Vulnerability assessments vs. penetration testing

Vulnerability assessments and penetration testing are both valuable forms of any information security programme, and these two tools allow business owners to gain important insights into their organisation. These valuable processes are part of any good information security threat and vulnerability management protocol. Often misidentified and used interchangeably, they are actually each very different at their core. Let’s take a look at the qualities of each and their applications in the world of business.

Vulnerability assessments

A vulnerability assessment is a process used by businesses to comprehensively and exhaustively examine a system for potential weaknesses by identifying these weaknesses and measuring them. These unwanted exposures could apply to the physical security of a business, the security of its personnel, or the security of a company’s technological systems and networks. Vulnerability assessments can include social engineering tests, scanning tools, and physical checks.

Generally, most large entities are looking for vulnerability assessments that specifically cover their systems and networks. A vulnerability assessment is meant to evaluate holes in security and produce a list of ways in which such vulnerabilities can be resolved or mitigated. Not all vulnerabilities must be resolved, but identifying them can help businesses understand where future threats might look to capitalise on a security weakness.

A vulnerability assessment is typically conducted by first taking an inventory of all assets and resources (valuable data) within an organisation’s system. These assets and resources are then reviewed, and the importance they have to the organisation is assigned a value. Then the potential vulnerabilities and threats to each asset and resource are cataloged.

Penetration testing

Penetration testing is very different from a vulnerability assessment, but you could say they go hand in hand and penetration testing piggybacks off the work of the vulnerability assessment. Penetration testing is meant to find a way to break into a company’s network by simulating the actions of an internal or external cyberattacker. This may require testing one vulnerability, or all identified vulnerabilities, to fully explore and identify if and where there may be the opportunity for a potentially dangerous and costly breach.

Penetration testing is meant to mirror what a cyberattacker (or Black Hat hacker) would do to try to gain access to critical systems within a company’s secure network. This type of testing can be considered ethical hacking (or White Hat hacking). Many companies hire White Hat hackers to routinely run penetration tests on their systems and preemptively identify security holes to assess a company’s level of risk.

Penetration testing is a time-consuming endeavour, but it can be a valuable effort when attempting to truly describe the nature of a security risk to stakeholders. With an actual example of the method of breach and the data that could be obtained, the true value of security measures begins to shine.

Penetration tests can extend beyond a company’s system network and include testing potential social engineering attacks or physical security tests. There are typically two types of penetration tests: 'white box' tests and 'black box' tests.

  • White Box Tests: These tests use known information and vulnerability assessments to try and breach security systems.
  • Black Box Tests: These tests require that the tester go in blind, with little to no information of the system or where potential vulnerabilities may lie before attempting to breach security systems.

A penetration test is typically conducted by first determining the scope of the test, then either gathering information on the valuable assets before testing (white box) or performing reconnaissance to identify valuable assets before testing (black box). After this has been completed, attempts to exploit vulnerabilities are performed, and if possible, sensitive data is collected. Once completed, this information is produced by way of report and presented to the proper individuals within the organisation for review.

Which tools are right for my organisation?

In general, a comprehensive approach is often the most recommended. But depending on how an organisation feels about the security of their current systems and the valuable data held within them, they may opt to perform a vulnerability assessment only, perform black box penetration testing only, use all of these tools at their disposal, or none.

Each organisation will have its own focus on systems security testing, and its own particular needs for such testing. If a vulnerability assessment has been performed previously and security systems remain fairly static in their structure, penetration testing may be employed more frequently and vulnerability testing less. An organisation that is already aware of their weaknesses and has addressed them may not have an immediate need for further vulnerability testing.

Organisations who have comprehensively used penetration testing to review their systems may feel that their risk is well-known and may not find a need to pursue such testing further. Vulnerability assessments tend to provide more overarching data, whereas a penetration test can only tell an organisation how secure their system is today. As part of a comprehensive and up-to-date information security program, penetration tests should be conducted routinely to ensure new threats are not capitalising on existing vulnerabilities.

In a changing organisation and in an evolving digital world, these tests should be conducted routinely to ensure a consistent understanding of the organisation’s current state of security and to remain confident that their valuable assets and resources are satisfactorily secure.

Eric Basu, CEO of Sentek Global