What is Intrusive Penetration Testing?

Intrusive Penetration Testing is Penetration Testing where the risk of potential system impact or outage is not mitigated. For example, the Penetration Tester will not throttle their activity and may, deliberately or through the intensity of their activity, bring systems and services down, effectively causing a ‘denial of service’ (DoS) condition. Intrusive penetration testing is most appropriate when you pen testers are targeted.



What is non-intrusive penetration testing?

Non-intrusive penetration testing is where the penetration tester will actively mitigate any risks to systems or services they are targeting. They will take measures, such as throttling activity and performing extensive fingerprinting and reconnaissance prior to actively carrying out their pen test activities. Most organisations should opt for non-intrusive penetration testing, especially if any systems are considered production systems. Whilst there is always a risk with any form of penetration testing activity, risks are mitigated by using experienced penetration testers.


What is an intrusive vulnerability scan?

An intrusive vulnerability scan is a scan where there is no regard for system impact, performance, or potential outage. Typically, on an intrusive vulnerability scan, the configuration will be unthrottled and the vulnerability scanner will send as much traffic at the target/s as quickly as it can. Vulnerability checks or ‘plugins’ within the vulnerability scanner will all be run, even the ones that could potentially crash services or systems. An intrusive vulnerability scan will also usually confirm the presence of ‘denial of service’ (DoS) vulnerabilities by actively exploiting them, i.e., causing an actual DoS.


What is a non-intrusive vulnerability scan?

A non-intrusive vulnerability scan is a vulnerability scan where specific care is taken with the vulnerability scan’s configuration to ensure there is limited risk of system impact or outage. The vulnerability scan will only run ‘safe checks’, meaning checks that are unlikely to crash the target system or service. It will also not scan any ‘high risk’ devices, such as printers, which are more prone to an outage during a vulnerability scan. The vulnerability scan will be throttled accordingly and monitored closely.


Intrusive vs. non-intrusive vulnerability scanning

Most organisations should opt for non-intrusive vulnerability scanning. Often intrusive vulnerability scans are less effective overall and typically miss vulnerabilities due to the pace they are running at and any impact they cause.


Intrusive vulnerability scanning is only ever appropriate in testing environments. Non-intrusive vulnerability scanning should always be used in production networks.
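
The rules above can be enforced before a scan is launched. The following is an added example, not part of the original post and not the configuration format of any real scanner: the ScanProfile fields, the 50 packets-per-second throttle and the inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanProfile:
    """Hypothetical scan settings; not the schema of any real scanner."""
    safe_checks_only: bool   # run only checks unlikely to crash the target
    max_rate_pps: int        # packets per second; 0 means unthrottled
    exploit_dos: bool        # confirm DoS findings by actually triggering them

    def is_intrusive(self) -> bool:
        # Any one of these makes the scan intrusive in the sense used above.
        return (not self.safe_checks_only) or self.exploit_dos or self.max_rate_pps == 0

HIGH_RISK_KINDS = {"printer"}  # outage-prone device class named in the text

def plan_scan(inventory, profile):
    """Split the inventory into hosts to scan and hosts held back, with reasons."""
    targets, held_back = [], {}
    for host in inventory:
        if profile.is_intrusive() and host["env"] != "test":
            # Intrusive scanning is only appropriate in testing environments.
            held_back[host["ip"]] = "intrusive profile outside a test environment"
        elif not profile.is_intrusive() and host["kind"] in HIGH_RISK_KINDS:
            # A non-intrusive scan does not touch high-risk devices.
            held_back[host["ip"]] = "high-risk device excluded from non-intrusive scan"
        else:
            targets.append(host["ip"])
    return targets, held_back

# Constructed inventory (documentation address range), for illustration only.
INVENTORY = [
    {"ip": "192.0.2.10", "kind": "server", "env": "production"},
    {"ip": "192.0.2.11", "kind": "printer", "env": "production"},
    {"ip": "192.0.2.50", "kind": "server", "env": "test"},
    {"ip": "192.0.2.51", "kind": "printer", "env": "test"},
]
NON_INTRUSIVE = ScanProfile(safe_checks_only=True, max_rate_pps=50, exploit_dos=False)
INTRUSIVE = ScanProfile(safe_checks_only=False, max_rate_pps=0, exploit_dos=True)

if __name__ == "__main__":
    for name, profile in (("non-intrusive", NON_INTRUSIVE), ("intrusive", INTRUSIVE)):
        targets, held_back = plan_scan(INVENTORY, profile)
        print(name, "scan:", targets)
        for ip, reason in held_back.items():
            print("  held back", ip, "-", reason)
```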


How long does a vulnerability scan take?

The length of time a vulnerability scan takes very much depends on what you are targeting and the vulnerability scan configuration. A scan of a single host could take anything from a matter of minutes to many hours. However, to provide just one example, in a ‘typical’ best practice configuration targeting a single standard build of Windows Server, the scan would take a few minutes to complete in most environments.

