We get asked this question frequently: “What is the difference between a vulnerability assessment and a penetration test?” It’s a great question and one we’d like to shed a bit more light on in this post. Both engagements are aimed at revealing areas within your cybersecurity posture that need improvement. We regularly perform vulnerability assessments and penetration tests for clients who are required by regulatory compliance to adhere to a particular standard, or who simply want to strengthen their security posture. Both of these tests play an important role within your organization by highlighting areas of weakness and reducing the risk posed by adversaries.
Vulnerability assessments are essentially scans of systems or applications to determine where they are vulnerable to attack. This can include missing patches, obsolete software, misconfigurations and other weaknesses that leave the system open to exploitation. The vulnerability assessment is a discovery of where your systems and applications are at risk of an attacker exploiting a weakness within your network. We commonly see these done on a quarterly basis, but we recommend having them done as frequently as possible. In my opinion, you’re only as valid as your latest scan, and in an environment that’s constantly changing and where new exploits are constantly being discovered, the more frequent the scan, the better.
We also recommend that organizations add vulnerability management to their change management program. After making a change, especially one that’s public facing or touches sensitive systems or data, we recommend it be tested for vulnerabilities so as not to introduce new exposure to your organization. Metrics should be kept on the findings of each vulnerability scan, and on the remediation effort that follows: once vulnerabilities have been discovered, the exposure is removed either by fixing the issue or by putting compensating controls in place to limit the threat.
Vulnerability management is a continuous process to discover exposures and vulnerabilities within your current systems. We help organizations apply it toward hardening their security posture and meeting the compliance requirements of their industries. These scans are largely automated and can be scheduled at a particular frequency, with the results delivered by the vulnerability management systems in place. At CCSI, we perform this as a service and take on the effort of managing the program for you.
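The scan-over-scan metrics described above (what appeared, what was fixed, what persists, and what is open past its remediation window) can be computed from two consecutive scan exports. The following is an added example, not code from CCSI or the original post; the record fields, the sample findings and the severity-based remediation windows are all constructed assumptions.

```python
from datetime import date, timedelta

# Assumed remediation policy in days per severity (not from the post).
REMEDIATION_WINDOWS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample scan exports: one record per (host, finding).
PREVIOUS_SCAN = [
    {"host": "10.0.0.5", "id": "missing-os-patches", "severity": "critical", "first_seen": "2024-03-01"},
    {"host": "10.0.0.5", "id": "tls-weak-cipher", "severity": "medium", "first_seen": "2024-03-01"},
    {"host": "10.0.0.9", "id": "eol-web-server", "severity": "high", "first_seen": "2024-02-10"},
]
CURRENT_SCAN = [
    {"host": "10.0.0.5", "id": "tls-weak-cipher", "severity": "medium", "first_seen": "2024-03-01"},
    {"host": "10.0.0.9", "id": "eol-web-server", "severity": "high", "first_seen": "2024-02-10"},
    {"host": "10.0.0.12", "id": "default-admin-creds", "severity": "critical", "first_seen": "2024-04-01"},
]


def key(finding):
    """A finding is tracked per host, so the same plugin on two hosts is two findings."""
    return (finding["host"], finding["id"])


def diff_scans(previous, current):
    """Compare two consecutive scans: what appeared, what was fixed, what persists."""
    prev, cur = {key(f) for f in previous}, {key(f) for f in current}
    return {"new": cur - prev, "remediated": prev - cur, "persisting": prev & cur}


def overdue(current, today_iso, windows=REMEDIATION_WINDOWS):
    """Open findings whose remediation window has elapsed, with days late."""
    today = date.fromisoformat(today_iso)
    late = []
    for f in current:
        deadline = date.fromisoformat(f["first_seen"]) + timedelta(days=windows[f["severity"]])
        if today > deadline:
            late.append((key(f), (today - deadline).days))
    return late


def scan_metrics(previous, current, today_iso):
    """Summary numbers to report after each scan, as the post recommends tracking."""
    d = diff_scans(previous, current)
    return {
        "open": len(current),
        "new": len(d["new"]),
        "remediated": len(d["remediated"]),
        "persisting": len(d["persisting"]),
        "overdue": len(overdue(current, today_iso)),
        # Share of last scan's findings that are gone this scan.
        "remediation_rate": round(len(d["remediated"]) / len(previous), 2) if previous else 0.0,
    }


if __name__ == "__main__":
    print(scan_metrics(PREVIOUS_SCAN, CURRENT_SCAN, "2024-04-05"))
```

A finding that disappears between scans is counted as remediated, so a host that was simply offline during the second scan would inflate the rate; in practice, compare against the scanned host list before reporting.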
Penetration testing has the same end goal, to determine weaknesses within an organization, but it isn’t focused solely on identifying vulnerabilities. The point of the penetration test is to actually exploit the vulnerabilities found. Consider this an active approach to determining where your organization is at risk. Whereas vulnerability management usually relies on a single tool that scans for known vulnerabilities on an automated basis, penetration tests are more manual and don’t lock a tester into using a single tool.
These assessments are based on the experience of the tester acting as an adversary in your network to compromise your systems and applications. During penetration tests it’s possible that vulnerability management tools will be used to determine exposure, but that’s not always the case. We don’t see attackers gain access to networks and start scanning for vulnerabilities if they’re looking to stay hidden. During the penetration test we look to act as an attacker and include phishing and social engineering campaigns as part of the assessment. Throughout the test we’re looking to determine the effectiveness of people, process and technology, and whether the organization is able to detect and mitigate attackers.
There are normally rules of engagement that capture what’s important to the client during the test and that the third-party penetration testers use as objectives. After an engagement is completed, a report is created with findings and recommendations on what was found and how to remediate the issues. We don’t see penetration tests done as often as vulnerability management scans, but we do recommend a bi-annual test of the external network, the internal network and the applications, and a test whenever significant changes are made to infrastructure or applications, especially public-facing ones.
If you still have questions on the differences between a vulnerability assessment and a penetration test, or if you’re looking to get a better idea of how CCSI can assist you with either one, please contact us today.
Author Bio: Matthew Pascucci is the Cybersecurity Practice Manager at CCSI with over 16 years’ experience in IT focusing on cybersecurity. Previously he worked in the manufacturing, financial, ecommerce, healthcare and service industries, developing security programs for his employers.
He joined CCSI to develop a cybersecurity practice that includes managed security services, penetration testing, and risk assessments for organizations of every size and vertical. He holds multiple information security certifications and has had the opportunity to write and speak about cybersecurity for the past decade. Matt is a privacy advocate and security blogger with hundreds of publicly published articles and presentations. He’s the founder of www.frontlinesentinel.com and a board member of the local chapters of InfraGard and OWASP. Matthew can be contacted via his blog, on Twitter @matthewpascucci, or via email at email@example.com.