By: Darren Hulem | Network Administrator Auditor

In the movies, hackers sit in front of a computer typing a few lines of code and suddenly they have access to all of the victim company’s systems. While cybercrime does not happen like it is portrayed in the movies, it has become a common theme in recent years affecting both large and small organizations. Some of the most notable organizations impacted by cybercrime and generating national attention include Uber, Yahoo, Equifax, the City of Atlanta, and most recently Marriott among others. Unfortunately, Verizon’s 2018 Data Breach report found that over half (58%) of security breaches now affect small organizations. Further, in their 2018 cyber readiness report, a cyber insurer for small businesses, Hiscox found the average cost of a cyber incident for a small business is $34,604, not including the possible loss of customers or donors. To mitigate the possibly of a cyber incident, organizations of every size are now conducting vulnerability scanning and penetration testing of their network to protect their data assets.

Vulnerability Scanning vs. Penetration Testing

While they are often confused and misunderstood, vulnerability scanning and penetration testing are both important for a strong security posture and should be utilized together. Most organizations run vulnerability scans on a much more frequent basis, while opting to run specialized penetration testing occasionally.

Utilizing software that accesses databases of known vulnerabilities, vulnerability scans identify possible weaknesses in the network before they can be exploited. Multiple vendors offer vulnerability scanning software packages, but the most effective ones update the database of known vulnerabilities frequently. Scans are performed both internally and externally, but only check for outdated versions of operating systems, insecure configuration settings and application security flaws. External scans are recommended on a quarterly basis and when new policies, configurations, or hardware are added or removed from the network.

By contract, penetration testing is an authorized, simulated attack on the network with the purpose of finding any vulnerabilities or weaknesses and exploiting them. This testing is most effective when conducted by an external party (vs. in-house IT support) because they have little or no prior knowledge of potential network weaknesses. While penetration testing cannot cover everything, it can be broken down into multiple categories. The three most important categories are discussed below.

Network testing covers a wide range of systems and devices. This can include testing a password policy using a database of commonly used passwords to determine if a user’s passwords can be easily compromised. If an organization has an intrusion detection system or intrusion prevention system, a penetration tester may also attempt to bypass detection. Another device that may be tested is the organization’s firewall. The penetration tester may scan to find any openings in the firewall due to out-of-date access lists or lists that were set up incorrectly. Organizations may also specify testing of a particular application such as an exchange or email server that connects through the network.

Web application testing evaluates the client’s website to determine whether any plug-ins, applets, or scriptlets may be exploited. A commonly performed web application test, cross-site scripting (XSS) uncovers whether an attacker has injected malicious script into a website. Penetration scanning professionals often witness this occurring with OneDrive. A potential victim receives a phishing email asking the user to log into their OneDrive account to view a file. Once the victim clicks the link and enters his or her credentials, the information is sent to the attacker who then sends the victim to their OneDrive account. In the end, the user does not realize there is a problem because he or she has been redirected to the intended site (OneDrive) after providing their username and password. Unfortunately, the damage is done.

Social testing covers dumpster diving, intimidation, and gaining physical access to the infrastructure. The most common testing involves phishing schemes designed by penetration testers to fool internal staff. These targeted campaigns test employees’ ability to determine legitimate emails from phishing, and allow management teams to determine whether the organization is at risk and what level of training is required.

Penetration testing is so highly specialized that no one software that can do it all. Therefore, penetration testers will use a variety of software to detect weaknesses and use that information to enter and exploit network. The high level of specialization required for penetration testing prompts many organizations to run testing far less frequently and opt for vulnerability scanning on a more frequent basis. Each organization is different, however, and management should consider a variety of factors to determine the right course of action to protect their network and data.

Vulnerability scanning and penetration testing work best when combined and included in the organization’s IT operating policies and procedures.  Although vulnerability scanning only is much more common for small- and medium-sized organizations, penetration testing is still recommended on a yearly basis. To identify specific risks within your organization, start with benchmarking your cybersecurity posture with a cost-effective Cybersecurity Scorecard.  For questions about vulnerability scanning, penetration testing, and cybersecurity best practices, contact Ricardo Trujillo, CPA, CITP, CISA, Partner at or 301-951-9090.