The Difference Between Vulnerability Scans and Vulnerability Assessments
You Ran a Vulnerability Scan, Now What?
“We are using a vulnerability scanning solution, so we’re secure” is something we, unfortunately, hear too often.
Don’t get me wrong, it’s great, you checked the vulnerability scan off your security to-do list! You ran a vulnerability scan and fixed the findings. What could possibly go wrong, right?
What a vulnerability scan doesn’t tell you
Knowing how to run a vulnerability scan and getting a list of vulnerabilities doesn’t make you a security specialist. You may think you know what a security assessment is, but the reality is that you might not.
Some organizations know this and others don’t, for the simple reason that they don’t know what is truly at stake. Most of the time, they don’t even know what they need in the first place.
We frequently notice that our customers know they have vulnerabilities, but what they fail to realize is the damage these vulnerabilities can have on their business.
Different security assessments exist for different purposes. Running a vulnerability assessment is a good starting point: it focuses on the most critical assets of your environment that support the business and detects where vulnerabilities might be.
The goal of a vulnerability assessment is not only to scan for and list all the vulnerabilities in your network, but also to explain what can be achieved if they are exploited.
This key step is often overlooked.
Beware of the Vulnerability Scan Disguised as a Vulnerability Assessment
There are many self-proclaimed, and often shady, security companies claiming to conduct a “vulnerability assessment”, or using the term “pentest”, for what is in reality a vulnerability scan. However, a scan only corresponds to a portion of a vulnerability assessment.
What usually happens is that they install a vulnerability scanner, Nessus for example, which is a great and affordable security solution ($1,000/year). They run the tool, export the PDF and review the report. The problem is that they don’t understand how these vulnerabilities can be exploited or what risk your company may be facing.
Bottom line is, you may end up spending over $1,000 for a scan that you could have run yourself and, if worst comes to worst, you still don’t have a clue about how vulnerable your business is.
Fixing Scan Vulnerabilities Doesn’t Ensure Security
“Nothing happened so far, so we’re okay”.
Scanners won’t give you all the results in their reports. They work in a simple, robotic and binary way: they send a request and check the answer. A scanner certainly helps the assessment, but it won’t give you the business assessment that provides the context you need to understand the business logic.
Your in-house IT team can run the scanner and fix all the vulnerabilities that were listed. Good for you, you may think, because everything looks clean and safe when you run the scan again! During a vulnerability assessment, you can tell whether an application has previously been tested with a vulnerability scan, because all the basic and common vulnerabilities have been fixed. However, when the logic behind the application is tested with a specific scenario that only a hacker would think of, issues start to surface, and those are the vulnerabilities that become easy to exploit later on in a pentest.
Security specialists have a clear understanding of how things work. You may know about web servers, but not have the level of detail or understanding of how the Transmission Control Protocol (TCP) works. Information security experts marry the vulnerabilities reported by the scanners with their potential exploits and know exactly:
- where it can break, and
- what to do to avoid that.
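To make the “send a request, check the answer” model concrete, here is an added illustration (not code from the original post or from any scanner product) of how a scanner check is essentially a signature match on a response, and what that model cannot see. The product name, the version numbers, the HTTP responses and the invoice-ownership rule are all constructed for this example; nothing touches the network.

```python
"""
Constructed model of a vulnerability-scanner check: send a request, inspect the
answer, match it against a signature. Everything below is illustrative; the
product, versions and responses are made up for this example.
"""
import json
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Signature table in the style scanners use: product -> first version that is
# considered fixed. "ExampleHTTPd" and 2.4.10 are placeholders, not a real advisory.
BANNER_CHECKS = {
    "ExampleHTTPd": (2, 4, 10),
}


def parse_server_banner(headers):
    """Return (product, version_tuple) from a Server header, or None if absent."""
    banner = headers.get("Server", "")
    m = re.match(r"([A-Za-z]+)/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.groups()[1:])


def banner_check(resp):
    """Scanner-style check: the host is 'vulnerable' only if the banner says so."""
    parsed = parse_server_banner(resp.headers)
    if parsed is None:
        return "no_banner"          # nothing to match, so the scanner reports nothing
    product, version = parsed
    fixed = BANNER_CHECKS.get(product)
    if fixed is None:
        return "unknown_product"
    return "vulnerable" if version < fixed else "not_vulnerable"


def assessment_view(resp, requesting_user):
    """What a signature cannot do: judge the answer against a business rule.
    Constructed rule: a user may only read invoices they own.
    Returns True when the response violates the rule, None if not an invoice."""
    try:
        data = json.loads(resp.body)
    except ValueError:
        return None
    return data.get("owner") != requesting_user


# Constructed responses
# 1. Outdated banner: the scanner flags it (true positive).
OUTDATED = Response(200, {"Server": "ExampleHTTPd/2.4.8"}, "<html>ok</html>")
# 2. Same old software, but the banner is suppressed: the scanner is silent
#    although nothing was patched (false negative).
HIDDEN = Response(200, {}, "<html>ok</html>")
# 3. Patched version: correctly not flagged.
PATCHED = Response(200, {"Server": "ExampleHTTPd/2.4.12"}, "<html>ok</html>")
# 4. Fully patched server answering a request for invoice 1042 made by "alice",
#    who owns a different invoice. The response looks perfectly normal to a
#    signature check; only knowledge of the business rule reveals the problem.
LOGIC_FLAW = Response(200, {"Server": "ExampleHTTPd/2.4.12"},
                      '{"invoice": 1042, "owner": "bob", "total": 9800}')


if __name__ == "__main__":
    for name, resp in [("outdated", OUTDATED), ("hidden", HIDDEN),
                       ("patched", PATCHED), ("logic_flaw", LOGIC_FLAW)]:
        print(f"{name:11s} scanner says: {banner_check(resp)}")
    print("logic_flaw  assessor says authorization problem:",
          assessment_view(LOGIC_FLAW, "alice"))
```

The point of the four constructed responses is that the scanner’s verdict depends entirely on what it can pattern-match in the reply: a hidden banner silences it even though nothing changed, and the authorization problem in the last response produces a normal-looking 200 that no signature covers. Deciding that the fourth answer is wrong requires knowing who should be allowed to see invoice 1042, which is exactly the business context the post says a scan cannot supply.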
Pentesting: A Vulnerability Assessment with an Exploit
A penetration test is essentially a vulnerability assessment with an exploit. After getting a report on vulnerabilities, so-called ethical hackers will use them to break into your network and access the critical assets that you are trying to protect.
The client will define the level of access granted to the pentester:
- Black box – no information provided whatsoever.
- Grey box – some information provided, with the same access as an employee with credentials for instance.
- White box – including directions on what to do, code review etc.
Pentesters can perform a variety of exploits, ranging from man-in-the-middle attacks, to capturing traffic, to retrieving domain admin passwords, and can go wherever they want in your environment, on any machine throughout the entire company, to achieve whatever goal has been agreed.
After seeing the different exploitation scenarios, the client realizes the urgency of fixing these vulnerabilities as soon as possible, going beyond the scanner results.
As opposed to a simple vulnerability scan, pentesters come with an external view. They don’t know how the organization is run, so they are not bound by the guidelines and limitations that employees have to follow. Everything is possible from their perspective. The hacker’s ultimate goal is to find a way to break in.
A vulnerability assessment and a pentest only represent a small portion of the security assessments you can conduct to improve your organization’s security posture, and they will not protect you unless you have a comprehensive security program in place.
Conclusion: Understand Your Needs and Risk Appetite
Every organization is different. Therefore, you need to understand the specific assets you need to protect, and know who owns those assets and what their value is. For example, the CFO’s computer carries much more value (and risk!) than the Administrative Assistant’s computer.
Also, it is critical to understand your organization’s risk posture, where the risk might be, where your pain points are, what your security maturity is and where you would like it to be going forward.
Do you have specific compliance requirements you have to meet? Do you have past audit results that revealed certain security gaps you need to address?
Do not simply run a vulnerability scan and get the illusion of being secure after applying the fixes. If you do, you’ve been warned!