When discussing security measures with our customers, we are often asked about penetration testing and vulnerability assessments. And, most often, those conversations include the question, “is there a difference between the two?”.
We believe that’s certainly a question worth asking because many people use the two terms interchangeably, but they are different activities.
To really get into the nitty gritty of understanding the difference, here are some key factors to consider.
Let’s start with what a vulnerability assessment actually is.
A vulnerability assessment uses a vulnerability scanning tool to check your systems for known vulnerabilities, typically by matching service versions and configurations against a database of published issues, without manually exploiting any of the vulnerabilities it finds. In a non-technical analogy, imagine a criminal planning to break into your office building: they spend time identifying the entrance points, and perhaps any weak locks or open windows, but they do not go in. The results of the scan will show where an application, website or other system is vulnerable, but they do not tell you what would happen if the vulnerability were exploited.
And a penetration test?
Well, a penetration test goes deeper. In our burglar scenario, this time they check the entrances and then actually take advantage of the weaknesses to enter the building (with permission, of course!). So, essentially, it is a method of identifying and actively testing vulnerabilities or gaps in IT security, in external or internal infrastructure, that could be exploited to put your business at greater risk.
This testing format is a methodical examination of a network, system or application by qualified security experts. Their goal is to exploit the vulnerabilities and misconfigurations they find so they can determine their real-world impact. Some may call this ‘ethical hacking’. Consultants work to a defined methodology to exploit vulnerabilities and misconfigurations present within the network, system or application, using their experience, open-source intelligence, and a wide range of tools. Once gaps have been identified and tested in your systems and networks, they provide expert advice for strengthening your defences.
So, what exactly is included in each?
Each penetration test will be different and will depend on what is being tested, but in terms of a very generic test versus a vulnerability assessment, here’s a visual look:
| Description | Vulnerability Assessment | Penetration Test |
|---|---|---|
| Documenting of requirements and scope | X | X |
| Passive information gathering | | X |
| Active information gathering | X | X |
| Automated vulnerability scan | X | X |
| Application/infrastructure exploit pivoting | | X |
| System restoration to pre-test state: removal of test files, software and accounts | | X |
| Vulnerability report (system generated) | X | |
| Detailed summary on overall security posture | | X |
| Customised remediation advice | | X |
You can see that penetration tests are much more in-depth than vulnerability assessments. While a penetration test generally includes an initial automated vulnerability scan, it’s the manual exploitation of those vulnerabilities that requires a wide range of skills and time.
Why would a business choose to have a vulnerability assessment?
Think of a vulnerability assessment as a one-size-fits-all automated scan that identifies the most common vulnerabilities. It’s cheaper and faster because it doesn’t require as many resources. In some ways, it could be considered a health check, like running a virus scan on a laptop, except you’re running the scan across a network.
A vulnerability assessment is often conducted as a mandatory exercise as part of complying with regulatory requirements or standards such as ISO 27001 or PCI DSS. But it’s important to keep in mind that there are limits to a vulnerability assessment: it can’t explain how an attacker might use a vulnerability, or chain several together, to compromise a system. Scanners also produce false positives and false negatives (a common case is a finding inferred from a version banner where the vendor has already backported the fix without changing the version number), so it’s important to verify automated results with multiple tools or manual methods.
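To make the false-positive point concrete, here is an added example; it is not code from the original article or from BOM IT. It models the banner-to-version matching step a vulnerability scanner performs and shows why the result is only a version-inferred finding that a tester still has to confirm by hand. The sample banners, the rule table and the rule identifiers are constructed placeholders that reference no real vulnerability or advisory.

```python
"""Why a version-inferred scanner finding needs manual verification.

Added example, not from the original article or BOM IT. It models the
banner-to-version matching a vulnerability scanner performs and flags
the cases where the version string alone is inconclusive. The banners
and the KNOWN_ISSUES table are constructed placeholders that reference
no real vulnerability or advisory.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule table (constructed): product -> (rule id, first fixed
# upstream version). A real scanner holds thousands of such entries.
KNOWN_ISSUES = {
    "OpenSSH": ("HYPOTHETICAL-SSH-001", (8, 0)),
    "Apache": ("HYPOTHETICAL-HTTP-001", (2, 4, 50)),
}

# Product name, upstream version, optional OpenSSH "p1"-style patch level,
# and whatever trails the version (often a distribution build tag).
BANNER_RE = re.compile(r"(OpenSSH|Apache)[_/ ](\d+(?:\.\d+)*)(p\d+)?(.*)$")

# Distribution build markers: the vendor may have backported the fix
# without bumping the upstream version number shown in the banner.
DISTRO_RE = re.compile(r"Debian|Ubuntu|\+deb\d+u\d+|\.el\d+")


@dataclass
class Finding:
    product: str
    version: tuple
    rule_id: str
    backport_suspected: bool
    note: str


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def version_lt(a: tuple, b: tuple) -> bool:
    """Compare dotted versions of unequal length, e.g. (2, 4) < (2, 4, 50)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess_banner(banner: str) -> Optional[Finding]:
    """Return a Finding when the banner's version is below the fixed
    version, or None when no rule matches. The finding is always
    version-inferred: nothing here proves the issue is exploitable."""
    match = BANNER_RE.search(banner)
    if not match:
        return None
    product, version_text, _patch, trailer = match.groups()
    version = parse_version(version_text)
    rule_id, fixed_in = KNOWN_ISSUES[product]
    if not version_lt(version, fixed_in):
        return None
    backport = DISTRO_RE.search(trailer) is not None
    note = ("distribution build: check the package changelog or test the "
            "issue by hand before reporting" if backport
            else "upstream build: still confirm by hand before reporting")
    return Finding(product, version, rule_id, backport, note)


def triage(banners: list) -> dict:
    """Split a batch of banners into findings and clean services, the way a
    tester works through a raw scanner report before writing anything up."""
    findings = [f for f in (assess_banner(b) for b in banners) if f]
    return {
        "total": len(banners),
        "findings": findings,
        "backport_suspected": sum(1 for f in findings if f.backport_suspected),
    }


# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_7.4",                      # plain upstream build
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",   # distro build, fix may be backported
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",  # at or above the fixed version
    "Server: Apache/2.4.41 (Ubuntu)",           # distro build
]

if __name__ == "__main__":
    result = triage(SAMPLE_BANNERS)
    for f in result["findings"]:
        print(f"{f.product} {'.'.join(map(str, f.version))}: {f.rule_id} "
              f"(backport suspected: {f.backport_suspected}) - {f.note}")
    print(f"{len(result['findings'])} of {result['total']} services flagged, "
          f"{result['backport_suspected']} need package-level checks")
```

The scanner's output is the list of three flagged banners; the vulnerability assessment report would stop there. The two findings on distribution builds are exactly the ones that need the manual follow-up the article recommends: checking the installed package's changelog on the host, or attempting the issue under the engagement's rules, is what turns a banner match into a confirmed (or dismissed) finding.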
Why would a business choose to have a penetration test?
A penetration test is a level up from just ‘ticking a box’. The testing is conducted by humans who understand not just the technical side, but also the subtleties of how businesses work (something automated scanning software isn’t capable of), so they can ask questions when something doesn’t look right, which matters for keeping business operations running during the test.
So, how do you decide which service your organisation needs?
There are a number of variables to consider when deciding which service you need, such as what you’re testing and your risk appetite.
For example, if the asset is low value (i.e. compromise wouldn’t have a devastating effect on operations or reputation), then a vulnerability assessment is probably adequate. However, if the asset is high value (i.e. a breach or failure could cause operational disruption and revenue loss or reputational damage), then it becomes a prime target for threat actors who invest time into finding more ingenious ways to compromise it and gain access, and a penetration test is the better fit.
At the end of the day, if you’re not sure, it’s worth asking someone who understands your infrastructure so you can make an informed decision.
Both services will provide you with a report that explains the findings, the criticality of those findings, and suggested remediation advice. But the vulnerability assessment report won’t cover impact or exploit information, as this can only be gathered by exploiting the vulnerabilities.
An important note about how often
New vulnerabilities are discovered regularly, so whichever service you choose, it is strongly recommended that it is conducted regularly and that the type of service you need is reviewed each time. This is even more important if you are introducing new technologies to the workplace, moving to the cloud, outsourcing IT, have experienced a breach in the past, or aren’t confident you know how mature your security is.
How can BOM IT help?
Penetration testing and vulnerability assessments are important parts of mitigating cyber risk. We have worked across a range of industries, finding vulnerabilities that can easily be missed in web applications and IT infrastructure. Help your IT department secure your business and contact us to discuss how we can make the process easier. Call 0800 038 7222 or email firstname.lastname@example.org to organise a consultation that works for you and your business.