In this post we will take a quick look at the differences between vulnerability assessment (VA) and penetration testing (PT). Furthermore, we’ll give a set of questions that should help you decide which service is the best choice for your particular case.
So let’s say you want to improve the security of your internal network infrastructure and you have to choose between VA and PT – offered by your favorite consultancy firm. First of all, let’s see what they are.
Vulnerability Assessment – is the process of identifying and prioritizing technical vulnerabilities which affect a target system or network. It is mainly done automatically using a vulnerability scanner and it’s usually aimed at a wide area of machines. The purpose of a VA is to find as many vulnerabilities as possible in the given time frame. Optionally, manual validation may be included for the critical findings but this is not usually done when a high number of vulnerabilities are involved.
Penetration Testing – is a goal-based simulation of a real attack. The pentesters will search for a chain of vulnerabilities in the target system/network and exploit them to reach their target (e.g. gain access to a client database, obtain sensitive information, gain Domain Admin, etc). The pentest report will contain only the vulnerabilities encountered during the attack against the target and no additional checks are being made. However, the reported vulnerabilities are 100% validated and their risk for the business is accurate.
Neither VA, nor PT should be confused with the security audit which is a totally different service.
Questionnaire
Here are 5 questions that should help you decide which service is best for your situation:
| 1. What is your goal for this test? | |
| Find as many vulnerabilities as possible or Obtain a baseline for security in your internal network |
VA |
| Simulate the activities of an internal attacker and see how far he can get into your network | PT |
| 2. How do you currently perceive the security status of your network? | |
| I know I have multiple holes in my network or I don’t know |
VA |
| I do periodic vulnerability checks and I implement security fixes – I should be pretty secure | PT |
| 3. Have you ever done VA or PT to your network? | |
| No | VA |
| Yes | PT |
| 4. Do you want to impress management with significant findings (and maybe obtain funding)? | |
| No | VA |
| Yes | PT |
| 5. Want to verify the ability of your IT/security staff to respond to cyber attacks? | |
| No | VA |
| Yes | PT |
Conclusion
When choosing a consultancy service to improve the security of your systems/network you should be aware of its advantages and disadvantages.
As a conclusion, penetration tests should be done when your organization has a decent maturity level regarding security controls and internal IT processes. The real benefits of a penetration test can be obtained after one or multiple vulnerability assessments have been performed on the target system/network.
On the other hand, vulnerability assessments should be done periodically to achieve a baseline of security for your systems/network and to make sure that you don’t miss significant holes. These can also be performed in-house by the system administrators, using free or commercial tools.
And finally, the main purpose of securing your systems/network can only be reached if your company actually implements the corrective measures suggested in the VA/PT reports. Periodic verification is also necessary.
Security Café 