Vulnerability scanning vs penetration testing

futurethat88

Can someone clarify the defining difference between these two concepts? I seem to have difficult distinguishing between them and often answer questions on practice tests incorrectly regarding these.

Is there a specific time that vulnerability scanning is used? Apparently it is done when assessing security policies. :

When is penetration testing done? Is it after new policy has been enacted to ensure it is up to snuff? :

I am taking the test on the 27th and have finished Lammle's and Meyer's material. I feel okay about it but still somewhat nervous. Getting some clarification would help ease my anxiety.

cisco_nerd

Normally one would perform pen testing to ensure the security policies and configurations have been completed correctly before these configs are implemented into a live network or system, e.g. firewall settings, NIDSs etc.

Usually vulnerability scans, are just that, they are used to scan for weakness in a network that can be exploited, i.e. a poorly hardened SMTP server, or centralised Active Directory server.

Does this help with your query?

Good luck with your exam!

futurethat88

So I am feeling comfortable saying that a vuln scan is a proof of concept of the potential of attack and a penetration test is actually attacking a system in place in order to actually demonstrate failure. : :

Is this a correct interpretation?

erpadmin

Have a look around Qualys' web site and their free ebook. You will get a better idea of vulnerability scanning:

e-Book: "Vulnerability Management for Dummies"

A pen test is when I want an entity to try to break in without them necessarily knowing what vulnerabilities the organization has. They are trying to see if they can find the holes and if they find them, they let us know what we have. My organization does use Qualys for vulnerabilty scanning. We then apply whatever patch to close up the vulnerability.

fss

futurethat88 wrote: »

So I am feeling comfortable saying that a vuln scan is a proof of concept of the potential of attack and a penetration test is actually attacking a system in place in order to actually demonstrate failure. :

Is this a correct interpretation?

I wouldn't necessarily say that. You can pen test before or after you implement a particular security policy/policies, just as you can vulnerability scan before/after.

Vulnerability scanning is more "passive" in that you are just looking for holes. Pen testing is the active component- the tester is actively trying to get into whatever your policy is trying to keep them out of. Instead of just looking for a hole, you're exploiting it.

cyberguypr

Look for clues in questions regarding vulnerability scans and pen testing. The key is that vulnerability scans are passive, you just look to see whats wrong. On the other hand, pen testing goes a step further and tries to actively exploit security holes.

Bottom line: Vulnerability scans do not disrupt anything. Pen testing can cause serious problems and affect production.

cisco_nerd

futurethat88 wrote: »

So I am feeling comfortable saying that a vuln scan is a proof of concept of the potential of attack and a penetration test is actually attacking a system in place in order to actually demonstrate failure. : :

Is this a correct interpretation?

Not entirely, no. As already mentioned here, the vulnerability scan is to find what holes may already exist within a system, where pen testing finds out what's inside those holes and how to obtain information and exploit those weaknesses.

xenodamus

A vulnerability scan is a scan that tells you what your vulnerabilities are.

A penetration test is usually performed by an outside organization that will test your security perimeter in an attempt to penetrate it.

The main points I got from the book I read were:

Vulnerability Scans are usually performed from INSIDE your security perimeter and are not disruptive to the operation of your network.

Penetration Tests are usually performed from OUTSIDE your security perimeter in an attempt to actually penetrate your defenses. These can be disruptive to your network.

incry6t

for security+, just remember pen test has potential to disrupt services and usually need management's approval. pen test is "harmful" to the server.

ibcritn

Vulnerability scanning is a technique used to identify weaknesses on a system typically through the use of an automated vulnerability scanning tool (Nessus, Retina) are some examples. I can't say this enough go play with Nessus! www.insecure.org

Penetration testing is an advanced security assessment. Penetration testing uses vulnerability scanning, but goes a step further to see whats actual possible by attempting to exploit the vulnerabilities.

Penetration testing really helps to identify the level of Risk. When we talk about Vulnerabilities think a potential weakness in a system that a Threat could exploit, which has an associated Risk (or level of business impact).

So penetration testing can certainly be aggressive and take parts of a system down. Although vulnerability scanning is typically passive it can lead to having an impact in a system due to it sending large amounts of traffic across a network. I do think the way CompTIA phrases its questions when you hear impact you might associate penetration testing, but for practical purposes its important to know that vulnerability scanning can impact a system in a negative way.