Penetration test vs. Vulnerability scan

in blog •  5 years ago  (edited)


In the field of information security there are a lot of professionals at work, business is booming, and organizations want to be safe, right? So a lot of organizations contract ethical hackers or security firms to test their environment. What I see in the field is that there is some mix-up between terminology and techniques, often caused by the security professionals themselves.

For instance: a penetration test versus a vulnerability scan. These two are often mixed up, which sets the wrong expectations and leads to organizations (sometimes) paying too much for sham security. I think that's a bad development, because people deserve to be informed honestly.

Some background information:

Vulnerability scanning


A vulnerability scan is, as the name says, a scan for (known) vulnerabilities. Usually automated tools are used that check for already-known weaknesses, missing patches and other documented issues.

The report that comes out of a vulnerability scan is simply a snapshot of the state of a machine, device or environment compared against best practices and a list of security checks. It is a quick check for the presence of known software versions and configurations, without further in-depth research or follow-up steps. You can see a vulnerability scan as step one of a pentest.
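To make the "snapshot compared against known issues" idea concrete, here is an added illustration (not from the original post): a tiny scanner that matches an inventory of installed software versions against a constructed list of known-vulnerable version ranges and reports the matches. The host names, product versions and advisory ids are all made up for the example; note that it only compares versions and never touches the systems.

```python
# Constructed sample data (not real hosts or advisories).
INVENTORY = {"web01": {"openssh": "7.4p1", "nginx": "1.14.0", "bash": "5.0"}}
KNOWN_ISSUES = [
    # (product, first affected version, first fixed version, advisory id, severity)
    ("openssh", "7.0", "7.8", "ADV-EXAMPLE-001", "high"),
    ("nginx", "1.0", "1.16", "ADV-EXAMPLE-002", "medium"),
    ("bash", "4.0", "4.4", "ADV-EXAMPLE-003", "critical"),
]


def version_key(version):
    """Turn '7.4p1' into (7, 4): keep only the leading digits of each dotted part."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, first_affected, first_fixed):
    """True when first_affected <= installed < first_fixed (tuple comparison)."""
    return version_key(first_affected) <= version_key(installed) < version_key(first_fixed)


def scan(inventory, known_issues):
    """Compare every installed version with the known-issue list.

    Nothing is exploited or even contacted: a finding only means the
    recorded version falls inside a published affected range, which is
    exactly the 'snapshot versus known issues' nature of a vulnerability scan.
    """
    findings = []
    for host, packages in inventory.items():
        for product, installed in packages.items():
            for prod, lo, hi, advisory, severity in known_issues:
                if prod == product and is_affected(installed, lo, hi):
                    findings.append({"host": host, "product": product,
                                     "installed": installed, "fixed_in": hi,
                                     "advisory": advisory, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, KNOWN_ISSUES):
        print(f"{f['host']}: {f['product']} {f['installed']} affected by "
              f"{f['advisory']} ({f['severity']}), fixed in {f['fixed_in']}")
```

The bash entry shows the other side of such a scan: version 5.0 is outside the affected range, so no finding is raised even though the product appears in the issue list.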

Pentesting


A penetration test aims to get real insight into the risks and vulnerabilities of a system or environment. Starting from the vulnerabilities found, the pentester tries to obtain real, usable information from the systems by actually exploiting the vulnerability. That way he or she can show the organization that the risk is real. Afterwards the pentester gives advice on how to mitigate those risks, usually in a report with all the facts and figures.

Pentesters often use a Kali Linux distribution, which already comes equipped with a lot of 'hacking' tools the pentester can use to test the environment. See it as an operating system with all the right tools on board; isn't that cool?

Conclusion


Don't mix up (or let yourself be told) that pentesting and vulnerability scanning are the same procedure. They certainly complement each other, but they are different. Whether a company should perform a vulnerability assessment/scan or a pentest comes down to the question of whether they:

  • have the funding (a pentest is far more expensive), and
  • have a risk profile that demands it; in other words, if the information risk is big enough that they really need in-depth knowledge of the state of their environment, then do a pentest.

Stay safe !!!

Peter



This is a fascinating field to work in. With so many online systems there is more risk of compromises. I listen to the Security Now podcast sometimes and it's quite scary as we rely on this stuff.

Have you tried using the #stem tag? This may be good for that tribe.

It is indeed a fascinating field, with a lot of great expertise. There was this report last week that the Dutch Government isn't well prepared for cyberattacks, and I know for a fact we are not the only ones :) It's a business... and no, I didn't know the #stem tag, thanks for mentioning it :)

Very interesting... I've worked in places where they don't even escape the ' character from the SQL Queries. Someday, they'll regret it.

Great information. Back when I was in college there wasn't the differentiation between areas of the field like there is now. It was basically programming and then everything else. This is an area I would have liked to go into had there been the option.
