Deciding Between Vulnerability Scanning And Penetration Testing


My clients often confuse scanning and penetration testing. To keep your organisation's Internet presence secure you need to be conducting both external vulnerability scans and penetration tests. If you are storing or transmitting sensitive data over the Internet, particularly cardholder data, then PCI DSS requires quarterly external vulnerability scans (run by an Approved Scanning Vendor) to validate your compliance, and a penetration test at least once a year. These are the minimum requirements to remain compliant; it is prudent to scan and test more often.

Unfortunately there seems to be some confusion about the difference between a vulnerability scan and a penetration test.

What Is A Vulnerability Scan?

The purpose of a vulnerability scan is to identify potential vulnerabilities in your network. Someone with network experience runs a tool such as Qualys, Nessus, Retina, or Internet Scanner against your firewalls, servers, applications, routers, and anything else with an address on your network. The tool compares what it sees (service banners, software versions, configuration settings) against a database of known issues, so it reports known, detectable weaknesses rather than proving that any of them can be exploited. The result is usually a large report that lists every potential vulnerability the scanning tool identified, including some false positives.

You’ll need to run an external vulnerability scan at least once every quarter. If significant changes are made to your applications or network equipment that could introduce new vulnerabilities (a new Internet-facing server, a firewall rule change, a major software upgrade), scan again immediately rather than waiting for the next quarter. It’s a good idea to have your staff run vulnerability scans continuously between the formal quarterly scans. While anyone with network experience can run a scanning tool, it takes expertise to interpret the results correctly: weeding out false positives, deciding which findings are actually exposed, and working out the right course of action to safeguard against the real threats.
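The interpretation step is where most of the effort goes, so here is an added example of what a first pass over a scan export looks like in code. This is not code from the article, its author, or any scanner vendor: it reads a scanner CSV, drops duplicate and informational rows, ranks what remains by CVSS score, groups it by host for the people who will fix it, and applies the PCI ASV pass/fail rule, under which any externally reachable finding with a CVSS base score of 4.0 or higher fails the quarterly scan. The CSV column layout and every row are constructed for the example and only loosely resemble a real Nessus or Qualys export; the plugin numbers are placeholders, and the Heartbleed row reuses CVE-2014-0160, the one vulnerability this newsletter mentions by name.

```python
"""Triage a vulnerability-scan export before handing findings to the fixers.

Added example, not code from the original article or from any scanner vendor.
Assumptions: the CSV columns (Host, Port, Plugin, CVE, CVSS, Risk, Name) are a
simplified, constructed layout; the rows are constructed sample data, not real
scan results; plugin numbers are placeholders; 4.0 is the PCI ASV pass/fail
CVSS threshold for external scans.
"""
import csv
import io
from collections import defaultdict

# PCI ASV scans fail when any finding scores CVSS 4.0 or higher.
PCI_ASV_FAIL_THRESHOLD = 4.0

# Constructed sample export (note the duplicate Heartbleed row and the two
# informational rows that a raw report would list alongside real issues).
SAMPLE_SCAN_CSV = """\
Host,Port,Plugin,CVE,CVSS,Risk,Name
203.0.113.10,443,1001,,0.0,None,SSL Certificate Information
203.0.113.10,443,1002,CVE-2014-0160,5.0,Medium,OpenSSL Heartbeat Information Disclosure (Heartbleed)
203.0.113.10,443,1002,CVE-2014-0160,5.0,Medium,OpenSSL Heartbeat Information Disclosure (Heartbleed)
203.0.113.10,22,1003,,2.6,Low,SSH Protocol Version 1 Supported
203.0.113.11,80,1004,,9.8,Critical,Web server version with a known remote code execution flaw
203.0.113.11,80,1005,,0.0,None,HTTP Server Type and Version
203.0.113.12,3389,1006,,7.5,High,Remote Desktop service exposed to the Internet
"""


def parse_findings(csv_text):
    """Parse the export and drop exact duplicates (same host, port, plugin)."""
    seen = set()
    findings, duplicates = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Host"], row["Port"], row["Plugin"])
        if key in seen:
            duplicates += 1
            continue
        seen.add(key)
        findings.append({
            "host": row["Host"],
            "port": int(row["Port"]),
            "plugin": row["Plugin"],
            "cve": row["CVE"] or None,
            "cvss": float(row["CVSS"]),
            "risk": row["Risk"],
            "name": row["Name"],
        })
    return findings, duplicates


def triage(csv_text):
    """Rank actionable findings, group them by host, apply the PCI ASV rule."""
    findings, duplicates = parse_findings(csv_text)
    # CVSS 0.0 rows are informational (banners, certificates); keep the count
    # so the reviewer knows how much of the raw report was noise.
    actionable = [f for f in findings if f["cvss"] > 0.0]
    informational = len(findings) - len(actionable)
    actionable.sort(key=lambda f: (-f["cvss"], f["host"], f["port"]))
    pci_failures = [f for f in actionable if f["cvss"] >= PCI_ASV_FAIL_THRESHOLD]
    by_host = defaultdict(list)
    for f in actionable:
        by_host[f["host"]].append(f)
    return {
        "pci_pass": not pci_failures,
        "pci_failures": pci_failures,
        "by_host": dict(by_host),
        "informational_dropped": informational,
        "duplicates_dropped": duplicates,
    }


def summarize(result):
    """Render the triage result as the short, prioritised list a fixer wants."""
    verdict = "PASS" if result["pci_pass"] else "FAIL"
    lines = [f"PCI ASV result: {verdict} ({len(result['pci_failures'])} "
             f"finding(s) at CVSS >= {PCI_ASV_FAIL_THRESHOLD})"]
    for host, host_findings in sorted(result["by_host"].items()):
        lines.append(f"{host}:")
        for f in host_findings:
            cve = f" [{f['cve']}]" if f["cve"] else ""
            lines.append(f"  {f['cvss']:>4}  {f['risk']:<8} {f['port']:>5}/tcp  {f['name']}{cve}")
    lines.append(f"dropped {result['informational_dropped']} informational and "
                 f"{result['duplicates_dropped']} duplicate row(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_SCAN_CSV)))
```

On the sample data the script fails the PCI check on three findings (the outdated web server, the exposed Remote Desktop service, and Heartbleed) and sets the low-scoring SSH finding aside; the duplicate row and the two informational rows are counted rather than silently lost, so the reviewer can see how much of the raw report was noise. The point of the script is the ordering and the threshold, not the parsing: the same logic applies whichever scanner produced the export.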

What Is A Penetration Test?

Often using the information gathered by a vulnerability scan, a penetration test takes things to the next level. Its purpose is to actually exploit the vulnerabilities found and compromise devices on your network, demonstrating what an attacker could reach rather than listing what might be wrong. Testers typically use exploitation frameworks such as Metasploit, Canvas, or Core Impact alongside manual techniques.

Using exploits written by hackers and other penetration testers, the tester will attempt to breach your system architecture. The result is a report that details the method of attack, the exploit used, and the value of the data exposed. It should also separate confirmed compromises from scanner findings that turned out to be false positives, note any breach that didn’t result in data loss, and include suggestions for how to address the problems found.

You’ll need to run a penetration test at least once a year. It takes a real expert to conduct a penetration test and use the tools correctly. If the tester is not properly qualified then there’s a real risk that the test itself disrupts production systems, or that they leave something behind (test accounts, uploaded tools, backdoors used during the engagement) that compromises your system.

Penetration tests should always be run by outside agencies with a proven track record. You also need to engage a vendor that you trust, agree the scope and rules of engagement in writing, and arm them with the information they need to understand your infrastructure. Don’t forget to put an NDA in place first.

The Comparative Cost

It’s worth bearing in mind that there is a significant cost difference between vulnerability scanning and penetration testing. You can have internal staff running vulnerability scans and there is a level of automation available with some software tools. Remember to factor your staff time into the cost and consider having an outside expert cast an eye over the reports to ensure nothing important is missed.

The scope of your testing, the methodology employed, and the qualifications of your chosen vendor will dictate the cost of penetration testing, but it is obviously a lot more expensive than vulnerability scanning. Be wary of receiving extremely low quotes for a penetration testing service because inadequate testing is going to leave you exposed to risk.

You want a concise report from a penetration test and you should make sure the provider is available to assist with remediation. You need to be sure that the suggested fixes have been implemented correctly and that any dangerous vulnerability has been eliminated.

Don’t Scrimp On Security

A sensible security strategy includes vulnerability scanning and penetration testing. It’s worth bearing in mind that the cost of a security breach will far outweigh the cost of penetration testing. Data loss in the real world can be difficult to detect and very expensive and time-consuming to fix. You also need to factor in the cost of any fines, potential damage to your reputation, and the loss of business that will result.


By Michelle Drolet, founder and CEO, Towerwall
Special to Business Computing World


This article was recently published in Business Computing World.

Reminder: Please join us at the Information Security Summit 2014

Please save the date and plan to join us for this timely forum on what you need to know about the latest security issues, threats, and technologies that will help you protect your business!


May 29, 2014, 8:00AM – 1:00PM

MassBay Community College

50 Oakland Street | Wellesley Hills, MA 02481

Early Bird Special: $35 (before March 1, 2014)

After March 1st: $45

Pre-registration required.


Join us for the 2nd Annual Information Security Summit and discover new ways to lead the creation of the secure digital enterprise!

Featured Topics:

  • User awareness and Training / Social Engineering
  • Cloud and security
  • APT’s (advanced persistent threats)
  • Secure mobile applications and BYOD
  • Risk management and compliance
  • Identity management




Data Security Review Issue 2: Know the Threats


Welcome to Issue 2 of the Data Security Review

It seems that every time you turn around there is a new data security threat in the news, like Cryptolocker and Heartbleed. Our customers are always asking us how to identify the next “big” threat. Our answer is that you cannot keep up with the hackers; they have infinite time. A sound approach is to know your own network and where your critical data lies, then build the controls to protect that data. Vigilance is vital.

– Michelle Drolet, CEO



Read Issue 02 – Know the Threats




The Benefits of Cloud-Based Endpoint Security

The cloud computing revolution is well underway and there are lots of benefits to be realized. According to Awesome Cloud research the industry will be worth more than $150 billion this year, compared to $46 billion just six years ago. Mirroring the general trend for SaaS solutions, cloud-based IT security systems can be an ideal fit for smaller businesses, freeing them from internal IT overhead, cutting complexity, and providing scalability.

Here are five reasons that switching to a cloud-based endpoint security system makes sense for your business:

1. Best practices are built-in and settings are preconfigured

In the past you would have needed someone with specialized skills to configure a feature like HIPS (Host Intrusion Prevention System). Deploying and managing an IT security suite, ensuring that it meets your industry best practices, and configuring it correctly could be a real pain. Many companies are only using a fraction of the security features and functions that they are paying for simply because their IT staff is unable to manually configure the systems. Opt for a cloud-based product and it can be preconfigured to meet all of your needs and standards.

2. Internet security filtering is built-in

Over 90% of attacks originate on the Web, and built-in security filtering protects your users without an individual firewall set-up or configuration for each device. A cloud-based endpoint solution can block known-malicious websites and stop malicious files before they ever land in your inbox. Remember that it only takes one misconfigured firewall to compromise your security.

3. Consolidated Web filtering policy

Teams can be spread across the globe nowadays and it’s common for people to work on the road or from home. How do you spread your security shield wide enough to protect everyone? A cloud-based security system can integrate with your on-premises network gateway and ensure that the same level of protection is present wherever the user is logging on from. Your security policy is automatically enforced when a new connection is made, so there’s no need to backhaul traffic through the office. The same PC security client communicates with the gateway whether it is on the corporate network or outside it, so it can eliminate redundant scanning and prevent legitimate traffic from being slowed down.

4. Licensing, management and reporting per user

You can scale a cloud-based solution to suit your business and only pay for the user licenses that you really need. This provides greater flexibility to scale your business up or down at short notice as required. With management tools you can also institute role-based access and ensure that users only have the access they need, regardless of the device they are logging in on. This provides a real boost to security and it offers oversight and an audit trail that you can examine should anything go wrong.

5. Automated client installation

Forget about sending your IT staff around desk by desk to install and configure the new software. All of that disruption can be avoided with a cloud-based solution that offers automated or user-initiated client installation and remote deployment. You can eliminate downtime and reduce the risk of error.

The prospect of saving time and reducing complexity should be enough to put cloud-based IT security systems on your radar. Consider, also, that they can actually improve the user experience and enable secure remote working. We’re talking about a solution that’s easier to deploy and run than your current setup, a solution that offers up-to-the-minute protection from threats, a solution that delivers business agility. How can you pass that up?


By Michelle Drolet, founder and CEO, Towerwall
Special to Cloud Computing Journal

This article was recently published in Cloud Computing Journal