Penetration Testing and Vulnerability Scans Are Essential Cybersecurity Tools
By Richard Osborne
Monday, November 28, 2022

In terms of cybersecurity, every organization exists in a zero-trust environment. Cyberattackers are clever, motivated, and relentless. That means the threats will continue to evolve at warp speed and a potential attack is just around the corner if the organization fails to be ever vigilant. 

So, how does an organization remain ever vigilant? Smart penetration testing is a big part of the answer.

Many, if not most, organizations think that all they need is a strong firewall to keep cyberattackers out of their networks and systems. It’s a logical way to think — but it’s completely wrong. Cyberattackers have an annoying habit of breaching firewalls, which only address the external environment.  

Consequently, organizations need a way to protect their internal environments — once inside, cyberattackers can navigate laterally, for months at a time, looking for all sorts of vulnerabilities that can be exploited for fun and profit. Even scarier is that they potentially could become a system administrator, enabling a cyberattacker to take control of every device operating on the network.  

Often a breach happens as a byproduct of a seemingly benign interaction. Throughout the day, all of us communicate with various websites for various reasons, and data is transmitted continuously. However, if a cyberattacker has compromised the website with which your computer is interacting, you now have unwittingly opened a tunnel into your organization’s networks and systems — and no firewall, no matter how sophisticated, is going to prevent that from happening.

That’s where penetration testing comes into play. It involves discovering the systems that comprise the organization’s communications network and all of the devices that operate on those systems. Once that knowledge is gained, penetration testing then is used to identify all of the vulnerabilities that exist in the overall network, each system, and each device.  

A penetration test simulates how a cyberattacker might gain access to the network environment and what will happen to systems and devices afterward. A thorough penetration test should be conducted at least annually, though quarterly would be better. 

A typical example of a penetration test is to stage a faux phishing exercise by sending an email to your personnel that contains a fake malware attachment. Use a different domain name to identify the test. Then watch what happens, i.e., how many people open the email – which is bad enough – but then open the attachment, thinking that a colleague had sent it, which is even worse. Spoiler alert: this type of penetration test works every time. But armed with this evidence, the organization can do something about it.

Establishing an effective cybersecurity posture is like cooking a delicious stew. A stew has multiple ingredients, and if any of them are missing, the stew isn’t as good — imagine leaving the beef out of a beef stew. Cybersecurity requires continuous network and system monitoring, penetration testing, vulnerability scanning, improved policies and procedures — especially regarding passcode/passphrase management and multifactor authentication — configuration management, and more.   

But while penetration tests and vulnerability scans sound very similar, they are not the same thing.

What’s the difference? 

Penetration tests first are used to discover the systems that comprise the organization’s communications network and the devices that operate on those systems. Once that knowledge is gained, penetration tests are used to identify the vulnerabilities in the overall network, each system, and each device that would enable a cyberattacker to access the environment and then create havoc by exploiting those vulnerabilities.  

Penetration tests are critical to every organization’s cybersecurity posture. So too, are vulnerability scans. But while penetration tests and vulnerability scans sound similar, they are quite different.  

Penetration tests simulate how a cyberattacker might gain access to the network environment and then what will happen to systems and devices afterward. Such tests are done manually and should be conducted quarterly, annually at a minimum. In contrast, vulnerability scans are automated processes that dive more deeply into the identified vulnerabilities to better understand why they exist — such understanding is the key to eliminating each vulnerability.  

For example, vulnerability scans can be used to discern whether patch management is being conducted regularly, firewalls are configured correctly, or devices and applications exist that shouldn’t. Vulnerability scans work hand in hand with penetration tests. In fact, nearly every penetration test we’ve conducted has resulted in our advising the client to follow up with a vulnerability scan — which enables the organization to analyze what it learned from the penetration test.  

Here's a way to think about the differences between penetration tests and vulnerability scans: a burglar will case a home to determine how to enter it and how easy it will be. The burglar will check for unlocked windows and doors and whether the house has an alarm system or security cameras — that’s a penetration test. Once inside, the burglar will move from room to room to see where the most significant opportunities for mischief exist — that’s a vulnerability scan.   

Unfortunately, we often see that once a penetration test is completed, the report sits on a shelf or desk, never to be opened. The more critical aspect of this due-diligence exercise — the vulnerability scan — is never conducted. That’s a big mistake. Vulnerability scans should be performed every week to make it as difficult as possible for cyberattackers to do what they do. Cyberattackers constantly evolve their tactics, and new devices and applications are continually added to systems, increasing cybersecurity vulnerabilities. This becomes exponentially more vexing whenever known vulnerabilities in commonly used platforms and applications are spread widely throughout the cyberattacker community.
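As an added example (not the author's or Mission Critical Partners' code), here is how a defender can turn two consecutive weekly scan snapshots into the checks the article names: devices that should not be there, newly exposed services, and patch management that has fallen behind. The host addresses, scan data, asset inventory and 30-day patch policy are all constructed for the illustration.

```python
from datetime import date

# Constructed sample data (not real scan output): last week's and this week's
# snapshots, keyed by host, with open services and the last patch date seen.
LAST_WEEK = {
    "10.0.1.10": {"services": {22, 443}, "patched": date(2022, 11, 1)},
    "10.0.1.11": {"services": {3389}, "patched": date(2022, 9, 15)},
}
THIS_WEEK = {
    "10.0.1.10": {"services": {22, 443, 8080}, "patched": date(2022, 11, 1)},
    "10.0.1.11": {"services": {3389}, "patched": date(2022, 9, 15)},
    "10.0.1.42": {"services": {23, 80}, "patched": None},   # appeared this week
}
INVENTORY = {"10.0.1.10", "10.0.1.11"}  # constructed list of authorized assets
PATCH_POLICY_DAYS = 30                  # hypothetical patch-management policy


def triage(prev, curr, inventory, today, policy_days=PATCH_POLICY_DAYS):
    """Compare two scan snapshots and return (host, finding) pairs."""
    findings = []
    for host, info in curr.items():
        # A device the scan sees that the inventory does not know about.
        if host not in inventory:
            findings.append((host, "unauthorized_device"))
        # Services exposed now that were not exposed last week (or a new host).
        new_ports = info["services"] - prev.get(host, {}).get("services", set())
        if new_ports:
            ports = ",".join(str(p) for p in sorted(new_ports))
            findings.append((host, "new_services:" + ports))
        # Never patched, or last patched longer ago than the policy allows.
        patched = info["patched"]
        if patched is None or (today - patched).days > policy_days:
            findings.append((host, "patch_overdue"))
    return findings


def weekly_report(today=date(2022, 11, 28)):
    """Run the triage on the constructed snapshots for a fixed 'today'."""
    return triage(LAST_WEEK, THIS_WEEK, INVENTORY, today)


if __name__ == "__main__":
    for host, finding in weekly_report():
        print(f"{host:<12} {finding}")
```

Run weekly, the diff against the previous snapshot is what makes the new host and the new port stand out instead of being buried in a full scan report.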

Even when vulnerability scans are conducted, the organization often lacks the cybersecurity and information technology (IT) resources required to understand the findings and then craft suitable strategies for addressing them. This is particularly true of smaller organizations and those in the public sector, which traditionally have struggled to compete with private-sector organizations for such resources. In such cases, outsourcing such activities to a third party with considerable cybersecurity expertise is a sound strategy.

Richard Osborne is director of commercial services for Mission Critical Partners, a firm that provides consulting, management, and cybersecurity solutions to public-sector organizations. Email him at 
