What is the difference between a vulnerability scan and a penetration test?

---

A common question many client’s may ask, is what is the difference between a vulnerability scan and a penetration test? This blog post will go into addressing the similarities and differences of each activity.

What is a Vulnerability Scan?

A vulnerability scan is a thorough scan and assessment of a network or application. For the purposes of this article, we will assume the context of a client having an assessment of their external perimeter. That is, any assets that are exposed to the Internet that anyone in the world can access.

A vulnerability scan for a client’s external perimeter will generally include all of the IP addresses or FQDNs (Fully Qualified Domain Names) belonging to that client’s organization. This may include all sorts of assets such as the main marketing website, a VPN portal, a web application, and other various services. Lucid Security generally recommends including all assets during a vulnerability scan, especially critical systems. Once the hosts have been provided, it is now time to run the vulnerability scan. A popular vulnerability scanner is Tenable’s Nessus. The scan runtime will vary based on the amount of hosts included by the client, and the complexity of the services that may be running.

From here, the vulnerability scanner will generate a list of all of the potential vulnerabilities and security risks. This is where Lucid Security’s expertise comes into play. From here, our experienced Security Engineers parse through the results to determine the following:

• Is this a false positive?
• Is this truly a security risk?
• What is the true criticality of this vulnerability?

These are just a few questions Lucid Security considers when reviewing the results. At this point, Lucid Security will now compile a list of all of the vulnerabilities and their associated affected assets, and create a custom-tailored report for the client. This report will include the following:

• Complete list of all vulnerabilities.
• Associated criticality of each finding.
• A detailed remediation description to assist in fixing the issue.
• Supplemental information which is not provided by vulnerability scanners.

The report is then sent to the client securely.

---

What is a Penetration Test?

A penetration test has elements of a standard vulnerability scan, but takes it a step further. Again, we will be assuming the scenario is testing an organization’s external perimeter by conducting an external penetration test. A penetration test is a comprehensive assessment of an organizations assets, in this case provided again as IP addresses or FQDNs. The penetration test will have the following phases:

1. Scope verification – All assets provided by the client are rigorously verified as belonging to the client. While the scope provided to the client is generally accurate, it is always possible for a typo to be made or IP addresses to change from previous years assessments. This ensures that testing is true to the organizations intended hosts.
2. Open-Source Intelligence (OSINT) – In this phase, the security team scours the Internet for any potentially sensitive information which may aid in the assessment. This could be usernames, sensitive documents/files, etc.
3. Enumeration of assets – Here the security team begins to actively examine what is running on the hosts. The team will be looking for any open ports or services that can potentially be attacked.
4. Vulnerability Identification – One of the most important phases of an external penetration test is actually identifying the vulnerabilities which may exist. This is crucial for the remediation process for a client.
5. Exploitation – At this phase, the security team will attempt to exploit potential vulnerabilities. This is beneficial to demonstrate impact, as well as potentially uncover additional sensitive information which may aid in follow-on attacks.
6. Reporting – The reporting phase consists of gathering all of the identified vulnerabilities and information during the OSINT phase and ensuring that all the findings are accurate and have remediation steps to aid in fixing the issues. During the reporting phase, the reports are peer-reviewed by a Lucid Security engineer to ensure that all findings are addressed, and the remediation steps are accurate.
7. Debrief – The debrief is generally an 30 minute to an hour long call in which the security team will review the findings with the client. In this phase, the client can ask any questions, address any concerns, and get a detailed and comprehensive understanding of the findings.

Conclusion

While a vulnerability scan and a penetration test both attempt to identify vulnerabilities for a client, the biggest takeaway is that a penetration test goes a few steps further. Both are very important and recommended by Lucid Security to be conducted. Generally, a vulnerability scan should be conducted monthly or quarterly to monitor any new threats that may be introduced in the ever-changing security landscape. While a penetration test is generally recommended to be conducted annually or bi-annually.

How Lucid Security Can Help

Lucid Security has decades of hands-on security experience in vulnerability threat assessments and penetration testing. Our expert security engineers are ready to secure your networks and applications. Reach out today to get started!

External penetration tests often require organizations to safeguard their external perimeter against threats, whether for compliance, banking, or client requirements. However, it can be a daunting task which may have you wondering, “What can go wrong during a penetration test?”. This blog post examines the risks and will empower you to address these issues before kicking off an assessment.

Account Lockouts

Clients often worry about account lockouts during external penetration tests, although such incidents are rare. A proficient security team and penetration tester will consider this risk before each assessment. Lucid Security employs custom methodologies to prevent employee lockouts during assessments. Organizations with unique account lockout policies should inform the security team during kickoff calls to ensure appropriate measures are in place to prevent such issues.

Disruptions and Downtime

Related to account lockouts, disruptions and downtime also pose concerns during penetration tests. These often pertain to system or web application stability. A reputable penetration testing firm will not test for denial of service (DoS) vulnerabilities, as such tests offer little value and can hinder the discovery of other vulnerabilities by rendering the application or host unresponsive. Lucid Security reports potential DoS vulnerabilities without actively testing them to prevent client downtime.

Fear of the Unknown

Undergoing a penetration test can be daunting, particularly when organizations have invested heavily in infrastructure and data security. Lucid Security ensures clients feel comfortable by informing them about testing activities and providing clear, transparent results, embodying the clarity and transparency that is a core value of Lucid Security.

Conclusion

While external penetration tests can present several issues, a skilled security provider will anticipate and address these concerns, working closely with clients to mitigate risks.

Lucid Security’s Assistance

Lucid Security routinely conducts external penetration tests and services for various client sizes. Contact us today to discuss how we can help secure your network.

Lucid Security Engineers regularly encounter HTTP headers during web application or network penetration testing that reveal potentially sensitive information such as application architecture, server versions, or information about the underlying host system. These types of information disclosure vulnerabilities can be utilized by attackers to quickly determine vulnerable server versions and perform more targeted attacks. As a developer, system administrator, or IT manager you probably find these types of findings frustrating! Here’s how to remediate “HTTP Response Header Information Disclosure”:

Nginx

To remove the “Server” or “X-Powered-By” headers for a Nginx server, implement the following:

• In the nginx.conf file, set:
  “server_tokens off”
• In the case of a load balancer, remove the “Server” header from responses
• To completely remove the “Server” header, compile Nginx with the Headers More module and add:
  “more_clear_headers ‘Server’;”

References

https://serverfault.com/questions/214242/can-i-hide-all-server-os-info

https://github.com/openresty/headers-more-nginx-module#readme

Apache

Like Nginx, you can either rewrite the “Server” header value or add an additional module to completely remove it:

• Utilize the URL Rewrite module and configure an outbound rule to change the “Server” header value. This can also be set to a blank value.
• To completely remove the “Server” header, utilize the StripHeaders module to rewrite all HTTP response headers.

References

http://httpd.apache.org/docs/current/mod/mod_headers.html

IIS

Microsoft IIS makes removing HTTP headers pretty easy, with the notable exception of the “Server” header. Luckily we dug around and found a way to do this on Windows Server 2016, 2019 and newer.

• Open the web.config file in the root directory of the site, after <system.web> add:
  <httpRuntime enableVersionHeader="false" />
• To remove the “Server” header (Windows Server 2016/2019), configure requestFiltering in the web.config system.webServer node:

References

https://techcommunity.microsoft.com/t5/iis-support-blog/remove-unwanted-http-response-headers/ba-p/369710

https://www.ibm.com/support/pages/disabling-iis-web-banner-and-other-iis-headers

Conclusion

Fixing information disclosure issues can be painful, but we’re here to help. Hopefully this short post on how to remediate HTTP response header information disclosures was helpful. For up to 90 days after a penetration test, Lucid Security offers free retesting of discovered vulnerabilities. Reach out to us and schedule a security assessment today!

5 default M365 settings to change immediately.

Determining if you should whitelist your penetration testers IP addresses is an important step before an assessment.