Digital4nx Group, Ltd.


What is the right type of security assessment for your firm?

May 23, 2016 by Rob Kleeger

The most common question when evaluating which solution is the best fit for your organization is:

“What’s the difference between a vulnerability assessment and a penetration assessment?”

The two are often incorrectly used interchangeably due to marketing hype and other influences, which has created much confusion.

With that in mind, I’d like to try to clarify the distinctions between vulnerability assessments and pen tests and hopefully eliminate some of the confusion.

From our perspective, a Vulnerability Assessment deploys an automated tool which scans the IT infrastructure and reports the results. The tool’s job is to identify all systems and the applications and services they are running. Based on this information, the tool attempts to identify issues such as missing patches, default passwords, and known exploits. All the problems the tool has identified are then presented in a vulnerability assessment report.

It’s important to keep in mind that these scanners work from a list of known vulnerabilities, meaning ones that are already known to the security community, to hackers and to the software vendors. Vulnerabilities that are unknown to the public at large will not be found by these scanners.
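To make the two points above concrete, here is a toy signature-based scan written for this post. It is an added example, not Digital4nx’s tooling or any commercial scanner: every host, service, version, patch name and vulnerability ID is constructed, and the EXAMPLE-* identifiers stand in for real advisory numbers. The scan only matches what it discovers against its list of known issues, so a flaw that nobody has published (the `legacy-db` service below, by construction) produces no finding even though the same host is flagged for a default password.

```python
"""Toy signature-based vulnerability scan (added example, constructed data).

Shows what an automated scanner does: inventory services, compare them with a
list of *known* issues, check for missing patches and default credentials, and
emit a report. Anything absent from KNOWN_VULNS is invisible to it.
"""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    version: str
    uses_default_password: bool = False  # would come from a credentialed config check


@dataclass
class Host:
    address: str
    services: list
    installed_patches: set = field(default_factory=set)


# The scanner's entire knowledge of the world. IDs are placeholders, not real advisories.
KNOWN_VULNS = [
    {"service": "webapp", "versions": {"1.0", "1.1"}, "patch": "WEBAPP-1.2",
     "id": "EXAMPLE-0001", "severity": "High"},
    {"service": "ssh", "versions": {"7.4"}, "patch": "SSH-7.5",
     "id": "EXAMPLE-0002", "severity": "Medium"},
]

# Constructed inventory, as the discovery phase of a scan would build it.
INVENTORY = [
    Host("10.0.0.10", [Service("webapp", "1.0"), Service("ssh", "7.4")]),
    # Same affected webapp version, but the vendor patch is installed: nothing to report.
    Host("10.0.0.11", [Service("webapp", "1.1")], installed_patches={"WEBAPP-1.2"}),
    # legacy-db 3.0 has (by construction) a flaw no one has published, so it is
    # not in KNOWN_VULNS; the scan can only notice the default password.
    Host("10.0.0.12", [Service("legacy-db", "3.0", uses_default_password=True)]),
]


def scan(hosts):
    """Match each discovered service against KNOWN_VULNS and return the report
    as a list of findings, most severe first."""
    findings = []
    for host in hosts:
        for svc in host.services:
            for vuln in KNOWN_VULNS:
                if svc.name != vuln["service"] or svc.version not in vuln["versions"]:
                    continue
                if vuln["patch"] in host.installed_patches:
                    continue  # already remediated
                findings.append({"host": host.address, "service": svc.name,
                                 "id": vuln["id"], "severity": vuln["severity"],
                                 "fix": f"apply {vuln['patch']}"})
            if svc.uses_default_password:
                findings.append({"host": host.address, "service": svc.name,
                                 "id": "DEFAULT-CREDENTIAL", "severity": "High",
                                 "fix": "change the vendor default password"})
    order = {"High": 0, "Medium": 1, "Low": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{f['severity']:<6} {f['host']:<10} {f['service']:<10} {f['id']:<18} {f['fix']}")
```

Run as a script it prints three findings: two for `10.0.0.10`, one default-credential finding for `10.0.0.12`, and nothing for the patched host or for the unpublished `legacy-db` flaw.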

“Vulnerability assessments are most often confused with penetration tests and often used interchangeably, but they are worlds apart.”

A Penetration Assessment simulates a real-world attacker who takes actions against the external and/or internal systems with the aim of breaching the information security of the organization. Using many tools and techniques, the penetration tester, aka “ethical hacker”, attempts to exploit critical systems and gain access to, and/or administrative control over, sensitive data.

This assessment typically uses vulnerability scanning as well as other manual and proprietary methods and tools to efficiently get a picture of a company’s fundamental security and to identify attack vectors into the organization.

Unlike vulnerability assessments, ethical hacking takes into account mitigating controls and the potential impact of a vulnerability. It often uses the human factor, aka “social engineering”, and pieces together identified vulnerabilities in order to understand their potential impact and to dive deeper into the environment, well past the first layer of your systems’ security.

Many factors are considered when performing a risk analysis. A risk analysis doesn’t require any scanning tools or applications – it’s a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others – to the company if the vulnerability were to be exploited.

When a risk analysis is completed, it produces a final risk rating together with mitigating controls that can further reduce the risk. Business decision makers can then take the risk analysis and the suggested mitigating controls and decide whether or not to implement them.
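The risk analysis described in the two paragraphs above can be carried through on one pen-test line item. The following is an added example, not the firm’s method: it assumes a simple qualitative likelihood × impact model (one of many rating schemes), scores a constructed finding across the financial, reputational, business-continuity and regulatory areas the post names, then re-scores it after mitigating controls are applied so a decision maker can compare the inherent and residual ratings.

```python
"""Worked risk analysis of a single penetration-test finding (added example).

Assumed model: score = likelihood (1..5) x worst-case impact (1..5), banded
into Low/Medium/High/Critical. Mitigating controls lower likelihood and/or
impact levels; the rating is recomputed to give the residual risk.
"""
from dataclasses import dataclass, field

IMPACT_AREAS = ("financial", "reputational", "business_continuity", "regulatory")


@dataclass
class Finding:
    title: str
    likelihood: int   # 1 (rare) .. 5 (almost certain) if nothing is done
    impact: dict      # area -> 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0                          # likelihood levels removed
    impact_reduction: dict = field(default_factory=dict)   # area -> levels removed


def _clamp(level):
    return max(1, min(5, level))


def score(likelihood, impact):
    """Risk score in 1..25: likelihood times the worst impact in any area."""
    return likelihood * max(impact[area] for area in IMPACT_AREAS)


def band(risk_score):
    if risk_score >= 20:
        return "Critical"
    if risk_score >= 12:
        return "High"
    if risk_score >= 6:
        return "Medium"
    return "Low"


def apply_controls(finding, controls):
    """Return the (likelihood, impact) that remain once the controls are in place."""
    likelihood = finding.likelihood
    impact = dict(finding.impact)
    for control in controls:
        likelihood = _clamp(likelihood - control.likelihood_reduction)
        for area, levels in control.impact_reduction.items():
            impact[area] = _clamp(impact[area] - levels)
    return likelihood, impact


def risk_analysis(finding, controls=()):
    """Inherent rating, residual rating and the controls that get you there."""
    inherent = score(finding.likelihood, finding.impact)
    likelihood, impact = apply_controls(finding, controls)
    residual = score(likelihood, impact)
    return {"finding": finding.title,
            "inherent_score": inherent, "inherent_rating": band(inherent),
            "residual_score": residual, "residual_rating": band(residual),
            "controls": [c.name for c in controls]}


# Constructed line item, as a pen-test report might phrase it.
FINDING = Finding(
    "Internet-facing admin portal accepts the vendor default password",
    likelihood=5,
    impact={"financial": 4, "reputational": 4, "business_continuity": 2, "regulatory": 5},
)

# Constructed mitigating controls proposed by the analysis.
CONTROLS = [
    Control("Change default password and require MFA on the portal", likelihood_reduction=3),
    Control("Encrypt customer records at rest", impact_reduction={"regulatory": 2, "financial": 1}),
]


if __name__ == "__main__":
    result = risk_analysis(FINDING, CONTROLS)
    print(f"{result['finding']}\n  inherent: {result['inherent_score']} ({result['inherent_rating']})"
          f"\n  residual: {result['residual_score']} ({result['residual_rating']})"
          f"\n  controls: {', '.join(result['controls'])}")
```

For the constructed finding the inherent score is 25 (Critical); with both controls the likelihood drops to 2 and the worst remaining impact is the reputational 4, giving a residual score of 8 (Medium). The two numbers side by side are what the business decision makers weigh against the cost of the controls.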

In summary, a technician runs a vulnerability scan while a hacker performs a penetration test. The tools used for a penetration test are varied and dynamic, but it is not the tool that performs the test; rather it is actually the tester.

Vulnerability Assessments are often automated; they look for known vulnerabilities in your systems and report potential exposures. A vulnerability assessment answers the question: “What are our weaknesses and how do we fix them?”

Penetration Assessments are designed to actually exploit weaknesses in the architecture of your systems. A penetration assessment simply answers the questions: “Can someone break in, and what can they attain?”

Ideally, you will want to run a penetration test once a year. Vulnerability scans should be run continuously.

Note: penetration tests should be run by an outside consultancy so that the benefit of independence can be garnered.

Together penetration testing and vulnerability scanning are powerful tools used to monitor and improve information security programs.

Misunderstanding can put your company at risk – and cost you a lot of money!

Still have more questions on where to get started, or need assistance conducting an evaluation of your organization’s security posture?

Contact Digital4nx Group, Ltd. to find your organization’s information security weaknesses and the valuable assets an advanced threat could obtain.

Digital4nx Group, Ltd. provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services such as “Ethical Hacking”.