Penetration Testing vs. Vulnerability Scanning: Know the Difference

The FTC Safeguards Rule does not leave testing to your imagination. Under 16 CFR 314.4(d)(2), financial institutions that do not employ continuous monitoring must conduct both annual penetration testing and vulnerability assessments at least every six months. These are not interchangeable activities. They serve fundamentally different purposes, and the FTC expects evidence of both.

What the Rule Actually Says

The exact regulatory language of 16 CFR 314.4(d)(2) states that, absent effective continuous monitoring, you must conduct:

  • (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment
  • (ii) Vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities, at least every six months; and whenever there are material changes to your operations or business arrangements; and whenever there are circumstances you know or have reason to know may have a material impact on your information security program

Note the important qualifier: institutions maintaining information on fewer than 5,000 consumers are exempt from the specific testing frequencies under 16 CFR 314.6, though they must still perform general monitoring under 314.4(d)(1). Most dealerships handling consumer financing will exceed the 5,000 threshold quickly.

The Vulnerability Scan: Your Automated Sentry

A vulnerability scan is an automated tool that checks your systems against a database of known weaknesses, such as missing patches, outdated software, and misconfigured services. It tells you what is broken.

A compliant vulnerability assessment should include:

  • Authenticated scans that log into systems to check internal configurations, not just external-facing ports. Unauthenticated scans miss roughly 40-60% of vulnerabilities because they cannot see what is running behind the login screen.
  • Full scope coverage of all information systems identified in your risk assessment, including workstations, servers, network devices, and cloud services.
  • Both internal and external scanning to catch threats from inside and outside your network perimeter.
  • Remediation tracking showing what was found, when it was fixed, and verification that the fix worked.

The Penetration Test: The Simulated Attack

A penetration test is a human-led attack simulation conducted by a qualified security professional. Where a scan checks for known weaknesses, a pentester thinks like an attacker, chaining together multiple small issues to achieve a significant breach. It tells you how a hacker would actually hurt you.

Common penetration testing methodologies used in dealership environments include:

  • External Network Testing: Probing your internet-facing systems for exploitable entry points, including firewalls, VPN concentrators, and web applications.
  • Internal Network Testing: Simulating an attacker who has already gained a foothold inside your network, or a malicious insider. This is where testers look for lateral movement paths to your DMS and financial data.
  • Web Application Testing: Assessing customer-facing portals, credit application forms, and service scheduling systems for injection flaws, authentication bypasses, and data exposure.
  • Social Engineering: Testing whether your employees will click phishing links, hand over credentials, or allow physical access to restricted areas.

The FTC does not prescribe a specific methodology, but industry-standard frameworks like NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) and the PTES (Penetration Testing Execution Standard) are commonly referenced.

Common Findings at Auto Dealerships

After conducting penetration tests across the auto industry, certain patterns emerge repeatedly:

  • Open RDP (Remote Desktop Protocol): Technicians and vendors connect remotely to DMS servers with RDP exposed directly to the internet, often with weak or default credentials.
  • Unpatched DMS Workstations: The systems running your Dealer Management System are frequently running outdated operating systems or missing critical security patches because “we cannot take the DMS offline.”
  • Weak F&I Workstation Credentials: Finance managers sharing passwords, using simple PINs, or operating without MFA on systems that access Social Security numbers, credit reports, and bank account details.
  • Flat Network Architecture: No segmentation between the showroom Wi-Fi, the service bay diagnostics network, and the F&I systems holding sensitive customer data. An attacker on the guest Wi-Fi can reach the credit application server.
  • Default Credentials on Network Devices: Printers, security cameras, and network switches still using factory-set passwords, providing easy pivot points for attackers.
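Two of the findings above, RDP exposed directly to the internet and a flat network where guest Wi-Fi can reach the credit application server, are visible in a firewall rule set before any tester arrives. The following is an added example (not code from the article or from any firewall vendor) that audits a constructed rule export for those two patterns; the `Rule` fields, zone names and subnets are assumptions, and rules are judged individually rather than in first-match order.

```python
"""Audit firewall rules for remote-admin ports open to the internet and for
guest Wi-Fi reaching F&I systems. Added example; rule format, zones and
addresses are constructed assumptions, not a real vendor export."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")
REMOTE_ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC"}


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR ("0.0.0.0/0" means any source)
    dst: str      # destination CIDR
    port: int     # destination TCP port
    action: str   # "allow" or "deny"


# Constructed zones for a single-rooftop dealership network.
ZONES = {
    "guest_wifi": "192.168.50.0/24",
    "service_bay": "192.168.60.0/24",
    "fni": "10.10.20.0/24",          # F&I workstations and the credit application server
}

# Constructed "before" rule set showing the weak patterns.
WEAK_RULES = [
    Rule("0.0.0.0/0", "10.10.20.15/32", 3389, "allow"),       # DMS server RDP open to the world
    Rule("192.168.50.0/24", "10.10.20.0/24", 443, "allow"),   # guest Wi-Fi straight into F&I
    Rule("192.168.60.0/24", "10.10.20.0/24", 445, "deny"),
    Rule("10.10.20.0/24", "0.0.0.0/0", 443, "allow"),
]

# Constructed "after" rule set: RDP only from the VPN address pool, guest
# Wi-Fi only to an externally hosted site (203.0.113.0/24 is documentation space).
HARDENED_RULES = [
    Rule("10.10.250.0/24", "10.10.20.15/32", 3389, "allow"),
    Rule("192.168.50.0/24", "203.0.113.0/24", 443, "allow"),
    Rule("10.10.20.0/24", "0.0.0.0/0", 443, "allow"),
]


def internet_exposed_admin(rules):
    """Return (destination, service) for every allow rule that admits any
    source to a remote-administration port."""
    return [
        (r.dst, REMOTE_ADMIN_PORTS[r.port])
        for r in rules
        if r.action == "allow"
        and ip_network(r.src) == ANY
        and r.port in REMOTE_ADMIN_PORTS
    ]


def cross_zone_reach(rules, zones, src_zone, dst_zone):
    """Return allow rules whose source overlaps src_zone and whose destination
    overlaps dst_zone. An any-source rule counts, because "any" includes the
    guest network."""
    src_net = ip_network(zones[src_zone])
    dst_net = ip_network(zones[dst_zone])
    return [
        r for r in rules
        if r.action == "allow"
        and ip_network(r.src).overlaps(src_net)
        and ip_network(r.dst).overlaps(dst_net)
    ]


def audit(rules, zones):
    """Produce a list of human-readable findings for the two patterns."""
    findings = []
    for dst, service in internet_exposed_admin(rules):
        findings.append(f"{service} on {dst} is reachable from any internet source")
    for r in cross_zone_reach(rules, zones, "guest_wifi", "fni"):
        findings.append(f"guest_wifi can reach fni ({r.dst}) on port {r.port}")
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit(rules, ZONES) or ["no findings"])
```

The weak rule set yields three findings (the exposed RDP rule is reported twice, once as internet exposure and once as guest-to-F&I reach, since an any-source rule admits the guest network too); the hardened set yields none. A real firewall export also needs rule ordering and interface context, which this audit deliberately leaves out.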

What the FTC Expects During an Audit

If the FTC comes knocking, you need to produce:

1. Dated penetration test reports showing scope, methodology, findings, and severity ratings for at least the current and prior year.

2. Vulnerability scan reports for every six-month period, showing scan dates, systems covered, vulnerabilities identified, and CVSS severity scores.

3. Remediation documentation proving that identified vulnerabilities were addressed, including timelines and verification scans.

4. Evidence that testing scope was driven by your risk assessment, not just a random sample of systems.

A one-page summary letter from your provider saying “you passed” is not sufficient. The FTC wants the raw findings, the remediation plan, and proof of follow-through.
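The remediation-tracking requirement from the vulnerability assessment section (what was found, when it was fixed, and a verification scan proving it) and the audit evidence listed above (scan reports every six months, annual pentest reports, remediation documentation) can both be checked from the same records. The following is an added example, not code from the article or from any scanner; the `Finding` and `Cycle` fields, the dates, and the day thresholds used for "six months" and "annual" are assumptions. It also handles the edge case a reviewer will ask about: a finding that disappears from a host the verification scan never reached is reported as unverified, not as fixed.

```python
"""Reconcile scan findings between cycles and check testing cadence.
Added example with constructed data; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner check identifier (constructed names)
    cvss: float


@dataclass(frozen=True)
class Cycle:
    covered: frozenset   # hosts the authenticated scan actually reached
    findings: frozenset


# Constructed scan history. In the second cycle printer-01 was offline, so the
# scan could not confirm whether its default credentials were changed.
SCANS = {
    date(2024, 1, 15): Cycle(
        covered=frozenset({"dms01", "fi-ws-02", "printer-01"}),
        findings=frozenset({
            Finding("dms01", "rdp-exposed-to-internet", 9.8),
            Finding("fi-ws-02", "os-missing-critical-patch", 8.8),
            Finding("printer-01", "default-admin-credentials", 7.5),
        }),
    ),
    date(2024, 8, 20): Cycle(
        covered=frozenset({"dms01", "fi-ws-02", "cam-03"}),
        findings=frozenset({
            Finding("fi-ws-02", "os-missing-critical-patch", 8.8),   # still open
            Finding("cam-03", "default-admin-credentials", 7.5),     # new
        }),
    ),
}
PENTESTS = [date(2023, 11, 2), date(2024, 10, 20)]   # constructed report dates
AS_OF = date(2024, 12, 1)                            # constructed audit date

SIX_MONTHS_DAYS = 183   # assumption for "at least every six months"
ONE_YEAR_DAYS = 366     # assumption for "annual"


def reconcile(previous, current):
    """Classify the previous cycle's findings against the verification cycle."""
    fixed, unverified = [], []
    for f in previous.findings - current.findings:
        (fixed if f.host in current.covered else unverified).append(f)
    key = lambda f: (f.host, f.check_id)
    return {
        "fixed": sorted(fixed, key=key),
        "unverified": sorted(unverified, key=key),
        "still_open": sorted(previous.findings & current.findings, key=key),
        "new": sorted(current.findings - previous.findings, key=key),
    }


def cadence_gaps(dates, max_days, as_of):
    """Return (start, end, gap_days) for every interval longer than max_days,
    including the interval from the most recent date up to as_of."""
    points = sorted(dates) + [as_of]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:])
            if (b - a).days > max_days]


def evidence_report(scans, pentests, as_of):
    """Summarise what an auditor would ask for: cadence gaps and remediation status."""
    cycles = sorted(scans)
    remediation = reconcile(scans[cycles[-2]], scans[cycles[-1]]) if len(cycles) >= 2 else None
    return {
        "scan_gaps": cadence_gaps(cycles, SIX_MONTHS_DAYS, as_of),
        "pentest_gaps": cadence_gaps(pentests, ONE_YEAR_DAYS, as_of),
        "remediation": remediation,
        "overdue_high_severity": [
            f for f in (remediation["still_open"] if remediation else []) if f.cvss >= 7.0
        ],
    }


REPORT = evidence_report(SCANS, PENTESTS, AS_OF)

if __name__ == "__main__":
    for section, value in REPORT.items():
        print(section, value)
```

With the constructed data the two scans are 218 days apart, which the report flags as a gap against the six-month requirement, while the pentest cadence passes; dms01 is recorded as fixed, printer-01 as unverified, fi-ws-02 as a high-severity finding still open across cycles, and cam-03 as new.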

What to Expect From a Qualified Provider

A legitimate penetration test for a typical single-rooftop dealership generally runs between $5,000 and $15,000 depending on scope, number of IP addresses, and whether social engineering is included. Multi-rooftop dealer groups should expect higher costs proportional to their network complexity. Vulnerability scanning services typically run $1,000 to $5,000 per assessment cycle, depending on the number of systems.

Be wary of providers offering “penetration tests” for $500. What you are getting at that price is an automated vulnerability scan with a different label, and the FTC will not accept it as a substitute for the real thing.

At FTCSafeguards, we provide National Security Grade penetration testing that goes beyond the automated tools. We find the holes that the scanners miss, and we deliver the documentation you need to prove compliance when it matters most.

Scott Sailors (https://www.hiredhackers.com)
Principal Security Consultant with over 20 years of experience in security architecture, engineering, and executive leadership. Holds CISSP, OSCP, CISM and CRISC certifications and Master's and Bachelor's degrees in Cybersecurity, with expertise in bridging technical teams and senior management to communicate complex security challenges in actionable terms.
