The most common question when evaluating which solution is the best fit for your organization is:
" What's the difference between a vulnerability assessment and penetration assessment? "
The two are often incorrectly used interchangeably due to marketing hype and other influences which has often created much confusion.
With that in mind, I’d like to try to clarify the distinctions between vulnerability assessments and pen tests and hopefully eliminate some of the confusion.
From our perspective, a Vulnerability Assessment, deploys an automated tool which scans the IT infrastructure and reports the results. The tool's job is to identify all systems and the associated applications and services they are running. Based on this information, the tool attempts to identify issues such as missing patches, default passwords, and known exploits. All the problems the tool has identified are then presented in a vulnerability assessment report.
It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them.
"vulnerability assessments are most often confused with penetration tests and often used interchangeably, but they are worlds apart."
A Penetration Assessment simulates a real-world attacker which takes actions on the external and/or internal systems that aim to breach the information security of the organization. Using many tools and techniques, the penetration tester aka "ethical hacker", attempts to exploit critical systems and gain access and/or administrative control to sensitive data.
This assessment typically uses vulnerability scanning as well as other manual proprietary methods tools to efficiently get a picture of a company's fundamental security and to identify attack vectors into the organization.
Unlike vulnerability assessments, ethical hacking takes into account mitigating controls and the potential impact of a vulnerability. Using the human factor, aka "Social engineering", often piecing together identified vulnerabilities in order to understand the potential impact of those vulnerabilities and to dive deeper into the environment, well past layer one of your systems security.
Many factors are considered when performing a risk analysis. A risk analysis doesn't require any scanning tools or applications – it’s a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others - to the company if the vulnerability were to be exploited.
When a risk analysis is completed, a final risk rating with mitigating controls that can further reduce the risk. Business decision makers can then take the risk analysis, suggested mitigation controls and decide whether or not to implement them.
In summary, a technician runs a vulnerability scan while a hacker performs a penetration test. The tools used for a penetration test are varied and dynamic, but it is not the tool that performs the test; rather it is actually the tester.
Vulnerability Assessments are often automated and looks for known vulnerabilities in your systems and reports potential exposures. A vulnerability assessment answers the question: “What are our weaknesses and how do we fix them?”
Penetration Assessments are designed to actually exploit weaknesses in the architecture of your systems. A penetration assessment simply answers the questions: “Can someone break-in and what can they attain?”
Ideally, you will want to run a penetration test once a year. Vulnerability scans should be run continuously.
NOTE: Penetration tests should be run by an outside consultancy so that the benefit of independence can be garnered.
Together penetration testing and vulnerability scanning are powerful tools used to monitor and improve information security programs.
Misunderstanding can put your company at risk – and cost you a lot of money!
Still have more questions on where to get started or need assistance on conducting an evaluation of your organization’s security posture?
Contact Digital4nx Group, Ltd. to find your organizations information security weaknesses and the valuable assets an advanced threat can obtain.
Digital4nx Group, Ltd. provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services such as “Ethical Hacking”.
LinkedIn | Twitter | Email | Speaking Events