January 27, 2021
Which is which, and how are the two methods used together? Holm Security explains. Vulnerability management and penetration testing are both very important methods for maintaining a high level of IT security in your organization. But when should you use which method, and what are the differences and benefits? It is not easy to tell these methods apart and to know what should be done, and when.
As digitization expands, our IT environments keep growing and become more and more complex. At the same time, exposure to different types of vulnerabilities increases. To detect and fix these before an attacker uses them, regular checks and tests are required. Two methods that protect your systems in different but important ways are vulnerability management and penetration testing.
Vulnerability management, or vulnerability scanning, consists of automated and continuous scans that identify and classify vulnerabilities in servers, computers, networks, and applications. This is done by matching the systems against known vulnerabilities. The most common finding is outdated systems. In a small IT environment it may seem quite easy to ensure that all systems are up to date, but in larger environments with hundreds or maybe thousands of systems it is a significantly bigger challenge. An advantage of vulnerability management is that it is done entirely objectively, without any personal preferences.
It is common to say that vulnerability management has two different scan levels: unauthenticated scans and authenticated scans. In most cases these levels are implemented in two steps: first unauthenticated scans, then authenticated scans. The reason for this order is that, from a security point of view, it is a higher priority to fix vulnerabilities that can be exploited with external access alone, without any credentials.
Unauthenticated scans are done from the internet or through locally installed scanners. No login or agent is required for this method. These scans are important because they find the vulnerabilities an attacker would use to get into your system.
Scans of this kind should be done as often as possible, since hundreds of new vulnerabilities appear every week. A common frequency is weekly scans. On-demand scans should also be run when major changes are made to a system and before new systems are deployed.
Authenticated scans are performed by allowing the scanner to access the system as a privileged user. This gives the scanner more in-depth information and lets it detect more threats from within, such as weak passwords, malicious software, installed applications, and configuration issues. The method can simulate what damage a system user with specific privileges could cause.
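As an added example that is not part of Holm Security's article or product, the following Python sketch shows the matching step described above: a constructed inventory is compared against a constructed list of known vulnerabilities (each given as the first fixed version), and the findings are ordered so that systems reachable at the unauthenticated scan level come first, following the priority order the article gives. All hosts, product names and advisory identifiers are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:            # one scanned system
    host: str
    product: str
    version: str
    scan_level: str     # "unauthenticated" (reachable from outside) or "authenticated"

@dataclass(frozen=True)
class Advisory:         # a known vulnerability, expressed as the first fixed version
    product: str
    fixed_in: str
    summary: str        # constructed placeholder text, not a real advisory

def parse_version(v):
    """'2.4.49' -> (2, 4, 49); non-digit characters in a part are dropped."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_outdated(installed, fixed_in):
    """True when the installed version predates fixed_in (pad to equal length)."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def match(assets, advisories):
    """Match inventory against advisories; externally reachable findings sort first."""
    findings = [
        {"host": a.host, "product": a.product, "version": a.version,
         "scan_level": a.scan_level, "fix": adv.fixed_in, "summary": adv.summary}
        for a in assets for adv in advisories
        if adv.product == a.product and is_outdated(a.version, adv.fixed_in)
    ]
    findings.sort(key=lambda f: (f["scan_level"] != "unauthenticated", f["host"]))
    return findings

# Constructed sample inventory and advisory list (no real products or advisory ids).
ASSETS = [
    Asset("www-1", "webserver", "2.4.49", "unauthenticated"),
    Asset("www-2", "webserver", "2.4.51", "unauthenticated"),
    Asset("db-1", "dbserver", "13.2", "authenticated"),
]
ADVISORIES = [
    Advisory("webserver", "2.4.51", "ADV-0001 (constructed): fixed in 2.4.51"),
    Advisory("dbserver", "13.3", "ADV-0002 (constructed): fixed in 13.3"),
]
```

Calling match(ASSETS, ADVISORIES) returns the two outdated systems, with the externally reachable www-1 listed before db-1 and the patched www-2 absent.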
A penetration test, or pentest, is performed by one or several persons with extensive knowledge of IT security, often called penetration testers. A penetration tester is usually hired as a consultant to provide a more objective assessment of the environment. The penetration tester usually uses a variety of tools to find and test systems for vulnerabilities, and has greater adaptability than automated vulnerability management performed by a computer. Often, the first step in the penetration testing process is a vulnerability scan.
Penetration tests are usually not performed as often as vulnerability management, but should be done annually or more frequently. Just as for vulnerability management, changes in your IT environment, such as releasing a sensitive system, might call for additional penetration testing.
When hiring a penetration tester, it is important to ask for practical experience, especially experience with similar environments and the ability to think and act from an attacker's perspective. It is also important that the person is careful, accurate, and has good communication skills, so that you get a full understanding of the results and the actions needed.
A common problem with penetration tests is that follow-up and the required actions are down-prioritized by the organization as soon as the penetration tester has finished the assignment. This is also why continuous and automated vulnerability management is important: it complements penetration testing and ensures that vulnerabilities are detected frequently and over time.
Area | Vulnerability management | Penetration testing
--- | --- | ---
Method | Performed automatically and continuously. | Performed by an IT security specialist, usually a consultant.
Frequency | Weekly or daily, depending on how sensitive the system is. Sometimes lighter scans are done more frequently and in-depth scans less frequently, for example monthly. | Once or twice a year, and in connection with significant changes in your IT environment.
Reports | Provides a comprehensive overview of which vulnerabilities exist and how the situation has developed since the last report. Reports for both technicians and management. | Provides detailed information about which information is compromised and what security measures you need to take.
Focus | Detects known vulnerabilities that might be exploited. | Detects unknown vulnerabilities.
Target | Detects vulnerabilities and helps you fix these before an attacker does. | 
Advantage | Provides a lot of insight into and overview of IT security with little effort and at a low cost. | A penetration tester, in comparison to an automated system, is able to draw conclusions and analyse systems in a methodical manner.