Why You Should Know the Difference Between Penetration Testing and Vulnerability Scans?

E. Stephen Lilly
First Community Bancshares, Inc
Member of the WVBankers Operations & IT Committee

With such emphasis being placed on cyber security and protection of systems and customer information, it is critical nowadays for executive management teams, boards of directors, audit committees, and technology steering committees to understand the significance and role of both penetration testing and vulnerability scans in order to adequately protect your institution’s networked systems.  Vulnerability scans and penetration tests are very different from each other; however, both are beneficial and complimentary system scanning techniques used to identify security weaknesses.  If you aren’t performing vulnerability scans and penetration testing in conjunction with one another, security weaknesses in your bank can go unnoticed and not be appropriately addressed, exposing your systems, information, and customers’ funds at risk. 

Vulnerability scans search systems for known vulnerabilities. These types of scans work by rapidly interrogating systems and services to determine types and versions of software and related services as compared against databases of known security and other systemic vulnerabilities.  Mis-matches between system and software configurations within your system are compared revealing what system patches, changes, or replacements need to be made. Vulnerability scans are limited, because they merely identify vulnerabilities and their severity but do not attempt to exploit them.

Penetration testing takes vulnerability scans much further.  This technique simulates what an intruder is able to do by exploiting flaws and configuration issues within your systems.  Penetration tests actually confirm whether identified vulnerabilities and flawed configurations, reflected primarily in vulnerability scans, are actually exploitable and threatening.  Additionally, properly conducted penetration tests also check for other poor security practices, such as inadequate administration of passwords and system credentialing processes.  Penetration tests are the best indicator of what damage could result from unwelcomed intrusions and inadequate vulnerability management.

Vulnerability scans and penetration tests go hand-in-hand in assessing your organization’s entire network security posture.   According to FFIEC Information Security Booklet, results from both vulnerability scans and penetration tests need to be tracked and reported regularly to IT and executive management regardless of whether systems are operated internally or outsourced.  The reporting should prioritize risks and findings in the order of importance, suggest options for remediation and mitigation, and highlight repeated issues. Additionally, reports should address root causes for identified vulnerabilities or weak security practices. The reporting should be directed to individuals with authority and responsibility to act on identified vulnerabilities and to those accountable for the outcomes, as well as those responsible for advising or influencing risk assessment decisions. Reporting should trigger appropriate, timely, and reliable escalation and response to vulnerabilities exceeding the bank’s risk appetite or thresholds. Summary reports should be made available to the board of directors or its designated committees as appropriate to reflect the IT security risk profile and the adequacy of the bank’s vulnerability management processes.

If your executive management team, board of directors, or a designated committee of the board of directors are not regularly assessing and evaluating network vulnerabilities and associated risks, you can expect harsh IT audit and regulatory criticisms.   Formalized vulnerability management programs are now expected regardless of how much outsourcing you have achieved with your bank’s IT network.  Refer to the FFIEC IT Examination Handbook’s Information Security Booklet for general guidance on how to improve your vulnerability management program.  Due to the technical complexity of this area, relying on outside consultation is also a consideration your management team should evaluate. Many banks, even larger ones, do not have the technical expertise on staff to execute and fulfill minimal regulatory guidance.  Obtaining a qualified third party to help you construct a reasonable and suitable vulnerability management framework will go a long way toward assuring your management team and board of directors the proper things are being done to adequately protect customer data and the bank’s systems.

Tags: General