Vulnerability Assessment vs. Penetration Testing – “Yea, that’s what I want!”
As I continue to engage prospective clients regarding their security needs, there seems to be clear confusion in the industry regarding the difference between Vulnerability Assessments and Penetration Testing.
Perhaps surprisingly, whether you are required to conduct security assessments to meet regulatory requirements or are simply taking steps to establish or verify your current security controls, a Vulnerability Assessment is the answer.
By design, Vulnerability Assessments are a non-intrusive way to identify and quantify the security vulnerabilities that exist in your environment. The assessment is an evaluation of your information security posture; it should identify weaknesses and provide appropriate mitigation steps to either eliminate them or reduce them to an acceptable level of risk. In most cases, a Vulnerability Assessment follows these four steps:
- Catalog assets and resources.
- Identify critical resources, processes, and policies.
- Highlight security vulnerabilities as they relate to the identified resources, processes, and policies.
- Provide actionable steps to mitigate and/or eliminate the most serious vulnerabilities identified.
“Although Vulnerability Assessments and Penetration Testing are combined to provide clients with a broader picture of their security posture, they differ drastically.”
In contrast to a Vulnerability Assessment, a Penetration Test is meant to exploit known and unknown vulnerabilities on a client’s network. Depending on type and scope, Penetration Tests range from non-intrusive to very intrusive; very intrusive tests must be executed during off-hours to limit performance issues and/or outages. Engineers and security experts are, in essence, paid to “hack” a client’s systems. Many vendors price and position this service differently. Speaking for Weidenhammer, our Team first determines the environment in which the test is to occur; we carefully discuss and review the rationale for the test to ensure we execute the right test for each situation; and finally we ask the client how far they wish us to take the test. In most cases, demonstrating that we were able to gain access is enough; in others, clients ask our Team to go as far as they can, penetrating the network and exploiting servers and other hardware/software in an effort to gauge how far the “rabbit hole” goes.
So what is right for you?
Well, it depends on your current security posture and your confidence in your security program. Regulatory and compliance requirements should also factor into the decision. In most cases, however, a Vulnerability Assessment is the ideal first step: it helps organizations identify potential threats and provides a roadmap for closing those gaps within their infrastructure.
Always consult certified information security professionals when planning an assessment or penetration test. These providers can help you make the right choice for your individual needs.
Weidenhammer offers both Vulnerability Assessments and Penetration Testing – for more information on our Security Practice, please contact: Anthony Cartolaro, Senior Consultant, Weidenhammer Consulting Group.
Thought Leader – Knowledge Leader – Trusted Advisor – Weidenhammer is the Difference