat88
Member Posts: 22 ■□□□□□□□□□
in Security+
Can someone clarify the defining difference between these two concepts? I seem to have difficult distinguishing between them and often answer questions on practice tests incorrectly regarding these. 
Is there a specific time that vulnerability scanning is used? Apparently it is done when assessing security policies.
:
When is penetration testing done? Is it after new policy has been enacted to ensure it is up to snuff?:
I am taking the test on the 27th and have finished Lammle's and Meyer's material. I feel okay about it but still somewhat nervous. Getting some clarification would help ease my anxiety.
Is there a specific time that vulnerability scanning is used? Apparently it is done when assessing security policies.
:When is penetration testing done? Is it after new policy has been enacted to ensure it is up to snuff?
:I am taking the test on the 27th and have finished Lammle's and Meyer's material. I feel okay about it but still somewhat nervous. Getting some clarification would help ease my anxiety.
Comments
Usually vulnerability scans, are just that, they are used to scan for weakness in a network that can be exploited, i.e. a poorly hardened SMTP server, or centralised Active Directory server.
Does this help with your query?
Good luck with your exam!
Is this a correct interpretation?
e-Book: "Vulnerability Management for Dummies"
A pen test is when I want an entity to try to break in without them necessarily knowing what vulnerabilities the organization has. They are trying to see if they can find the holes and if they find them, they let us know what we have. My organization does use Qualys for vulnerabilty scanning. We then apply whatever patch to close up the vulnerability.
I wouldn't necessarily say that. You can pen test before or after you implement a particular security policy/policies, just as you can vulnerability scan before/after.
Vulnerability scanning is more "passive" in that you are just looking for holes. Pen testing is the active component- the tester is actively trying to get into whatever your policy is trying to keep them out of. Instead of just looking for a hole, you're exploiting it.
Bottom line: Vulnerability scans do not disrupt anything. Pen testing can cause serious problems and affect production.
Not entirely, no. As already mentioned here, the vulnerability scan is to find what holes may already exist within a system, where pen testing finds out what's inside those holes and how to obtain information and exploit those weaknesses.
A penetration test is usually performed by an outside organization that will test your security perimeter in an attempt to penetrate it.
The main points I got from the book I read were:
Vulnerability Scans are usually performed from INSIDE your security perimeter and are not disruptive to the operation of your network.
Penetration Tests are usually performed from OUTSIDE your security perimeter in an attempt to actually penetrate your defenses. These can be disruptive to your network.
Penetration testing is an advanced security assessment. Penetration testing uses vulnerability scanning, but goes a step further to see whats actual possible by attempting to exploit the vulnerabilities.
Penetration testing really helps to identify the level of Risk. When we talk about Vulnerabilities think a potential weakness in a system that a Threat could exploit, which has an associated Risk (or level of business impact).
So penetration testing can certainly be aggressive and take parts of a system down. Although vulnerability scanning is typically passive it can lead to having an impact in a system due to it sending large amounts of traffic across a network. I do think the way CompTIA phrases its questions when you hear impact you might associate penetration testing, but for practical purposes its important to know that vulnerability scanning can impact a system in a negative way.
Next Up: Linux+/RHCSA, GCIA