Many people inaccurately use "vulnerability scan" or "vulnerability assessment" as synonyms for "penetration test", while others describe the differences as though you have to choose one or the other. Vulnerability assessments use automated tools to search for and report on the known vulnerabilities present in an organization's IT infrastructure. Penetration tests, as they relate to vulnerability assessments, are conducted by testers who investigate whether a vulnerability can actually be exploited and how severe the resulting harm would be. Pen testing makes vulnerability assessments more valuable by establishing how likely a vulnerability is to be compromised and what the associated risk is if it is. This gives vulnerability program managers a way to prioritize and manage risk more effectively.
Vulnerability Scans, CVEs, and the CVSS
There are many vulnerability scanners to choose from, including Burp Suite Professional for web applications and Nessus and Qualys for network and host scanning, to name a few. While there are distinct differences between them, vulnerability scanners are, in general, relatively straightforward: they examine an environment and, upon completion, produce a report of the vulnerabilities uncovered. These reports usually identify each vulnerability by its CVE identifier.
The Common Vulnerabilities and Exposures (CVE) system, maintained by MITRE, is a reference list that gives each publicly known vulnerability an ID number, a description, and at least one public reference. It has become the standard way to identify vulnerabilities and is used by the U.S. National Vulnerability Database (NVD) and other databases around the globe. For instance, the well-known Microsoft Remote Desktop Services vulnerability BlueKeep is CVE-2019-0708.
These CVEs are also given a rating using the Common Vulnerability Scoring System (CVSS), which expresses severity on a scale of 0 to 10. The six base metrics most people learn (access vector, attack complexity, authentication, confidentiality, integrity, and availability) are those of CVSS v2; CVSS v3 replaced authentication with privileges required and added user interaction and scope, so the same vulnerability can carry two different scores depending on which version a scanner reports. Vulnerabilities at the low end of the scale typically pose very little risk to the system. At the high end the risk is deemed much larger, for a variety of reasons. BlueKeep, for example, scores 10.0 under CVSS v2 (9.8 under v3) because it allows unauthenticated remote code execution over the network: an attacker needs no credentials and no existing foothold, only a reachable RDP service.
When a vulnerability scanner produces a report with these descriptions and scores attached, it should be easy to decide which vulnerabilities to focus on, right? Unfortunately, it is not quite so simple. Scanners can uncover thousands of findings, so there may be enough rated High or Critical that further prioritization is still needed. Additionally, the base scores scanners report describe the vulnerability in the abstract and do not account for the circumstances of each individual IT environment (CVSS does define Temporal and Environmental metrics for that, but few scan reports fill them in). This is where penetration tests can help.
Vulnerability Management Augmented with Penetration Tests
While vulnerability scans provide a valuable picture of what vulnerabilities are present, penetration tests add context to that picture by testing whether those vulnerabilities can actually be leveraged to gain access within your environment. Organizations often have compensating controls in place, such as firewalls, antivirus, Endpoint Detection and Response (EDR), or data loss prevention (DLP) tools, that offset the risk of some of these vulnerabilities. Similarly, a CVE with a severe rating that can only be exploited with direct access to the machine poses far less risk if physical access to it is tightly controlled, for example a server in a room that very few people can enter.
On the other hand, organizations rarely have compensating controls in place for every vulnerability, and a control that exists on paper is not necessarily working. Pen testing helps determine whether compensating controls are in place and actually effective against the exploitation paths that matter.
Pen testing can also help determine the risk associated with vulnerabilities that carry lower scores. On the surface a vulnerability may not look impactful, but if it can be leveraged as a "pivot point" to reach other vulnerabilities or resources, it can have significant consequences for the organization. By supplementing your vulnerability scans with a penetration test, you can prioritize the risk associated with your vulnerabilities to better suit the needs of your organization. This allows for better remediation planning, since the focus is on what poses real risk rather than on the scores alone.
Critical vulnerabilities often have a vendor patch that fixes the issue. However, a patch may not be properly deployed, or the software's reported version may not change with the patch, so testing is valuable in determining whether the fix is really in effect. For instance, a machine may not be rebooted right away for a variety of reasons; the patch files are staged on disk, so a scanner that checks file versions or installed-update records reports the patch as present, yet the vulnerable code is still running in memory. A penetration test can determine whether the vulnerability is actually exploitable. BlueKeep is a particularly destructive example of this problem: although Microsoft released a patch in May 2019, there were continued reports of it being exploited for cryptojacking months later, just as NotPetya in 2017 spread through a flaw (MS17-010) that had been patched months earlier and still caused billions of dollars in damage.
In addition to these insights, time can be saved when vulnerability scanners and pen testing tools are integrated to work together. Core Impact can import data from most vulnerability scanners, so you can rapidly validate a scan's output and produce a prioritized remediation plan for your systems' weaknesses based on real-world risk. While vulnerability scans are valuable on their own, augmenting them with penetration testing maximizes their effectiveness, ensuring that you remediate not just the vulnerabilities with the highest scores, but the ones that are introducing significant risk into your infrastructure.