
Ask the Expert: Does your organization need both vulnerability scanning and penetration testing?

By Katie Taisey

The short answer is: Yes! We hear in the news almost daily about organizations that have fallen victim to ransomware attacks. During a ransomware attack, a hacker or hacking organization gains access to a computer network and encrypts data, making it unusable. The hackers then demand payment for the key that can unlock the data. The consequences of a ransomware attack for businesses can be dire: it has been estimated that half of the small businesses that suffer a cyber-attack go out of business within six months as a result. It is important, though, to understand that not every cybersecurity breach results in a catastrophic ransomware attack. Other attacks might infect your computers with malware that turns the device into a bot (short for robot), which is then used as part of a botnet (a network of bots) to perform larger coordinated attacks. These coordinated attacks can be used to launch distributed denial of service (DDoS) attacks or even massive phishing campaigns targeted at much larger organizations. While a company might not be the direct target of these attacks, being a victim of the malware/bot infection can severely degrade both computer and network performance. So, how do hackers gain access or infect devices with malware? Hackers often use known vulnerabilities or flaws in systems to launch their attack.


Vulnerabilities are the gateway for hackers-in-the-wild to gain access to a system. To answer that question, we need to take a step back and understand what exactly a cybersecurity vulnerability is. According to the National Institute of Standards and Technology (NIST), a vulnerability is “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” In 1999 the MITRE Corporation launched what is known as the Common Vulnerabilities and Exposures (CVE) List. The CVE List is a list of records, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities. In 2005 NIST launched the U.S. National Vulnerability Database (NVD), a database of all known CVEs. The NVD builds upon the CVE records to provide enhanced information for each vulnerability, such as fix information, severity scores, and impact ratings. Wow, that was a lot of information; what does it all mean? Simply put, there are many resources available to help identify, track, and remediate cyber vulnerabilities! CVE records are used in numerous cybersecurity products and services to perform vulnerability scanning. Each CVE is given a severity score that places it in one of four categories: critical, high, medium, and low. Critical vulnerabilities found on a network after a scan should be patched or remediated within 30 days, high within 30-60 days, medium within 60-90 days, and low within 180 days.
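As an added illustration (not part of the original column), a small Python triage script that applies the remediation windows above to findings from a vulnerability scan: it assumes the scanner reports CVSS v3 base scores, uses constructed placeholder CVE ids, and orders the patch queue by how close each finding is to breaching its window.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Remediation windows stated in the column; where it gives a range
# (high 30-60, medium 60-90) the upper bound is used as the hard deadline.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

def severity_from_score(score: float) -> str:
    """Map a CVSS base score (assumed CVSS v3 scale) to the column's four categories."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"  # CVSS v3 labels 0.0 "None"; the four-category scheme folds it into low

@dataclass(frozen=True)
class Finding:
    cve_id: str       # placeholder ids below; real ids come from the scanner's CVE data
    host: str
    cvss: float
    first_seen: date  # date the scanner first reported it; the SLA clock starts here

def triage(findings: list[Finding], today: date) -> list[dict]:
    """One row per finding, least time remaining first, so the patch queue follows SLA risk."""
    rows = []
    for f in findings:
        severity = severity_from_score(f.cvss)
        deadline = f.first_seen + timedelta(days=SLA_DAYS[severity])
        days_left = (deadline - today).days
        rows.append({"cve_id": f.cve_id, "host": f.host, "severity": severity,
                     "deadline": deadline, "days_left": days_left, "overdue": days_left < 0})
    return sorted(rows, key=lambda r: r["days_left"])

# Constructed sample scan output and report date; the CVE ids are placeholders, not real entries.
SAMPLE_TODAY = date(2024, 4, 15)
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "fileserver01", 9.8, date(2024, 3, 1)),
    Finding("CVE-EXAMPLE-0002", "web01", 7.5, date(2024, 3, 1)),
    Finding("CVE-EXAMPLE-0003", "web01", 5.3, date(2024, 3, 1)),
    Finding("CVE-EXAMPLE-0004", "printer02", 2.1, date(2024, 3, 1)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, SAMPLE_TODAY):
        status = f"OVERDUE by {-r['days_left']} days" if r["overdue"] else f"{r['days_left']} days left"
        print(f"{r['cve_id']} {r['host']:<13} {r['severity']:<8} due {r['deadline']}  {status}")
```

With the sample data the critical finding is already 15 days past its 30-day window on the report date, while the low finding still has 135 days; feeding real scanner exports into `SAMPLE_FINDINGS` is all that is needed to use it on a live network.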


Vulnerability scanning involves identifying well-known vulnerabilities using the CVE data described above. Penetration testing involves actively attempting to exploit those well-known vulnerabilities and other configuration weaknesses to emulate a hacker-in-the-wild. Using the same tools and techniques as malicious hackers, penetration testers uncover security weaknesses that could lead to compromise, ransomware, or data loss. Penetration testers are often referred to as ethical hackers, and their goal is to determine how exploitable a computer network's vulnerabilities really are and how easily an attacker could move within the network. Penetration testing should be done by an independent third party, while vulnerability scanning can be done regularly by the IT department or managed IT provider.


Penetration testing is defined by the needs of the business; the scope, budget, and timeline all shape the engagement. For example, an external network penetration test is an attack aimed at discovering the security posture of a business against internet-based attacks. The goal of an external penetration test is usually to determine the level of sophistication required to gain internal access. Another common penetration test is an attack against the internal network. Businesses pursuing this type of test are interested in learning how far within the internal network a malicious hacker could go to gain access to systems, client records, and other sensitive information.


Vulnerability scanning, when done correctly, is ongoing and never ends. Scanning with automated tools can be resource-heavy and may need to be scheduled during non-peak business hours. Penetration testing, unless otherwise required for compliance, is recommended annually or after any major or significant change to the systems.


Over the last several years, there has been a dramatic shift in cybersecurity insurance policy requirements. Gone are the days of simple checklists and self-attestation stating that an organization is secure. It would not be surprising to see ongoing vulnerability scanning become a requirement for obtaining a cybersecurity insurance policy in the future. Penetration testing is already a requirement under many industry compliance regimes and may soon be required to obtain a cost-effective cybersecurity insurance policy as well. So, does your organization need vulnerability scanning and penetration testing? Yes! Vulnerability scanning and penetration testing have the same goal: to support and improve an organization and reduce the risk of a cyber-attack. Vulnerability scanning should be done regularly (daily if possible), while penetration testing should be done annually at a minimum.