We are constantly confronted with news of cyberattacks that cause profound damage to organizations, for example by exposing confidential information on the web. The damage can be financial, such as the payment of a ransom; operational, when the attack directly affects production and response capacity; or reputational, when it undermines the trust that customers and partners place in the organization.
To prevent cyberattacks, organizations seek to identify their vulnerabilities, correct them, and become more secure. Vulnerabilities can be detected through a Vulnerability Scan or a Pentest.
A Vulnerability Scan, or Vulnerability Assessment, uses tools that automate the search for known vulnerabilities in the software versions and configuration of a system.
A Vulnerability Scan can be internal or external. An External Vulnerability Scan is run from outside the perimeter of the organization's network, to determine the exposure of the servers and applications that can be reached directly over the Internet.
An Internal Vulnerability Scan is run from inside the network and aims to identify flaws that an attacker who has gained a foothold on the local network could exploit to move laterally to other systems and servers.
Any Vulnerability Scan program should begin with mapping and inventorying the organization's systems and classifying their importance based on the access they provide and the data they hold.
The Information System is then scanned to determine whether security settings have been enabled and applied properly and whether the applicable patches have been installed.
A Vulnerability Scan does not exploit the vulnerabilities it finds and does not simulate a real attack; it only identifies them. Because nothing is confirmed by exploitation, the results include false positives.
The focus is on finding vulnerabilities rather than on understanding the true severity of each one.
Pentest is the short form of Penetration Testing, which can be performed externally or internally.
An External Pentest is a simulated attack carried out from outside the organization's network (from the Internet). The main objective is to find out whether an external attacker can access the resources of the organization's Information System, how far they can go, and what damage they can cause.
An Internal Pentest is carried out from inside the organization's network. It simulates attacks by legitimate users with standard access privileges, or by third parties who have obtained such access.
In both cases, Pentest is an attack simulation that aims to validate the effectiveness of security controls/mechanisms in each environment (scope).
A Pentest identifies the risks that arise from exploiting the vulnerabilities found, by exploiting them in a controlled way and observing the resulting impact.
Unlike a Vulnerability Scan, a Pentest includes a manual testing component that allows the tester to go deeper and be more precise about the consequences that malicious exploitation of a particular finding could have. When a Pentest examines a vulnerability for a specific purpose, the question is whether an attacker could actually exploit it and take control of the system.
A Pentest is not recommended for organizations that have no ISMS in place or are only at the initial stage of implementing one. In that case the cost is high relative to the benefit, and the report would contain little information the organization could act on.
It is important to remember that Vulnerability Scan and Pentest complement each other. Although they are different processes, they share the goal of identifying and assessing an organization's security vulnerabilities. A Vulnerability Scan is an automated process based on a database of known vulnerabilities, such as CVE / NVD, and does not normally include exploitation of the identified flaws.
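As an added illustration (not code from the original article), the following Python script mimics the core of an automated Vulnerability Scan as described above and in the paragraph on false positives: it matches version banners from an inventory against a database of known-vulnerable version ranges (standing in for CVE / NVD feeds) and a configuration baseline, ranks the findings by the asset classification from the inventory step, and never exploits anything. All hosts, products, versions, settings and advisory identifiers are constructed, and the advisory IDs are not real CVEs; the `backported_fixes` field is hypothetical ground truth that a scanner cannot see, included to show why banner matching yields false positives that only manual verification, as in a Pentest, can clear.

```python
"""Toy version-matching vulnerability scanner (constructed example).

It does what an automated scan does: compare a service inventory against a
database of known vulnerable version ranges and a configuration baseline,
without exploiting anything. Every host, product, version and advisory ID
below is made up; the advisory IDs are not real CVEs.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Advisory:
    id: str                  # constructed identifier, standing in for a CVE/NVD entry
    product: str
    affected_below: str      # versions strictly below this are affected
    affected_from: str = "0"
    severity: str = "high"


@dataclass
class Asset:
    host: str
    tier: str                # from the inventory/classification step
    services: dict           # product -> version banner as seen on the wire
    settings: dict = field(default_factory=dict)
    # Hypothetical ground truth the scanner cannot see from a banner: fixes
    # the vendor backported without bumping the version number.
    backported_fixes: set = field(default_factory=set)


# Constructed vulnerability database
VULN_DB = [
    Advisory("ADV-0001", "acmehttpd", affected_below="2.4.50", severity="critical"),
    Advisory("ADV-0002", "acmessh", affected_below="8.0", affected_from="7.0"),
]

# Constructed configuration baseline: setting -> (expected value, severity)
CONFIG_BASELINE = {
    "password_auth": (False, "medium"),   # key-based logins only
    "tls_min_version": ("1.2", "medium"),
}

# Constructed inventory of three hosts
INVENTORY = [
    Asset("web-01", "critical", {"acmehttpd": "acmehttpd/2.4.49"},
          {"tls_min_version": "1.0"}),
    Asset("bastion", "critical", {"acmessh": "AcmeSSH_7.4p1 Debian-10+deb9u7"},
          {"password_auth": True}, backported_fixes={"ADV-0002"}),
    Asset("lab-03", "lab", {"acmessh": "AcmeSSH_8.2"}, {"password_auth": True}),
]

TIER_RANK = {"critical": 0, "internal": 1, "lab": 2}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(banner):
    """Leading dotted numeric version of a banner: 'AcmeSSH_7.4p1 Debian-...' -> (7, 4)."""
    m = re.match(r"\D*(\d+(?:\.\d+)*)", banner)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


def is_affected(version, adv):
    """Range check on version tuples; distro suffixes were already stripped."""
    return parse_version(adv.affected_from) <= version < parse_version(adv.affected_below)


def scan(inventory, vuln_db, baseline=CONFIG_BASELINE):
    """Return findings sorted by asset tier and severity. Nothing is exploited."""
    findings = []
    for asset in inventory:
        for product, banner in asset.services.items():
            version = parse_version(banner)
            for adv in vuln_db:
                if adv.product == product and version and is_affected(version, adv):
                    findings.append({"host": asset.host, "tier": asset.tier, "kind": "missing_patch",
                                     "id": adv.id, "severity": adv.severity, "evidence": banner})
        for key, (expected, severity) in baseline.items():
            if key in asset.settings and asset.settings[key] != expected:
                findings.append({"host": asset.host, "tier": asset.tier, "kind": "misconfiguration",
                                 "id": key, "severity": severity, "evidence": asset.settings[key]})
    findings.sort(key=lambda f: (TIER_RANK[f["tier"]], SEVERITY_RANK[f["severity"]]))
    return findings


def false_positives(findings, inventory):
    """Findings that an exploitation attempt would refute because the fix was backported."""
    backported = {(a.host, adv) for a in inventory for adv in a.backported_fixes}
    return [f for f in findings if (f["host"], f["id"]) in backported]


if __name__ == "__main__":
    results = scan(INVENTORY, VULN_DB)
    for f in results:
        print(f"{f['host']:8} {f['tier']:9} {f['severity']:9} {f['kind']:17} {f['id']}  ({f['evidence']})")
    print("findings needing manual verification:",
          [(f["host"], f["id"]) for f in false_positives(results, INVENTORY)])
```

The bastion host is reported as missing a patch because its banner still says 7.4 even though the vendor backported the fix; the scanner only sees the banner and cannot tell the difference, which is exactly the kind of false positive that exploitation-based testing removes. Note also that the ranking uses the asset tier from the inventory step, so the same medium-severity misconfiguration on a critical host sorts above one on a lab host.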
A Pentest is a more complex process that includes manual probing and exploitation by security professionals, to simulate what an attacker would do. Adding manual techniques to the automated process makes it possible to reduce "false positives" and to assess more accurately the risk represented by each vulnerability.