Vulnerability Assessments Versus Penetration Tests

As information security professionals, most of you are familiar with vulnerability assessments and penetration testing (pen tests for short).

Both are valuable tools that can benefit any information security program and they are both integral components of a Threat and Vulnerability Management process.

Are These Information Security Services the Same?

The two terms are often used interchangeably, thanks to marketing hype and other influences, and that has created confusion and wasted resources for many enterprises. With that in mind, I'd like to clarify the distinctions between vulnerability assessments and pen tests and hopefully eliminate some of the confusion.

What is a Vulnerability Assessment?

A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information security posture that indicates weaknesses and provides the mitigation procedures required either to eliminate those weaknesses or to reduce them to an acceptable level of risk.

Vulnerability Assessments Follow These General Steps

1. Catalogue assets and resources in a system
2. Assign quantifiable value and importance to the resources
3. Identify the security vulnerabilities or potential threats to each resource
4. Mitigate or eliminate the most serious vulnerabilities for the most valuable resources
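The four steps above are, in practice, a prioritization exercise: the same vulnerability matters more on a more valuable asset. The following is an added example (not code from the original article or from any assessment tool) that carries the steps through in Python. The asset names, importance values and finding labels are constructed for illustration, and the risk formula (importance multiplied by CVSS base score) and the acceptance threshold are assumptions chosen for the example, not a standard.

```python
"""Added example: ranking vulnerability-assessment findings by asset value
and severity. Inventory, values and finding labels below are constructed
for illustration, not data from any real assessment."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                                    # step 2: importance, 1 (low) to 5 (critical)
    findings: list = field(default_factory=list)  # step 3: (finding label, CVSS base score)


def risk_score(asset_value: int, cvss: float) -> float:
    """Simple quantification (assumed formula): importance x severity, max 5 * 10.0 = 50."""
    if not 1 <= asset_value <= 5:
        raise ValueError("asset value must be 1..5")
    if not 0.0 <= cvss <= 10.0:
        raise ValueError("CVSS base score must be 0.0..10.0")
    return asset_value * cvss


def prioritize(assets, accept_below: float = 15.0):
    """Step 4: return (to_fix, accepted), each ordered by descending risk.

    Findings scoring below accept_below are recorded as accepted risk rather
    than silently dropped, so the acceptance decision is visible in the report.
    """
    scored = []
    for asset in assets:
        for label, cvss in asset.findings:
            scored.append((risk_score(asset.value, cvss), asset.name, label, cvss))
    scored.sort(key=lambda r: (-r[0], r[1], r[2]))
    to_fix = [r for r in scored if r[0] >= accept_below]
    accepted = [r for r in scored if r[0] < accept_below]
    return to_fix, accepted


def sample_inventory():
    """Step 1: constructed catalogue of assets (hypothetical names and scores)."""
    return [
        Asset("customer-db", 5, [("unpatched database engine", 9.8),
                                 ("weak admin password policy", 7.5)]),
        Asset("marketing-site", 2, [("outdated CMS plugin", 9.8),
                                    ("missing security headers", 4.3)]),
        Asset("build-server", 4, [("anonymous artifact upload", 8.1)]),
        Asset("printer-01", 1, [("default SNMP community", 5.3)]),
    ]


if __name__ == "__main__":
    fix, accepted = prioritize(sample_inventory())
    for score, asset, label, cvss in fix:
        print(f"FIX     {score:5.1f}  {asset:<15} {label} (CVSS {cvss})")
    for score, asset, label, cvss in accepted:
        print(f"ACCEPT  {score:5.1f}  {asset:<15} {label} (CVSS {cvss})")
```

Note that the two CVSS 9.8 findings end up far apart in the queue: on the customer database it is the top item, while on the low-value marketing site it ranks below a CVSS 7.5 finding on the database. That is the point of step 2; a severity-only list would treat them identically.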

What is a Penetration Test?

A penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Using many tools and techniques, the penetration tester (ethical hacker) attempts to exploit critical systems and gain access to sensitive data.

Additional Penetration Testing Services and Types

Depending on the scope, a pen test can extend beyond the network to include social engineering attacks or physical security tests. There are also two primary types of pen test: "white box", in which the tester is given vulnerability assessment results and other pre-disclosed information about the targets, and "black box", which is performed with very little prior knowledge of the target systems, leaving the tester to perform their own reconnaissance.

Penetration Tests Follow These General Steps

1. Determination of scope
2. Targeted information gathering or reconnaissance
3. Exploit attempts for access and escalation
4. Sensitive data collection testing
5. Clean up and final reporting
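Step 1 is the one that protects both the tester and the client: every host touched in steps 2 through 4 must be inside the agreed scope, outside any exclusions, and within the agreed testing window. The following is an added example (not code from the original article or from any testing tool) of a scope check a tester can run over candidate targets before any reconnaissance starts. The CIDR ranges are RFC 5737 documentation addresses and the testing window is a constructed placeholder; the class and function names are this example's own.

```python
"""Added example: enforcing an agreed penetration-test scope before any
reconnaissance or exploit attempt. Ranges, exclusions and the testing
window are constructed placeholders, not a real engagement."""
import ipaddress
from datetime import datetime, timezone


class ScopeError(Exception):
    """Raised when a target or time falls outside the agreed engagement."""


class EngagementScope:
    def __init__(self, in_scope, excluded, window_start, window_end):
        # strict=False accepts ranges written with host bits set (e.g. 192.0.2.10/24)
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]
        self.window = (window_start, window_end)

    def check(self, target: str, when: datetime) -> bool:
        """Return True if target may be tested at time `when`, else raise ScopeError."""
        addr = ipaddress.ip_address(target)  # raises ValueError on a non-address
        if not any(addr in net for net in self.in_scope):
            raise ScopeError(f"{target} is outside the agreed scope")
        if any(addr in net for net in self.excluded):
            raise ScopeError(f"{target} is explicitly excluded")
        start, end = self.window
        if not start <= when <= end:
            raise ScopeError(f"{when.isoformat()} is outside the testing window")
        return True


def filter_targets(scope: EngagementScope, candidates, when: datetime):
    """Split candidates into (allowed, rejected); rejected carries the reason."""
    allowed, rejected = [], []
    for target in candidates:
        try:
            scope.check(target, when)
            allowed.append(target)
        except (ScopeError, ValueError) as exc:
            rejected.append((target, str(exc)))
    return allowed, rejected


# Constructed engagement: two in-scope ranges, one excluded host, a one-week window.
WINDOW_START = datetime(2024, 1, 8, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 1, 14, 23, 59, tzinfo=timezone.utc)
DURING_WINDOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 1, 20, 12, 0, tzinfo=timezone.utc)

SAMPLE_CANDIDATES = [
    "192.0.2.5",        # in scope
    "192.0.2.10",       # in scope range but explicitly excluded
    "198.51.100.200",   # outside the agreed /25 of that range
    "203.0.113.7",      # not in any agreed range
    "not-an-ip",        # typo in the target list
]


def sample_scope() -> EngagementScope:
    return EngagementScope(
        in_scope=["192.0.2.0/24", "198.51.100.0/25"],
        excluded=["192.0.2.10/32"],
        window_start=WINDOW_START,
        window_end=WINDOW_END,
    )


def demo(when: datetime = DURING_WINDOW):
    return filter_targets(sample_scope(), SAMPLE_CANDIDATES, when)


if __name__ == "__main__":
    allowed, rejected = demo()
    print("allowed:", allowed)
    for target, reason in rejected:
        print(f"rejected {target}: {reason}")
```

Running the check again with a timestamp outside the window rejects everything, which is the behaviour you want when an engagement overruns: the tooling should stop, not the tester's memory of the dates.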

Which Information Security Service Is Best for My Organization?

Well, the answer to that question depends on your current security posture. Unless both leadership and technical personnel are very confident in that posture and already have a vulnerability assessment process in place, most organizations will be much better served by having a third party conduct a vulnerability assessment. The reason is the fundamental difference in approach between the two. A vulnerability assessment answers the question "What are our weaknesses and how do we fix them?" A penetration test answers the narrower question "Can someone break in, and what can they reach?" A vulnerability assessment works to improve security posture and build a more mature, integrated security program, whereas a pen test is a snapshot of how effective that program was on the day of the test. Because of its approach, a vulnerability assessment will yield much more value for most enterprises than a pen test.

With all of that to consider, most organizations should start with a vulnerability assessment, act on its results to the best of their abilities and then opt for a "white box" pen test if they are confident in their improved security posture. Once an organization has gone through these steps successfully, they should then consider having a "black box" penetration test performed by a different third-party vendor for due diligence. If you've completed these, chances are that your organization's security posture has improved dramatically.

But as with all things security, it doesn't end there. As processes within a Threat and Vulnerability Management program, both vulnerability assessments and pen tests need to be performed periodically to ensure continuous security posture improvement.