What is the difference between a vulnerability scan and a penetration test (pentest)?

There's a lot of confusion between what a vulnerability scan does versus a pentest. With heightened cyber threats, these terms are popping up more and more in the media. Here's the lowdown on these two important cyber defense tools.

What is a vulnerability scan?

Vulnerabilities are flaws in software that can be exploited by hackers to gain access to your network or sensitive data including protected health information (PHI). Vulnerabilities can be in computer operating systems such as Microsoft Windows XP, 7, 8, 10 or Windows Server. They can be in commonly used software such as Microsoft Office, Adobe Acrobat, Google Chrome or any other software that may be installed on your servers, desktops, laptops and mobile devices. Vulnerabilities can also exist on hardware devices including network firewalls, switches, routers, printers, or any other device that is on the network.

Software and hardware vendors constantly release security patches that remediate or eliminate vulnerabilities found in their products. Identifying the vulnerabilities present on your network gives you the opportunity to apply those patches and close the security weaknesses before they are exploited. Your IT department or IT support vendor will use a vulnerability scan as a guide that explains which systems and software need to be patched or upgraded.

A vulnerability can also be an incorrectly applied setting that unintentionally allows access to software or a network. As an example, RDP (Remote Desktop Protocol) could be unknowingly enabled, which would give hackers a remote login path into your network. We have seen several security incidents related to this issue.
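The RDP misconfiguration described above is exactly the kind of setting a vulnerability scan reports. As an added example (not code from the original article or from Next Century Technologies), this PowerShell audit reads the same settings on a single Windows host: whether Remote Desktop is enabled, whether Network Level Authentication is required, and whether the built-in firewall rules allow it from any source address. It assumes an English-language Windows build (the firewall group is named "Remote Desktop") and an elevated shell.

```powershell
# Added example: audit the RDP settings a vulnerability scan would flag on a Windows host.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop is enabled.
$denyTs = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication (NLA) is required.
$nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

$findings = @()
if ($denyTs -eq 0) {
    $findings += 'Remote Desktop is ENABLED on this host.'
    if ($nla -ne 1) {
        $findings += 'Network Level Authentication is NOT required (UserAuthentication is not 1).'
    }

    # Enabled inbound rules in the built-in "Remote Desktop" firewall group, with the
    # remote address scope each one allows. A scope of "Any" means no source restriction.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        if ($scope -eq 'Any') {
            $findings += "Firewall rule '$($rule.DisplayName)' allows RDP from ANY source address."
        }
    }

    # Confirm a service is actually listening on the default RDP port.
    if (Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue) {
        $findings += 'A service is listening on TCP port 3389.'
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'Remote Desktop is disabled on this host; nothing to report.'
} else {
    Write-Output 'Findings (disable RDP if it is not needed; otherwise require NLA and restrict the firewall scope):'
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A scanner running against the whole network reaches the same conclusion from the outside, which is why the scan and this kind of host-level check complement each other.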

So, in other words, a vulnerability scan and its associated remediation go a long way toward keeping hackers out of your network and can significantly increase the security of sensitive data and PHI. Many HIPAA data breaches have occurred when hackers exploited unpatched systems. For example, Anchorage Community Mental Health Services paid a fine and entered into a settlement agreement with HHS/OCR because it did not patch its computers. All organizations, whether in healthcare or not, should perform vulnerability scans, especially in this day of increased cybersecurity risk.

How often should you do a vulnerability scan?

Vulnerability scans should be performed at least twice a year and immediately following any network upgrades or changes. Your IT vendor or internal IT department should be able to do this for you. If your internal IT department does not have the tools, please contact us at Next Century Technologies and we will be happy to work with them to get the scans completed and help with interpreting the results.

What is a pentest?

A pentest attempts to actively exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible. Pentests can be performed from outside the network, over the internet, or from inside the network to see how hackers could move laterally through the business network to reach critical data and systems. A good pentest will also include social engineering, such as phishing emails and phone calls that try to get staff members to give up key information and/or access to their systems. Pentests are performed by cybersecurity experts and are very hands-on, as the testers try their best to penetrate your network defenses and access key systems. A follow-up report will be produced that outlines their successes and failures.

How often should you do a pentest?

This will vary widely by industry standards and regulations. If you have never done one, it's a very intense test of your IT security. It's very specialized work, and most internal IT teams at smaller organizations won't have the tools or knowledge necessary. If you are interested in a pentest, please contact us at Next Century Technologies and we will be happy to work with you to get tested and help with interpreting the results.

How does a vulnerability scan relate to HIPAA?

As part of the HIPAA Security Rule, HHS/OCR states that "organizations must identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI." Also, "Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of ePHI." Here is yet another example of where compliance with the HIPAA Security Rule is consistent with what your organization should already be doing to reduce cybersecurity risk.

Tracy Hardin

Tracy Hardin is President and founder of Next Century Technologies in Lexington, KY. She has a bachelor's degree in computer science from the University of Kentucky and has earned certifications from Novell, Cisco and CompTIA. Her specialties in the field of IT are network design and security, project management and improving productivity through technology. She loves helping people by sharing her knowledge of tech.