Better Together: How Pen Testing Helps Take Vulnerability Assessments to the Next Level
They don’t compete and they aren’t the same. But they are both invaluable to ferreting out and fixing problems within your security architecture. Vulnerability assessments and pen testing – contrary to popular belief – are two sides of the same coin.
What’s the difference? Typically, vulnerability scanning is a broader, automated endeavor, detecting a wide variety of vulnerabilities. A penetration test, or pen test, has a narrower scope, with security professionals investigating and attempting to exploit specific system vulnerabilities to see how and if they can do harm. When paired together, a vulnerability scan can identify vulnerabilities and a pen test determines if a potential vulnerability is truly exploitable and if it could lead to data compromise.
In other words, one augments the other. Penetration testing builds on the work of vulnerability management solutions, taking the next steps to evaluate the security of an IT environment and further prioritize risk. While this gives the general idea, let’s dive deeper to further understand how to leverage both in tandem to their maximum capability.
What’s in a Vulnerability Management Program?
Vulnerability management is the continual process of identifying, evaluating, reporting, managing, and then remediating IT infrastructure vulnerabilities. It is done in several parts:
- Identify
- Prioritize
- Assess
- Remediate
- Verify
- Report
And then, of course, identify all over again and begin the cycle afresh. In order to do this, several components need to be at play within a vulnerability management program.
A vulnerability assessment is a single point-in-time snapshot of network security. Vulnerability scanning is the automated process used to get your vulnerability assessment. It tells you the security status of devices attached to the network and can be run on an individual or enterprise-wide IP basis. While there are different types, to be effective, a scan must include all hardware, networks, and applications. Vulnerability scan types include:
- Internal
- External
- Authorized
- Unauthorized
- Comprehensive
- Limited
A vulnerability scan examines an environment, and upon completion, creates a report of the vulnerabilities uncovered. These scanners often list vulnerabilities using CVE identifiers.
Penetration testing, on the other hand, exploits security weaknesses to determine if these vulnerabilities are truly exploitable. Pen testers can use manual or automated technologies to systematically compromise servers, web applications, networks, and other potential points of exposure. Vulnerabilities may be exploited both to gain initial access and to incrementally achieve higher levels of security clearance and deeper access through privilege escalation. Information about any security vulnerabilities successfully exploited through penetration testing can be used to make strategic conclusions and prioritize related remediation efforts.
The process of vulnerability management is never-ending so long as threats continue to proliferate and companies have valuable assets to protect. The best vulnerability management solutions are ongoing, constantly vetting, reporting, and prioritizing whatever needs to get fixed next. Though less frequently deployed, pen testing solutions and services can play their own valuable role in vulnerability management.
Vulnerability Scans and Penetration Tests: The One-Two Punch
While vulnerability scans provide a valuable picture of what vulnerabilities are present, penetration tests can add further insight to that picture with additional context.
Together, both tools can tell you:
- Which vulnerabilities to worry about: A pen test tells you if the vulnerabilities discovered could be leveraged to gain access within your environment. It’s one thing to know you have a weak spot – it's another to know how it would hold up to attack techniques. Designed to imitate the same tactics as cyber criminals, pen testers can help prove the criticality of each vulnerability, letting you know where you should focus your efforts first.
- Which vulnerabilities are protected, and which are not: Some vulnerabilities might be more at risk than others. For example, organizations often have compensating controls like firewalls, AV, Endpoint Detection and Response (EDR), or other data loss prevention tools in place that offset the risk of some of these vulnerabilities. Alternately, a CVE with a severe rating that can only be exploited with direct access to the machine is not going to be an issue if physical access to it is highly controlled, such as a machine in a server room with very limited access. On the other hand, organizations usually don’t have compensating controls in place for all vulnerabilities. Pen testing will find out which ones those are and tell you before a malicious hacker does.
- If low-score CVEs are actually dangerous: Pen testing can also help determine the risk associated with vulnerabilities with lower scores. On the surface, a vulnerability may not look that impactful, but if it can be leveraged and used as a “pivot point” to reach other vulnerabilities or resources, it could have significant consequences for the organization. By layering your vulnerability scans with a penetration test, you can prioritize the risk associated with your vulnerabilities to better suit the needs of your organization. This allows for better remediation planning, since the focus is on what poses real risk rather than on the scores of the vulnerabilities alone.
- If patches are applied properly: Critical vulnerabilities may also have a vendor-developed patch that fixes the issue. However, a patch may not be properly implemented, or the version of the software may not change with the patch, so testing is valuable for determining if it is properly deployed and present. For instance, if a machine is not rebooted right away, a patch may be identified as being present by a vulnerability scanner, but it may not be working. A penetration test can determine the status of the patch.
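The prioritization described above, as an added Python example (not from the original article or from any vendor tool): scanner findings are re-ranked using pen test outcomes, so a validated low-score pivot outranks a severe finding that a compensating control blocked. The outcome labels, host names and `VULN-*` identifiers are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Pen test outcome labels (assumed for this example) mapped to a remediation
# tier: 0 = risk validated, 1 = not validated, 2 = compensating control held.
TIER = {
    "exploited": 0,          # tester gained access through the finding
    "pivot": 0,              # used as a stepping stone to other assets
    "patch_ineffective": 0,  # scanner saw the patch, the flaw was still live
    "not_tested": 1,         # outside pen test scope: fall back to the score
    "blocked": 2,            # a compensating control stopped the attempt
}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str  # placeholder identifier, not a real CVE
    cvss: float   # base score as reported by the scanner

def prioritize(findings, pentest):
    """Order findings by validated risk first, then by scanner score."""
    unknown = set(pentest.values()) - set(TIER)
    if unknown:
        raise ValueError(f"unknown pen test outcome(s): {sorted(unknown)}")
    def key(f):
        return (TIER[pentest.get((f.host, f.vuln_id), "not_tested")], -f.cvss)
    return sorted(findings, key=key)

def rank_shift(findings, pentest):
    """Map vuln_id to (rank by score alone, rank after validation)."""
    by_score = sorted(findings, key=lambda f: -f.cvss)
    validated = prioritize(findings, pentest)
    return {f.vuln_id: (by_score.index(f) + 1, validated.index(f) + 1)
            for f in findings}

# Constructed sample data: four scanner findings and the pen test results.
SCAN = [
    Finding("db01", "VULN-A", 9.8),   # severe score, tightly controlled host
    Finding("web01", "VULN-B", 4.3),  # low score
    Finding("app02", "VULN-C", 7.5),  # scanner reports the patch as present
    Finding("hr-pc", "VULN-D", 8.1),  # not covered by the pen test
]
PENTEST = {
    ("db01", "VULN-A"): "blocked",
    ("web01", "VULN-B"): "pivot",
    ("app02", "VULN-C"): "patch_ineffective",
}

if __name__ == "__main__":
    for vuln, (before, after) in rank_shift(SCAN, PENTEST).items():
        print(f"{vuln}: rank {before} by score -> rank {after} after validation")
```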
Layering Vulnerability Management and Pen Testing Tools
Ultimately, though vulnerability scans and penetration tests are valuable on their own, they work even better together. Vulnerability scans provide consistent visibility into an organization’s environment, while penetration tests can provide additional context on which vulnerabilities are introducing real risk into your infrastructure.
In addition to more insights, time can be saved with vulnerability management and pen test tools that can be integrated to work together. Fortra Vulnerability Management is the industry’s most comprehensive SaaS vulnerability management solution. Proprietary scanning technology gives you a thorough outlay of existing security gaps, and tracks results as you go – on premise, in the cloud, or both. Scans from Fortra VM can be imported into Core Impact, an automated pen testing solution ideal for running advanced penetration tests with ease.
Core Impact can take imported scan data from Fortra VM and automatically validate vulnerabilities to determine if any of them can be exploited and identify what business-critical assets and data can be accessed through that exploit. By combining these tools, organizations get the security essentials needed to proactively protect their networks, gaining real-world risk context that can intelligently guide plans for remediation.