
What is the right type of security assessment for your firm?

May 23, 2016 by Rob Kleeger

The most common question we hear when evaluating which solution is the best fit for an organization is:

"What's the difference between a vulnerability assessment and a penetration assessment?"

The two terms are often used interchangeably, partly because of marketing hype, and that misuse has created a lot of confusion.

With that in mind, I'd like to clarify the distinctions between vulnerability assessments and pen tests and hopefully eliminate some of that confusion.

From our perspective, a Vulnerability Assessment deploys an automated tool which scans the IT infrastructure and reports the results. The tool's job is to identify all systems and the applications and services they are running. Based on this information, the tool attempts to identify issues such as missing patches, default passwords, and known vulnerabilities. Everything the tool has identified is then presented in a vulnerability assessment report.

It's important to keep in mind that these scanners work from a list of known vulnerabilities, meaning issues that are already known to the security community, to attackers and to the software vendors. Vulnerabilities that are unknown to the public at large, and flaws in your own custom applications or business logic, are not on that list and the scanner will not find them. Scanner output also needs to be validated: a match on a product and version number is a signal that a host may be affected, not proof that it is.
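To make the "list of known vulnerabilities" point concrete, here is a small added example of the matching step at the heart of a vulnerability scanner. This is my illustration, not Digital4nx's tooling or any real scanner's code: the asset inventory, the product names and the advisory identifiers (ADV-0001, ADV-0002) are all constructed placeholders, not real CVEs or real hosts.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One network service discovered during the inventory phase."""
    host: str
    port: int
    product: str
    version: str


@dataclass(frozen=True)
class KnownVuln:
    """One entry in the scanner's signature list: product plus first fixed version."""
    advisory: str   # placeholder identifier, not a real CVE
    product: str
    fixed_in: str
    severity: str


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically.
    Non-numeric suffixes (e.g. the 'k' in '1.1.1k') are dropped; this kind of
    lossy parsing is one reason real scanners produce false positives."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def scan(inventory, vuln_db):
    """Version-matching scan: report a finding only when the product name
    matches a signature and the observed version is older than the fix."""
    findings = []
    for svc in inventory:
        for vuln in vuln_db:
            if svc.product != vuln.product:
                continue
            if parse_version(svc.version) < parse_version(vuln.fixed_in):
                findings.append((svc.host, svc.port, vuln.advisory, vuln.severity))
    return findings


def unsigned_products(inventory, vuln_db):
    """Products the scanner has no signatures for at all. The scan says
    nothing about them, which is not the same as saying they are clean."""
    covered = {v.product for v in vuln_db}
    return sorted({s.product for s in inventory} - covered)


# Constructed sample data (not from any real scan).
INVENTORY = [
    Service("web01", 443, "ExampleHTTPd", "2.4.49"),   # older than the fix -> finding
    Service("db01", 5432, "ExampleDB", "13.4"),        # already patched -> no finding
    Service("app01", 8080, "LegacyPortal", "1.0"),     # no signature at all -> silent
]
VULN_DB = [
    KnownVuln("ADV-0001", "ExampleHTTPd", "2.4.51", "critical"),
    KnownVuln("ADV-0002", "ExampleDB", "13.2", "high"),
]

if __name__ == "__main__":
    for host, port, adv, sev in scan(INVENTORY, VULN_DB):
        print(f"{host}:{port}  {adv}  {sev}")
    print("no signatures for:", unsigned_products(INVENTORY, VULN_DB))
```

The third host is the one to notice: LegacyPortal never appears in the findings, not because it is secure but because the scanner has nothing to compare it against. That gap is exactly what the manual work in a penetration assessment is meant to cover, and reporting "products with no signature coverage" alongside the findings is a cheap way to keep that gap visible.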

“vulnerability assessments are most often confused with penetration tests and often used interchangeably, but they are worlds apart.”

A Penetration Assessment simulates a real-world attacker who takes actions against external and/or internal systems with the aim of breaching the organization's information security. Using many tools and techniques, the penetration tester, aka "ethical hacker", attempts to exploit critical systems and gain access to, or administrative control over, sensitive data.

This assessment typically uses vulnerability scanning as well as manual methods and proprietary tools to efficiently build a picture of a company's fundamental security and to identify attack vectors into the organization.

Unlike a vulnerability assessment, ethical hacking takes into account mitigating controls and the potential impact of a vulnerability. It also uses the human factor, aka "social engineering", and often chains identified vulnerabilities together to understand their combined impact and to dive deeper into the environment, well past the outermost layer of your systems' security.

Many factors are considered when performing a risk analysis. A risk analysis doesn't require any scanning tools or applications; it's a discipline that takes a specific vulnerability (such as a line item from a penetration test report) and attempts to ascertain the risk to the company, including financial, reputational, business continuity and regulatory risk, if that vulnerability were to be exploited.

When a risk analysis is completed, it produces a final risk rating along with mitigating controls that can further reduce the risk. Business decision makers can then take the risk analysis and the suggested mitigating controls and decide whether or not to implement them.

In summary,  a technician runs a vulnerability scan while a hacker performs a penetration test. The tools used for a penetration test are varied and dynamic, but it is not the tool that performs the test; rather it is actually the tester.

Vulnerability Assessments are often automated; they look for known vulnerabilities in your systems and report potential exposures. A vulnerability assessment answers the question: "What are our weaknesses and how do we fix them?"

Penetration Assessments are designed to actually exploit weaknesses in your systems and their architecture. A penetration assessment answers the questions: "Can someone break in, and what can they obtain?"

Ideally, you will want to run a penetration test at least once a year, and again after any significant change to your environment. Vulnerability scans should be run continuously, with findings tracked through to remediation.

Note: penetration tests should be run by an outside consultancy so that you get the benefit of independence.

Together penetration testing and vulnerability scanning are powerful tools used to monitor and improve information security programs.

Misunderstanding the difference can put your company at risk and cost you a lot of money!

Still have more questions on where to get started, or need assistance conducting an evaluation of your organization's security posture?

Contact Digital4nx Group, Ltd. to find your organization's information security weaknesses and the valuable assets an advanced threat could obtain.

Digital4nx Group, Ltd. provides Digital Forensic Investigations, Electronic Discovery Consulting and Advisory Service, Incident Response to Data Breaches and Cyber Security services such as “Ethical Hacking”.