
Tenable Blog


How Vulnerability Scanning Is Used for Penetration Testing

By the time a data breach occurs, it may be too late to measure the effectiveness of your vulnerability management program. Penetration testing can help detect weaknesses – before threat actors do. Here’s how to get started.

Looking to proactively measure the effectiveness of your vulnerability management program? How can you assess the strengths and weaknesses of your program before a data breach occurs? 

Penetration testing – of which vulnerability scanning is a key component – can help your organization find weaknesses, allowing you to resolve them before threat actors can exploit them. 

Gauge your vulnerability assessment maturity

If you’re unsure of the maturity of your vulnerability assessment and management program, check out this short What’s Your Cyber Defender Style? quiz to see how your organization’s cybersecurity practices rank. You can also get more information about the maturity of your organization’s vulnerability assessment practices in the Cyber Defender Strategies report.

Before delving into the critical role vulnerability scanning plays within penetration testing, let’s define its purpose and how it differs from vulnerability management and assessment.

What is penetration testing?

Penetration testing is a stand-alone activity, typically repeated quarterly or annually and performed by a third party. Unlike a scan, a penetration test attempts to exploit and chain the weaknesses it finds the way an attacker would. The primary objective is to give organizations independent insight into the effectiveness of their vulnerability assessment and management processes.

Penetration tests generally consist of five phases: 

  1. Initial engagement: Selecting a firm to conduct the penetration test and outlining goals and expectations
  2. Scoping: Establishing the targets, methodology and boundaries for the test
  3. Testing: Conducting the penetration test based on agreed-upon parameters
  4. Reporting: Reviewing the findings from the penetration test
  5. Follow-up: Tracking remediation progress and retesting

Tip: During the scoping phase, it’s best to share results from your organization's vulnerability management program, so the third-party penetration tester has a baseline to draw accurate conclusions on the efficacy of your program.

The difference between penetration testing and vulnerability management

Penetration testing sheds light on whether the vulnerability assessment and management program is working correctly and indicates areas for improvement. For example, a penetration test provides a point-in-time view of which known vulnerabilities are present in an environment and which of them an attacker could actually exploit. Vulnerability management, on the other hand, is ongoing and continuous.

The organization’s cybersecurity operations team is responsible for vulnerability management. They inform, drive, prioritize and verify vulnerability remediation for an organization. For this reason, the security team should perform vulnerability scans as frequently as operationally possible because the list of known vulnerabilities changes from day to day, as does their threat level.

Where does vulnerability scanning fit in?

During the testing phase of a penetration test, depending on the scope, the tester will perform vulnerability scans across an organization’s entire attack surface or a specifically targeted subset. The latter could include, but is not limited to: external networks, internal networks, cloud assets, web applications, IoT and/or OT. 

These tests take two primary approaches: 

  1. Blackbox testing, where no information is shared with the tester, who starts from the same position as an outside attacker
  2. Whitebox testing, where all information about the target (architecture, documentation, credentials, prior scan results) is shared with the tester

In practice many engagements sit in between (greybox), with partial information such as a network diagram or a low-privilege account shared up front.

Nessus Professional, the most widely used vulnerability scanner in the world, can assist with both of these test types as it provides out-of-the-box templates for both credentialed and non-credentialed scanning.

Vulnerability scanning in blackbox testing

When scanning for vulnerabilities as part of blackbox testing, network sweeps are typically performed without credentials, using Internet Control Message Protocol (ICMP) echo requests, Transmission Control Protocol (TCP) probes to commonly open ports or Address Resolution Protocol (ARP) requests. ARP discovery only works when the scanner sits on the same layer-2 segment as the targets, which is one reason scanner placement matters. Once an asset is discovered, the scan queries any open network ports on the device to collect: 

  • Operating system information about the device, fingerprinted from how its network stack and services respond
  • The network services running on the device, and the version strings or banners they expose
  • The network-based vulnerabilities on the device, inferred largely from those banners and from how the services respond to probes

This information is then used to determine the vulnerabilities that reside on the target that may be susceptible to remote exploitation, which is particularly problematic for assets on an external network.

Vulnerability scanning in whitebox testing

Vulnerability scanning during whitebox testing is usually a lot more targeted, as all the information about the target is already known. This scan would typically be a credentialed vulnerability and configuration scan, whereby the scanner remotely logs in to an asset (for example over SSH or SMB, with an account that has enough privilege to read installed-package and patch data) and assesses any vulnerabilities or configurations that may be susceptible to exploitation by both local and remote attacks. Because it reads installed package versions and patch levels directly rather than inferring them from banners, a credentialed scan also recognises vendor backports that a non-credentialed scan would misreport as vulnerable, and it finds local privilege-escalation issues that no remote probe can see.
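The contrast between the two scan types above, as an added example (this is not code from the Tenable post or from Nessus). It stands up a constructed "target" on loopback that greets with SSH- and SMTP-style banners, runs a non-credentialed TCP connect sweep against it, and infers a finding from the OpenSSH version string alone. It then runs the package-level check a credentialed session would do, over constructed `dpkg-query` output. The advisory data (an "OpenSSH below 7.5" threshold and a backported package fix in `1:7.4p1-10+deb9u4`) is illustrative, not a real CVE entry, and `version_key` is a simplified version ordering, not a full port of dpkg's algorithm.

```python
import re
import socket
import threading

# Constructed "target": greeting-first services (SSH and SMTP send a banner on
# connect), served from a local thread so the example runs offline.
FAKE_SERVICES = {
    "ssh": b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
}

# Constructed, illustrative advisory data (not a real CVE): the remote check
# knows only "OpenSSH below 7.5 is affected"; the package-level check knows
# the distro backported the fix into 1:7.4p1-10+deb9u4.
REMOTE_FIXED_UPSTREAM = {"OpenSSH": "7.5"}
PACKAGE_FIXED_VERSION = {"openssh-server": "1:7.4p1-10+deb9u4"}

# Constructed output of: dpkg-query -W -f='${Package} ${Version}\n'
DPKG_OUTPUT = """\
openssh-server 1:7.4p1-10+deb9u7
postfix 3.1.15-0+deb9u1
"""

BANNER_RE = re.compile(r"OpenSSH_(\d+\.\d+)")


def start_fake_target(services):
    """Listen on ephemeral loopback ports; return {port: banner} as bound."""
    bound = {}
    for banner in services.values():
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(5)
        bound[srv.getsockname()[1]] = banner

        def serve(srv=srv, banner=banner):
            while True:
                try:
                    conn, _ = srv.accept()
                except OSError:
                    return
                with conn:
                    conn.sendall(banner)

        threading.Thread(target=serve, daemon=True).start()
    return bound


def sweep(host, ports, timeout=1.0):
    """Non-credentialed discovery: TCP connect to each port, keep the greeting."""
    found = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    found[port] = s.recv(256).decode(errors="replace").strip()
                except socket.timeout:
                    found[port] = ""  # open, but no unsolicited banner
        except OSError:
            pass  # refused or filtered: treat as closed
    return found


def version_key(v):
    """Simplified dpkg-style ordering (epoch, upstream, revision); digit runs
    compare numerically. Adequate for these inputs, not a full dpkg port."""
    epoch, _, rest = v.rpartition(":")
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    runs = lambda s: [(1, int(t)) if t.isdigit() else (0, t)
                      for t in re.findall(r"\d+|\D+", s)]
    return (int(epoch or 0), runs(upstream), runs(revision))


def remote_findings(banners):
    """Banner-only inference: flags any OpenSSH older than the upstream fix,
    which is exactly how backported fixes turn into false positives."""
    hits = []
    for port, banner in banners.items():
        m = BANNER_RE.search(banner)
        if m and version_key(m.group(1)) < version_key(REMOTE_FIXED_UPSTREAM["OpenSSH"]):
            hits.append((port, "OpenSSH", m.group(1)))
    return hits


def credentialed_findings(dpkg_output):
    """Package-level check from a logged-in session: compares the installed
    package version with the distro's fixed version, so backports count."""
    hits = []
    for line in dpkg_output.splitlines():
        pkg, ver = line.split()
        fixed = PACKAGE_FIXED_VERSION.get(pkg)
        if fixed and version_key(ver) < version_key(fixed):
            hits.append((pkg, ver))
    return hits


def compare_views():
    """Run both views against the fake target and return them side by side."""
    bound = start_fake_target(FAKE_SERVICES)
    probe = socket.socket()  # grab a loopback port that is currently closed
    probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()[1]
    probe.close()
    banners = sweep("127.0.0.1", sorted(bound) + [closed])
    return {
        "open_ports": sorted(banners),
        "remote": remote_findings(banners),
        "credentialed": credentialed_findings(DPKG_OUTPUT),
    }


if __name__ == "__main__":
    print(compare_views())
```

Run stand-alone it reports two open ports, one banner-derived OpenSSH finding, and an empty credentialed list: the same host, scanned with credentials, shows the installed package already carries the backported fix. That gap is the finding a tester has to close by hand when working blackbox, and it is why sharing vulnerability management results during scoping (as the tip above suggests) saves verification time.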

How can Nessus Professional help with penetration testing?

Nessus Professional has built-in templates you can use to perform both blackbox and whitebox tests quickly and easily. These templates enable credentialed, non-credentialed and configuration scanning, which support several compliance frameworks: CIS, HIPAA, DISA STIG and many others. 

Tailor templates to suit the required level of testing

You can customize the templates to suit the level of testing required. For instance, you can decide whether the scan should err toward fewer false positives (report only what it can confirm) or fewer false negatives (report anything that might be affected). 

Nessus Professional, by default, reports only vulnerabilities it is confident exist, which keeps false positives low. During a penetration test, this may not be the desired output: the tester may instead want to collect information on every possible vulnerability and then perform manual testing to eliminate false positives from the results. In Nessus this is controlled by the Report paranoia setting in the scan's Assessment settings; raising it to Paranoid reports findings the plugins cannot confirm, at the cost of more noise to verify by hand. 

Also, Nessus Professional, by default, is configured to perform only safe checks, meaning plugins that could crash or disrupt a service are not run. This keeps the scans carried out as part of the penetration test from causing damage or downtime to the targets, though fragile embedded, OT or legacy systems can still react badly to ordinary probing, so they should be scoped and scheduled with care, and safe checks should only be disabled with explicit agreement during scoping. The data collected during the vulnerability scans can easily be exported to assist the penetration tester in building their report, using metrics like CVSS to help the organization understand the criticality of the findings.
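Turning an export into report material, as an added example (not code from the Tenable post or from Nessus). It parses the `.nessus` XML format (`NessusClientData_v2`, one `ReportHost` per target, one `ReportItem` per finding with a `cvss_base_score` and `risk_factor`), drops informational plugins, and collapses per-host rows into one finding per plugin ranked by CVSS and by how many hosts it affects. The embedded export is a constructed, minimal sample: the plugin IDs, plugin names and scores are placeholders, not real Nessus plugins, and real exports carry more children per item (description, solution, cve, see_also).

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, minimal .nessus (NessusClientData_v2) export. Plugin IDs,
# names and scores are placeholders, not real Nessus plugins.
SAMPLE_NESSUS = """\
<NessusClientData_v2>
  <Report name="constructed sample">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Linux (constructed)</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
          pluginID="900001" pluginName="Placeholder: SSH version below fixed release">
        <risk_factor>Medium</risk_factor>
        <cvss_base_score>5.3</cvss_base_score>
        <plugin_output>Remote version : 7.4</plugin_output>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="4"
          pluginID="900002" pluginName="Placeholder: TLS library memory disclosure">
        <risk_factor>Critical</risk_factor>
        <cvss_base_score>9.8</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
          pluginID="900003" pluginName="Placeholder: scan information">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <HostProperties><tag name="host-ip">10.0.0.6</tag></HostProperties>
      <ReportItem port="8443" svc_name="www" protocol="tcp" severity="4"
          pluginID="900002" pluginName="Placeholder: TLS library memory disclosure">
        <risk_factor>Critical</risk_factor>
        <cvss_base_score>9.8</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """One dict per non-informational ReportItem (severity 0 is scan metadata)."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        props = {t.attrib["name"]: t.text for t in host.iter("tag")}
        for item in host.iter("ReportItem"):
            severity = int(item.attrib["severity"])
            if severity == 0:
                continue
            yield {
                "host": host.attrib["name"],
                "os": props.get("operating-system", "unknown"),
                "port": f'{item.attrib["port"]}/{item.attrib["protocol"]}',
                "plugin_id": item.attrib["pluginID"],
                "name": item.attrib["pluginName"],
                "severity": severity,
                "risk": item.findtext("risk_factor", default="None"),
                "cvss": float(item.findtext("cvss_base_score", default="0")),
                "evidence": (item.findtext("plugin_output") or "").strip(),
            }


def severity_counts(findings):
    """Counts by Nessus risk factor, for the report's executive summary."""
    return dict(Counter(f["risk"] for f in findings))


def group_for_report(findings):
    """Collapse per-host rows into one finding per plugin with its affected
    hosts, ordered by CVSS base score, then by how many hosts it hits."""
    grouped = {}
    for f in findings:
        g = grouped.setdefault(f["plugin_id"], {
            "name": f["name"], "cvss": f["cvss"], "risk": f["risk"], "affected": []})
        g["affected"].append(f'{f["host"]}:{f["port"]}')
    return sorted(grouped.values(),
                  key=lambda g: (-g["cvss"], -len(g["affected"]), g["name"]))


if __name__ == "__main__":
    rows = list(parse_nessus(SAMPLE_NESSUS))
    print(severity_counts(rows))
    for g in group_for_report(rows):
        print(f'{g["cvss"]:>4} {g["risk"]:<8} {g["name"]}  ->  {", ".join(g["affected"])}')
```

Grouping by plugin rather than by host is deliberate: a report reader wants "one TLS issue, two hosts affected", not the same paragraph repeated per host, and the `evidence` field carries the plugin output the tester needs when deciding which findings to verify manually before they go into the final document.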

The data collected during these tests can also be used to drive other key aspects of penetration testing. For instance, during a testing scenario, the data that has been collected can be used to map out cyberattack paths, including: 

  • How an attacker could breach the organization’s network from the outside
  • How the attacker could traverse the network once inside, using the services and trust relationships the scans reveal
  • Which key assets could be exploited, and the level of data loss that may occur

In turn, the scenarios can then be used to: 1) inform the organization where their weaknesses lie and 2) perform simulated, non-damaging attacks on the organization’s environment to test out their defenses and responses to such an attack. 

Get more information

Find out how Nessus Professional can help with penetration testing.
